Thursday, July 7, 2011

Implementing an NDES server

CA requirments
Two certificates templates have to be made available for enrolment at the designated CA , they will be enrolled and issued to the NDES server.

• Exchange Enrolment Agent (Offline Request), the NDES server will use this certificate to assign certificates to requestors.
• CEP Encryption, the NDES this certificate for key exchange with issuing CA.


In addition to the above two certificates, must also publish the following 3 certificate templates to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
If the templates are not designated to the registry, then NDES will issue IPsec (Offline Request )certificate template, [How can I change this?] which can be used for signing or encrypting data.
• SigningTemplate
• EncryptionTemplate
• GeneralPurposeTemplate

All of them will appear in the registry, if the NDES installed successfully.
Permission Requirements / SErvice Account

Service Account
• Service Account, with local admin rights on the NDES server,
• iis_user numbership in the local account,
• has right to request certificates at the issuing CA
• Be assigned the right to enrol the designated singing, encryption and signing and encryption certificate templates, based on the three certificate templates.


The service account should be created before the NDES installation.
Install NDES
Configuring NDES

Registry key values

At this stage, all the NDES server setting have to be configured in the registry key values, after the changed have been made, you need restart IIS service on the NDES server.
The following table is the key values and the meanings.
Key\Value or Value Type Default Usage
EnforcePassword\EnforcePassword DWORD 1 1 = MSCEP requires a password for enrollment requests.
0 = Passwords are not enforced.
SignatureTemplate String IPSECIntermediateOffline If this key is set, the service will use the value as the certificate template name when the device sends an enrollment request with 0x80 value for the KeyUsage extension. If it is not set, the service will use the IPSECIntermediate
Offline template.
EncryptionTemplate String IPSECIntermediateOffline If this key is set, the service will use the value as the certificate template name when the device sends an enrollment request with 0x20 value for the KeyUsage extension. If it is not set, the service will use the IPSECIntermediate
Offline template.
GeneralPurposeTemplate String IPSECIntermediateOffline If this key is set, the service will use the value as the certificate template name when the device sends an enrollment request with empty or 0xa0 value for the KeyUsage extension. If it is not set, the service will use the IPSECIntermediate
Offline template.
CAType\CAType DWORD Based on setup 1 = Enterprise
0 = Stand-alone
CAInfo\Configuration String Based on setup If the CA is not installed on the same computer as the service, this registry key must be set with the CA information in the format of CAMachineName\CAName.
RefreshPeriod\RefreshPeriod Binary 7 The number of days that pending requests will be kept in the service cache.
Note This value is located under HKEY_LOCAL_ROOT\Software\Microsoft\Cryptography\MSCEP\Refresh.
CacheRequest\CacheRequest DWORD 20 The number of minutes that an issued certificate will be kept in the service cache.
CertsInMYStore\CertsInMyStore DWORD 1 1 = The service will look for its certificates in the computer “My” store.
0 = The service will look for its certificates in the computer “CEP” store.
Note If the key does not exist, the service will look for its certificates in the computer “CEP” store.
PasswordMax\PasswordMax DWORD 5 The maximum number of available passwords.
PasswordVDir\PasswordVDir String MSCEP_Admin This is the name of the virtual directory that can be used for password requests. If set, MSCEP will accept password requests only from the defined virtual directory. If the value is empty or not set, MSCEP will accept password requests retrieved from any virtual directory.
PasswordValidity\PasswordValidity DWORD 60 The number of minutes a password is valid.
PasswordLength\PasswordLength DWORD 8 The Unicode character length of a password.
HashAlgorithm\HashAlgorithm String SHA1 Specifies the hash algorithm the service will use when constructing the request to the CA.
DisableRenewalSubjectNameMatch\DisableRenewalSubjectNameMatch DWORD n/a When set to 0x1, disables subject and subject alternative names match during certificate renewal.
UseSinglePassword\UseSinglePassword DWORD 0x0 When set to 0x1, enables single-password mode.
EncryptedPassword\EncryptedPassword Binary n/a When in single-password mode, the NDES will store encrypted password in this registry key protection by DPAPI. Do not modify this registry value directly.


Enable logging
To enable logging, use the following procedure:
1. Log on as the service account designated for the NDES service. This creates the user profile folder structure required to save the Mscep.log file.
2. Log off the service account.
3. Log on as a member of the local Administrators group.
4. Open a command prompt.
5. At the command prompt, type certutil –setreg debug 0xffffffe3, and then press Enter.
6. At the command prompt, type iisreset /restart, and then press Enter.
7. Ensure that the output of the command indicates that the service successfully restarted.
Once you have enabled logging, you can attempt to perform the task that caused the failure you are investigating. When the error occurs, you can now investigate the output in the
C:\Users\NDESServiceAccount\mscep.log file.
Troubleshooting with the following error

Found that stopped NDES function correctly, one possible error is:
Active Directory Certificate Services denied request 12 because The request subject name is invalid or too long. 0x80094001 (-2146877439). The request was for ITENGINEER\enadu. Additional information: Error Constructing or Publishing Certificate The certificate validity period will be shorter than the CEPEncryption Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.

The offline Root CA (LocalCA) issued ONLINE subCa certificate was configured ‘Certificate Expiration Date’ 1/06/2012, which made the issuing certificate very hard, because the period has to be shorter than this, most of the templates by default is 2 years.
1. ‘Renew CA Certificate’ from issuing CA, on this case is win2k8-s2, this will generate a new public and private key pair.

After the Renew, the new CA certificate got the same validation period.
2. Change Offline CA Settings. to check validity period

certutil -getreg ca\validityperiodunits
certutil -setreg ca\validityperiodunits 4
3. Installed the renewed CA certificate at issuing CA
4. Delete ‘itengineer-SR1-CA' which is offline from the AD database, publish Offline CA and issuing CA certificates to AD.

By right click ‘Enterprise PKI ‘->’Manage AD containers’
5. Installed ‘Certification Authority Web Enrollment’ on the issuing CA
6. Installed NEDS, looks like it’s working, because Exchange Enrolment Agent (Offline Request) and CEP Encryption are issued to the NEDS server.

No comments:

Post a Comment