Summary:
Network Device Enrollment (NDE) allows certificates to be placed in pre-determined Policy containers. This article describes how to place certificates into Policy containers based on the enrollment password.
More Information:
- Navigate to the Platforms tree
- Click on the Engine object (the name of the director server)
- Click on the Rules tab
- Enable the option 'Accept Container in challenge password'
- Restart the IIS service
This lets the NDE device send both a password and the container in which to place the certificate. If you want to use this rule but don't want the certificate in the default location, set the challenge password to 'password:\policy\secret location'. The password and the location in the policy tree are separated by a colon, and the location uses the notation \policy\<name of policy to put the cert>.
Because the SCEP protocol is interpreted broadly, some devices strip out the '\' character and others do not, so you may need to try a few times until you get the correct number of '\' characters in the path. We have seen some programs strip that character out, so we had to add one to each '\'.
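The backslash behaviour described above, modelled as an added example (not part of the original article or the product's code). The `escaping_client` function and the split-on-first-colon parsing are assumptions for illustration, and the password is a constructed sample value.

```python
# Added example: models the backslash handling described above. The client
# behaviour and the split-on-first-colon parsing are assumptions, not product code.

def build_challenge(password, container, backslashes_per_separator=1):
    """Join password and container with ':', repeating each '\\' as requested."""
    return password + ":" + container.replace("\\", "\\" * backslashes_per_separator)

def literal_client(challenge):
    """Hypothetical SCEP client that sends the challenge password unchanged."""
    return challenge

def escaping_client(challenge):
    """Hypothetical SCEP client that treats '\\' as an escape character:
    it drops the backslash and keeps the character that follows it."""
    out, i = [], 0
    while i < len(challenge):
        if challenge[i] == "\\" and i + 1 < len(challenge):
            out.append(challenge[i + 1])
            i += 2
        elif challenge[i] == "\\":
            i += 1  # a trailing lone backslash is dropped
        else:
            out.append(challenge[i])
            i += 1
    return "".join(out)

def split_challenge(received):
    """Assumed parsing: text before the first ':' is the password, the rest the container."""
    password, sep, container = received.partition(":")
    return password, (container if sep else None)

def backslashes_needed(password, container, client, max_tries=4):
    """Smallest number of '\\' per separator for which the container arrives intact."""
    for n in range(1, max_tries + 1):
        _, got = split_challenge(client(build_challenge(password, container, n)))
        if got == container:
            return n
    return None

if __name__ == "__main__":
    pw, loc = "ExamplePassw0rd", "\\policy\\secret location"  # constructed sample values
    for name, client in (("literal", literal_client), ("escaping", escaping_client)):
        n = backslashes_needed(pw, loc, client)
        print(f"{name} client: use {n} backslash(es) -> {build_challenge(pw, loc, n)}")
```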
Note: The NDE rules are calculated when the IIS service is started. Any change to the rules or configuration therefore requires that the IIS service be restarted, or that the app pool time out, before it takes effect. The app pool will time out in about 15 minutes if nobody is using the web service.
More information on configuring NDE can be found here.