Applies to:
Venafi Encryption Director 6.1.x and later versions including TrustAuthority & TrustForce
Summary:
As mobile phones and tablets become more common in the workplace, businesses are looking for a way to manage these devices. For most platforms, a form of security certificate is required as part of their enrollment to the MDM solution. SCEP is the common protocol to issue these certificates, and Venafi Encryption Director makes it possible to issue these certificates.
Pre-configuration requirements
1. Create a CA Template object in the Policy tree
- The CA should be able to respond in a fairly rapid time to requests (no manual approval CA's)
- Not all CAs are supported. See the chapter on Network Device Enrollment in the Director Certificate Management Guide documentation for information on which CAs are supported. For this example, we will use a Microsoft CA.
- As SCEP Certificates are only used for signing and encryption, use the IPSec (Offline Request) Template type. See http://technet.microsoft.com/en-us/library/ff955642%28v=ws.10%29.aspx for further information on cloning and customizing this.
- RDP into the MS CA; open the Server Manager and navigate to the CA Role, to the CA object (default name: domain-SERVER-CA), to the Certificate Templates folder.
- Right-click and choose "New" > "Certificate Template to Issue" and select the "IPSec (Offline request)" template.
2. Create a Certificate Credential object for use as the RA certificate.
- Have available a certificate signed by the CA that will issue SCEP certificates.
- If you don't have a certificate to upload you can create a certificate object and enroll a new certificate to use as the RA certificate credential.
- In the Policy or Credentials tree, right-click and Add > Credentials > Certificate.
- Fill in the Name and choose to "Link existing certificate" to the certificate signed by the CA, or upload the certificate at this point.
3. Create a Policy object to contain certificates created via SCEP.
4. Create a Password Credentials object for use as the SCEP challenge password.
Configuring Network Device Enrollment
- Use RDP to log in to the server, open the Windows Administration Console, and navigate to the Platforms tree.
- Click on the Engine object (same as the hostname of the server).
- Click on the Network Device Enrollment tab.
- Choose the Password Credentials object as the "Default challenge password" credential.
- Choose the Policy object as the "Default certificate container" location for the SCEP requested certificates to be stored.
- Choose the CA Template object as the "Default CA".
- Choose the Certificate Credentials object configured as the "RA Certificate".
- Apply the settings to save them.
- Restart the IIS service by running "iisreset" at an Administrator Command prompt.
- To test the URL, navigate a browser to "http://localhost/vedscep" and you should see a response stating:
Bad request. Use "?operation={operation}&message={message}" or "{ca_ident}/?operation={operation}&message={message}" to make a request
To request a certificate using SCEP, have the device use the url: "http://address-of-server/vedscep" as the SCEP URL, and the SCEP challenge password as configured in step A-4. The server can handle various SCEP request settings, such as 1024- or 2048-bit certificates, depending on the requirements of the SCEP implementation.
More Information:
This is not intended as a best practices document for implementing SCEP in your environment. It is intended to provide basic instructions on how to configure Venafi Encryption Director to accept SCEP requests and issue SCEP certificates to devices. Standard security practices should be followed, such as when creating the RA certificate or challenge password. IIS configuration may be done by a different team, but you'll want to check that your service account has been added to the IIS_IUSERS group as well or you will see a lot of 403/forbidden errors.
Further information can be found in the Network Device Enrollment chapter of the Director Certificate Management Guide for the version of Venafi Encryption Director being used, such as here for version 8.0, on page 135.
Comments