How to: Set Up SCEP to Work with Network Device Enrollment

Applies To:

Venafi Trust Protection Platform 18.2 and prior versions


Venafi Trust Protection Platform (TPP) can act as a SCEP server. This feature is referred to as Network Device Enrollment (NDE). This article describes the steps to set up and configure TPP.

First, configure TPP for SCEP:

Configure NDE on TPP side in WebAdmin:

1. Create a Password object to use for SCEP requests
2. Go to the Platform tree to configure NDE settings
3. Select the Engine or the root of the Platform tree and go to "Network Device Enrollment" > Settings
4. Configure settings:

   - Enable "SCEP Reply Delay"
   - Default Challenge Password = Password for requests to use
   - Default Certificate Container = Where to create certificate objects
   - Default Certificate Authority = What CA Template to use
   - RA Certificate = Certificate used for the Registration Authority (a certificate issued by the CA we are going to use)

5. Save settings and restart IIS

Then, validate that it is working:

There are two tools for validating SCEP. The recommended tool is VisualScep, found here along with a PDF showing you how to use it:

Visual SCEP Tool




What to look at when things aren't working?

  1. Check the Engine object logs in the Platform tree for "Network Device Enrollment" errors, or check the Default SQL Channel logs
  2. Check whether the Certificate object got created
     - Did creating and retrieving the cert take too long?
     - Was there an issue during cert enrollment?
     - Are you able to create a cert in the console in that folder with that CA without SCEP?
  3. Check that the RA Cert is correct
  4. Check that the CA Template has root/intermediate certs configured
  5. Double-check that the challenge password in the CSR is correct:

    openssl req -in test.csr -noout -text

  6. Check that the vedscep URL (http://venafiserver.local/vedscep/) works with a browser. It should return "Bad Request...."
  7. If you keep getting Forbidden and/or 403 errors, check that your service account has been added to the IIS_IUSRS group.
  8. Check that the Code Sign Protect client is not installed on the TPP server. If it is installed and should not be, remove it.
  9. If you see this error in the Default SQL Channel: "Network Device Enrollment - HTTP Authentication Failure  PKIOperation request failed HTTP authentication. Request received from x.x.x.x", it means that you have restricted authorized users and your SCEP client is not passing, or is incorrectly passing, authentication for this user/group. Test by removing any users and restarting IIS.
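
One way to script the challenge password check from step 5, so the value in the CSR is compared with the one configured in TPP without being printed. This is an added example, not part of the original article or of Venafi's tooling; the function names, file names, subject name and challenge value are constructed for illustration.

```shell
#!/bin/sh
# Added example. Exit codes: 0 = challenge matches, 1 = mismatch,
# 2 = CSR unreadable or it carries no challengePassword attribute.
check_csr_challenge() {
    csr=$1; expected=$2
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 2
    line=$(printf '%s\n' "$text" | grep -m1 'challengePassword') || return 2
    actual=${line#*:}    # value is everything after the first colon
    # Compare silently so the secret never lands in terminal or log output.
    [ "$actual" = "$expected" ]
}

# Build a throwaway CSR carrying a constructed challenge password.
# $1 = working directory, $2 = challenge password to embed.
make_test_csr() {
    cat > "$1/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
attributes = attrs
[dn]
CN = scep-test.example.invalid
[attrs]
challengePassword = $2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/csr.cnf" \
        -keyout "$1/test.key" -out "$1/test.csr" 2>/dev/null
}

# Demo with constructed values; substitute the real CSR and the value
# stored in the TPP Password object.
work=$(mktemp -d)
make_test_csr "$work" 'TestChallenge01'
if check_csr_challenge "$work/test.csr" 'TestChallenge01'; then
    echo "challenge password matches"
else
    echo "challenge password missing or different (rc=$?)"
fi
rm -rf "$work"
```

A return code of 2 on a real device CSR means the client never embedded a challenge password, which points at the SCEP client configuration rather than at TPP.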





The above image may be small, so it is also attached.


