How to: Setup SCEP to work with Network Device Enrollment

Applies To:

Venafi Trust Protection Platform 18.2 and prior versions


Venafi Trust Protection Platforms (TPP) has the ability to work as a SCEP server. This feature is referred to as Network Device Enrollment (NDE). This article describes the steps to setup and configure TPP and SSCEP a command line SCEP client to work together.

More Info:

Configure NDE on TPP side in WebAdmin:

1. Create Password object to use for SCEP requests
2. Go to Platform Tree to configure NDE settings
3. Select Engine or root of Platform tree and go to "Network Device Enrollemnt" > Settings
4. Configure settings:

 Enable "SCEP Reply Delay"
 Default Challenge Password = Password for requests to use
 Default Certificate Container = Where to create cert objects
 Default Certificate Authority = What CA Template to use
 RA Certificate = Certificate used for Registration Authority (cert that was issued by CA we are going to use)

5. Save settings and restart IIS


Use SSCEP to test NDE

1. Unzip SSCEP (found here:
2. Generate a certificate request providing a Common Name and the Challenge Password when prompted by openssl:

openssl.exe req -config scep.cnf -new -key priv.key -out test.csr

3. Retrieve the CA and RA certificates from your SECP/NDES:

sscep.exe getca -u http://venafiserver.local/vedscep/ -c ca.crt

4. Enroll a new certificate and make sure to specify the correct RA (-c flag)

sscep.exe enroll -u http://venafiserver.local/vedscep/ -k priv.key -r test.csr -l test.crt -c ca.crt-0

5. If things work, certficate is stored in test.crt


What to look at when things aren't working?

1. Check the Engine object logs in Platform tree for "Network Device Enrollment" errors
2. Check to see if the Certificate object got created
 - Did creating and retrieving the cert take too long?
 - Was there an issue during cert enrolment?
3. Check that the RA Cert is correct
4. Check that CA Template has root/intermediate certs configured
5. Check SCEP server url and that it is http
6. Double check that challenge password in CSR is correct:

 openssl req -in test.csr -noout -text

7. Check that the vedscep URL (http://venafiserver.local/vedscep/) works with a browser. It should return "Bad Request"


Other scep related resources:

SSCEP source code -

NDES/SCEP Windows Test Tool -

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request