The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).

Note

SCEP was developed to support the secure, scalable issuance of certificates to network devices by using existing certification authorities (CAs). The protocol supports CA and registration authority public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation queries.

The Network Device Enrollment Service performs the following functions:

  • Generates and provides one-time enrollment passwords to administrators.

  • Submits SCEP enrollment requests to the CA.

  • Retrieves enrolled certificates from the CA and forwards them to the network device.

Enrolling for a certificate with the Network Device Enrollment Service involves the software used to manage the network device, the registration authority, the computer hosting the Network Device Enrollment Service, and the CA.

You must be a registration authority for the CA and an administrator on the network device to complete this procedure. For more information, see Implement Role-Based Administration.

To request and enroll for a certificate by using the Network Device Enrollment Service
  1. Run the software used to manage the network device, and use this software to generate an RSA public/private key pair configured for one of the following:

    • Signing and signature verification

    • Encryption and decryption

    • Signing, signature verification, encryption, and decryption

  2. Use the device software to forward this key pair to the registration authority on the computer hosting the Network Device Enrollment Service.

  3. Open a Web browser, and go to http://localhost/certsrv/mscep_admin.

  4. If the password table is not full, the Network Device Enrollment Service will create a random password and embed it in an HTML page that is returned to the caller.

    Note

    Every time you connect to this URL, a different challenge password is displayed. Each challenge password is valid for 60 minutes and can only be used once.

  5. Use the device software, along with the password, to submit a certificate request through the Network Device Enrollment Service, which relays the request to the CA.

  6. If the enrollment request is successful, the requested certificate is returned to the device from the CA through the Network Device Enrollment Service.

By default, the Network Device Enrollment Service can only cache five passwords at a time. If the password cache is full when you submit a password request, you must do one of the following before resubmitting your request:

  • Wait until one of the passwords has expired before submitting a new request.

  • Stop and restart Internet Information Services (IIS) to delete all passwords stored in the cache.

  • Configure the service to cache more than five passwords at a time.
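The following PowerShell script is an added example, not part of the original page or of the Network Device Enrollment Service itself. It covers the administrator's side of steps 3 and 4 (requesting the one-time challenge password from the mscep_admin page) and the password-cache handling described in the list above (wait for an expiry, restart IIS, or raise the cache size). It assumes it runs on the NDES host under a registration authority account with Windows integrated authentication, that the returned HTML renders the challenge password as a 16-character hexadecimal token (an assumption about the page layout, not something this page states), and that the cache size is held in the `PasswordMax` value under `HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP` (an NDES registry value documented elsewhere by Microsoft, not on this page; confirm it on your system before relying on it).

```powershell
# Added example: obtain a one-time SCEP challenge password from NDES and
# handle a full password cache. Not code from the original page or from NDES.

$NdesAdminUrl = 'http://localhost/certsrv/mscep_admin'   # URL given on the page

function Get-NdesChallengePassword {
    param(
        [string]$Uri = $NdesAdminUrl,
        [int]$MaxAttempts = 3,
        [int]$RetrySeconds = 300   # cached passwords expire after 60 minutes; wait before retrying
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # -UseDefaultCredentials sends the logged-on RA account's Windows credentials
        $response = Invoke-WebRequest -Uri $Uri -UseDefaultCredentials -UseBasicParsing

        # Assumption: the admin page renders the password as a 16-character uppercase hex token
        if ($response.Content -match '\b([0-9A-F]{16})\b') {
            return [pscustomobject]@{
                Password  = $Matches[1]
                IssuedAt  = Get-Date
                ExpiresAt = (Get-Date).AddMinutes(60)   # page: valid for 60 minutes, single use
            }
        }

        # No password in the response: the cache (five entries by default) is probably full.
        # Waiting for an entry to expire is the first option the page lists.
        Write-Warning "No challenge password returned (attempt $attempt of $MaxAttempts); the password cache may be full."
        if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $RetrySeconds }
    }
    throw "NDES did not return a challenge password after $MaxAttempts attempts."
}

function Get-NdesPasswordCacheSize {
    # Assumed registry location of the cache limit; NDES uses 5 when the value is absent
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    $item = Get-ItemProperty -Path $key -Name 'PasswordMax' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 5 }
    return [int]$item.PasswordMax
}

function Set-NdesPasswordCacheSize {
    # Third option on the page: allow more than five cached passwords.
    # Requires local administrator rights on the NDES host.
    param([Parameter(Mandatory)][int]$Count)
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    New-ItemProperty -Path $key -Name 'PasswordMax' -PropertyType DWord -Value $Count -Force | Out-Null
    # Assumption: NDES reads the value at start-up, so restart IIS afterwards.
    # Note that restarting IIS also discards every password currently in the cache (second option on the page).
    Write-Host "PasswordMax set to $Count; run 'iisreset' for NDES to apply it."
}

# Usage: hand the password to the device operator over a trusted channel. It is
# single-use and expires after 60 minutes, so avoid writing it to shared logs.
$challenge = Get-NdesChallengePassword
"Cache limit: $(Get-NdesPasswordCacheSize) passwords"
"Challenge password issued at $($challenge.IssuedAt), expires $($challenge.ExpiresAt)"
```

The retry loop deliberately treats a response with no password as the cache-full case rather than an error, because the page describes that condition as normal operation that clears itself once a password expires; raise the cache limit only if the device-enrollment rate genuinely exceeds five outstanding passwords per hour, since every cached password is a live credential until it is used or times out.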