Deploying the Network Device Enrollment Service NDES component, part of the Active Directory Certificate Services ADCS, is a fairly easy task.
Once the installation is completed we need to test and verify the system is working properly but there are no tools available to perform such test. The only option for many administrators is to perform a real deployment using a device that supports SCEP and wait for the results.
After doing some research I found many tools that could perform SCEP operations but almost none of the tools was designated to perform a complete SCEP operation in Windows.
I managed to build a toolbox that works in Windows to test and verify NDES/SCEP deployment. The toolbox is a combination of Openssl and sscep from the The CertNanny Project.
SCEP Toolbox download:(1.2 MiB, 1,000)
Once you downloaded the toolbox and extracted the files, you need to follow the steps below to verify your NDES/SCEP deployment
- Get a new SCEP Challenge Password from your SCEP/NDES server
Direct your browser to http://172.16.1.20/certsrv/mscep_admin/
- Generate a certificate request providing a Common Name and the Challenge Password when prompted by openssl openssl.exe req -config scep.cnf -new -key priv.key -out test.csr
- Retrieve the CA and RA certificates from your SECP/NDES
sscep.exe getca -u http://172.16.1.20/certsrv/mscep/ -c ca.crt
Note: The getca operation will download the RA and CA certificates and save each cert in a file prefixed with a number: ca.crt-0, ca.crt-1, ca.crt-2
- Enroll a new certificate and make sure to specify the correct RA (-c flag) & CA (-e flag) certificates
sscep.exe enroll -u http://172.16.1.20/certsrv/mscep/ -k priv.key -r test.csr -l test.crt -c ca.crt-0 -e ca.crt-1
Note: The requested certificate is stored in the test.crt file