Hasain Alshakarti

Deploying the Network Device Enrollment Service NDES component, part of the Active Directory Certificate Services ADCS, is a fairly easy task.

Once the installation is completed we need to test and verify the system is working properly but there are no tools available to perform such test. The only option for many administrators is to perform a real deployment using a device that supports SCEP and wait for the results.

After doing some research I found many tools that could perform SCEP operations but almost none of the tools was designated to perform a complete SCEP operation in Windows.

I managed to build a toolbox that works in Windows to test and verify NDES/SCEP deployment. The toolbox is a combination of Openssl and sscep from the The CertNanny Project.

  SCEP Toolbox download:(1.2 MiB, 17,412)

Once you downloaded the toolbox and extracted the files, you need to follow the steps below to verify your NDES/SCEP deployment

1. Get a new SCEP Challenge Password from your SCEP/NDES server

   Direct your browser to http://172.16.1.20/certsrv/mscep_admin/

2. Generate a certificate request providing a Common Name and the Challenge Password when prompted by openssl

   openssl.exe req -config scep.cnf -new -key priv.key -out test.csr

3. Retrieve the CA and RA certificates from your SECP/NDES

   sscep.exe getca -u http://172.16.1.20/certsrv/mscep/ -c ca.crt

   Note: The getca operation will download the RA and CA certificates and save each cert in a file prefixed with a number: ca.crt-0, ca.crt-1, ca.crt-2

4. Enroll a new certificate and make sure to specify the correct RA (-c flag) & CA (-e flag) certificates

   sscep.exe enroll -u http://172.16.1.20/certsrv/mscep/ -k priv.key -r test.csr -l test.crt -c ca.crt-0 -e ca.crt-1

   Note: The requested certificate is stored in the test.crt file

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers not aware of functionality…) or uses filters that does not provide efficient reduction of the number of certificates presented to the user making it almost impossible for a user to know witch certificate to choose unless opening the certificate and looking at the details of template name, EKU, etc.

This is particularly true when all certificates has been automatically enrolled using the same user DN/CN attribute based on the users Active Directory user object attributes. In addition to that, Autoenrollment does not support variations in certificate subject name unless using some third party policy module installed on the Active Directory Certificates Services.

Knowing that the certificate selection UI supports certificate friendly names. Setting the certificate friendly name to include information about the certificate template can simplify the users task to select the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the certificate MMC SnapIn. Alternatively certutil.exe can be used in the following way:

Create a text file containing the following information:

[Version]
Signature = “$Windows NT$”
[Properties]
11 = “{text}My Friendly Name”

Save the file as friendlyname.inf

Determine the serialnumber of the certificate where the friendly name should be changed.

Run the following command at a command-line:
certutil –repairstore –user my {SerialNumber} FriendlyName.inf

Automating the friendly name can be achieved by either automating/scripting the steps above alternatively by creating a tool that enumerates all certificates in the personal store and assign the friendly name.

A proof of concept CertFN.exe tool was created to automate the above. The tool receives a parameter for the template name to use when filtering the user store, it then sets the friendly name based on the schema “Template Name – Certificate Subject Name”

  CertFN - Certificate Friendly Name Tool download:(39.3 KiB, 4,325)

  CertFN - Certificate Friendly Name Tool - The Powershell Edition download:(1.1 KiB, 5,551)