About Network Device Enrollment rules


To manage large numbers of SCEP-enrolled certificates, you create policy-based rules on the Network Device Enrollment Rules tab of the Platforms Server object.

Network Device Enrollment (NDE) rules are evaluated against the Subject of the Certificate Signing Request (CSR) or against the SCEP challenge password. If a CSR submitted to the default SCEP URL (VEDSCEP) matches an NDE rule, Trust Protection Foundation creates the Certificate object under the Policy object that the rule designates.

Trust Protection Foundation also provides a rule that tries to match the CSR Subject to an existing Certificate object in the Policy tree before it creates a new one.

For example, the Match X.509 Subject to Existing Certificate object rule performs these actions:

  • Before attempting to create a Certificate object in response to the enrollment request, Trust Protection Foundation searches the Policy tree for a Certificate object whose Subject matches the CSR Subject.
  • Based on what it finds, Trust Protection Foundation does one of the following:

    • If a matching Certificate object exists anywhere in the Policy tree, Trust Protection Foundation uses that Certificate object in its current folder and disregards all other NDE rules.
    • If a matching Certificate object exists but the CA configured on it does not match the CA configured for the SCEP enrollment request, Trust Protection Foundation enrolls the certificate with the CA configured in the Trust Protection Foundation server object.
    • If no matching Certificate object exists in the tree, Trust Protection Foundation creates a new Certificate object.
  • When Match X.509 Subject to Existing Certificate object is enabled, you also have the option to limit certificate objects by CA ident. This restricts the search for an existing Certificate object to the policy folder that corresponds to the CA ident included in the SCEP enrollment request, instead of searching the whole Policy tree.
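The decision steps above, written out as a small model so the two search modes and the CA-mismatch branch can be exercised side by side. This is an added example, not Trust Protection Foundation code: the policy folders, CA names, CA ident mapping and CSR subjects are constructed, the mapping from CA ident to policy folder is an assumption about how the "limit by CA ident" option is configured, and the case- and order-insensitive subject comparison is a modelling choice that the page does not state.

```python
"""Model of the "Match X.509 Subject to Existing Certificate object" NDE rule.

Added example; not product code. All folders, CA names and subjects below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN such as "CN=rtr1.example.net,O=Example" into
    {type: value}. Types are upper-cased and values stripped and lower-cased so
    comparisons ignore attribute order, surrounding whitespace and case
    (assumption: the product's exact comparison rules are not stated on the
    page). Escaped commas are not handled; the sample subjects contain none."""
    rdns: Dict[str, str] = {}
    for rdn in dn.split(","):
        if not rdn.strip():
            continue
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns[attr_type.strip().upper()] = value.strip().lower()
    return rdns


def subjects_equal(a: str, b: str) -> bool:
    """True when two subjects carry the same attributes and values."""
    return parse_dn(a) == parse_dn(b)


@dataclass
class CertificateObject:
    folder: str   # policy folder that holds the object
    subject: str  # X.509 Subject of the certificate it tracks
    ca: str       # CA template configured on the object


@dataclass
class Outcome:
    action: str   # "use-existing", "use-existing-server-ca" or "create"
    folder: Optional[str]
    ca: str


def match_subject_rule(csr_subject: str, request_ca: str, server_ca: str,
                       tree: List[CertificateObject],
                       ca_ident: Optional[str] = None,
                       ca_ident_folders: Optional[Dict[str, str]] = None) -> Outcome:
    """Apply the rule's decision steps to one enrollment request.

    With ca_ident_folders given, only the folder mapped from the request's CA
    ident is searched (the "limit certificate objects by CA ident" option);
    otherwise the whole tree is searched."""
    candidates = tree
    if ca_ident_folders is not None:
        folder = ca_ident_folders.get(ca_ident)
        candidates = [o for o in tree if o.folder == folder] if folder else []
    for obj in candidates:
        if subjects_equal(obj.subject, csr_subject):
            if obj.ca == request_ca:
                # Existing object in its current folder; other NDE rules skipped.
                return Outcome("use-existing", obj.folder, obj.ca)
            # CA on the object differs from the request's CA: enroll with the
            # CA configured on the server object instead.
            return Outcome("use-existing-server-ca", obj.folder, server_ca)
    # No match: a new object is created. Its folder is decided by the other
    # NDE rules, which this model does not implement (hence None).
    return Outcome("create", None, request_ca)


# Constructed sample tree, CA ident mapping and server CA (not real data).
TREE = [
    CertificateObject(r"\VED\Policy\Network\Branch",
                      "CN=rtr1.example.net,O=Example", "Internal Issuing CA"),
    CertificateObject(r"\VED\Policy\Network\Lab",
                      "CN=rtr2.example.net,O=Example", "Lab CA"),
]
CA_IDENT_FOLDERS = {"branch": r"\VED\Policy\Network\Branch",
                    "lab": r"\VED\Policy\Network\Lab"}
SERVER_CA = "Internal Issuing CA"


if __name__ == "__main__":
    # Whole-tree search: order and case of the CSR Subject do not matter.
    print(match_subject_rule("o=Example, cn=RTR1.example.net",
                             "Internal Issuing CA", SERVER_CA, TREE))
    # Match found, but the object's CA (Lab CA) differs from the request's CA.
    print(match_subject_rule("CN=rtr2.example.net,O=Example",
                             "Internal Issuing CA", SERVER_CA, TREE))
    # Same CSR, search limited to the "branch" folder: rtr2 is not there.
    print(match_subject_rule("CN=rtr2.example.net,O=Example", "Lab CA",
                             SERVER_CA, TREE, ca_ident="branch",
                             ca_ident_folders=CA_IDENT_FOLDERS))
```

The third call shows the practical effect of the CA ident restriction: a CSR whose Subject matches an object in another folder falls through to object creation instead of being attached to that object, which is the only control the page describes for narrowing where a Subject match can land.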