Network device enrollment settings—Platforms and Server object

You can set rules for managing Simple Certificate Enrollment Protocol (SCEP) certificates for network device enrollment (NDE)-enabled devices. In the root Platforms and the Server object, these tabs provide the credentials to enroll the device, and settings to store the certificate in Trust Protection Platform.

You can also set policy rules for managing the certificates in a container or policy folder. For more information, see Using a policy to configure NDE.

Trust Protection Platform can emulate a Microsoft NDES server, so any SCEP client that works with Microsoft NDES out of the box can enroll against Trust Protection Platform without changes. Example URLs:

  • SCEP certificate enrollment: https://[Trust Protection Platform Server]/certsrv/mscep
  • SCEP one-time challenge passphrase: https://[Trust Protection Platform Server]/certsrv/mscep_admin

NOTE  If you change the NDE settings in the Trust Protection Platform server object, the changes do not take effect until the SCEP application pool is recycled. Either recycle the VEDScep application pool in IIS or run iisreset /restart.

NOTE  Previous versions of Trust Protection Platform contained the Enable AirWatch Workaround option. This option is no longer needed. Instead, when AirWatch is used, we recommend specifying both RA Signing Certificate Credential and RA Encryption Certificate Credential rather than only RA Certificate Credential.

Each field below is listed with its name, whether the setting can also be applied through a Policy folder (n/a when it cannot), and a description.

Settings tab

General

Description

n/a

Available for both Platforms and the Server object. A free-text description of the NDE service.

Contact

Available for both Platforms and the Server object. The user or group Identities assigned to the Network Device Enrollment Service (NDES). Administrators may reference this contact when configuring Notification Rules to provide notification for NDE events.

The default contact is the master administrator.

Certificate Origin

The value used as the friendly name of the system requesting the certificates. It is used for reporting purposes only.

The friendly name automatically receives the SCEP- prefix. For example, if you enter AirWatch, the Certificate Origin appears in Trust Protection Platform as SCEP-AirWatch.

Compatibility

Issue Certificate for Identical SCEP Requests

n/a

Enabling this option allows SCEP clients to re-enroll certificates with the same private key used in the initial enrollment. This is usually needed for Cisco devices on which private key regeneration is not configured. Note that re-using the key forgoes the key rotation that a renewal normally provides. If you enable this option, you must also enable the SCEP Reply Delay option.

SCEP Reply Delay

n/a

Available only for the Trust Protection Platform Server object.

Enabling this option holds the SCEP response until the certificate has finished the enrollment process, instead of returning a Pending status for the client to poll. Use it for SCEP implementations that do not support the Pending status.

Default CA

Default Challenge Password

Available for both Platforms and Server objects. The default password credential is used by SCEP-enabled devices to authenticate with the Trust Protection Platform server. The value can also be used for CA-specific enrollments that do not include a challenge password.

To include the value as part of the default SCEP URL, enable Match Challenge Password to folder.

Default Certificate Container

Available for both Platforms and the Server object. The default Policy folder to hold Certificate objects for SCEP certificates. This setting applies when both conditions are met:

  • There are no overriding NDE rules enabled in the Policy tree.
  • The SCEP-enabled device fails to submit the folder Distinguished Name (DN) with the challenge password.

For more information, see Using rules to manage SCEP Certificate objects.

Default Certificate Authority

Available for both Platforms and the Server object. The Certificate Authority (CA) Template object to process all enrollment requests submitted at the default URL.

The CA Template object provides the information for SCEP to submit CSRs and retrieve certificates from the CA. For more information about CA Template objects, see Certificate Authority template overview.

RA Certificate Credential

This is the registration authority (RA) certificate credential. Certificate objects created in the default certificate container are linked to this credential. Trust Protection Platform presents the RA certificate to SCEP-enabled devices in response to a GetCACert (GET CA) request and uses it when submitting enrollment requests to the issuing CA.

  • You must have view, read, and Private Key read permissions to the certificate object to select it in the Certificate Selector dialog.
  • Trust Protection Platform must have a copy of the RA certificate private key.

This setting is configurable from either the Platforms or Server objects.

RA Signing Certificate Credential

Use this field when the RA uses separate signing and encryption certificates rather than a single combined RA certificate. Select the credential linked to the RA signing certificate, and set RA Encryption Certificate Credential to the credential linked to the RA encryption certificate.

This setting is configurable from either the Platforms or Server objects.

RA Encryption Certificate Credential

Select this credential, which should be linked to the RA encryption certificate.

This setting is configurable from either the Platforms or Server objects.

One-Time Challenge

Authorized Users/Groups

Available for both Platforms and the Server object. The user or group Identities that are allowed to obtain one-time challenge passphrases from the Network Device Enrollment Service (NDES), that is, from the mscep_admin URL shown above.

Maximum # of challenges

Available for both Platforms and the Server object. The number of NDES password challenge attempts.

Challenge validity time

Available for both Platforms and the Server object. The number of minutes that each challenge is valid.
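What the three One-Time Challenge settings mean operationally, as an added example in Python. This is a model written for this page, not Trust Protection Platform's own code. It assumes that identities are plain strings, that Maximum # of challenges caps the number of unredeemed, unexpired passphrases (the page does not say which count the setting limits), that each passphrase is single-use, and that passphrases are 16 hex characters; all of these are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class OneTimeChallengeService:
    """Issues and redeems one-time SCEP challenge passphrases.
    A model of the One-Time Challenge settings, not Trust Protection Platform's code."""
    authorized: Set[str]                    # Authorized Users/Groups (identity names; assumed form)
    max_challenges: int = 5                 # Maximum # of challenges (assumed: cap on unredeemed, unexpired passphrases)
    validity_minutes: int = 60              # Challenge validity time
    clock: Callable[[], float] = time.time  # injectable so expiry can be tested without waiting
    _issued: Dict[str, float] = field(default_factory=dict)  # passphrase -> expiry (epoch seconds)

    def _purge_expired(self) -> None:
        now = self.clock()
        for pw in [p for p, expiry in self._issued.items() if expiry <= now]:
            del self._issued[pw]

    def outstanding(self) -> int:
        """Number of passphrases that are issued, unredeemed and not yet expired."""
        self._purge_expired()
        return len(self._issued)

    def issue(self, requester: str) -> str:
        """Hand a fresh passphrase to an authorized identity, as the mscep_admin page does."""
        if requester not in self.authorized:
            raise PermissionError(f"{requester} is not authorized to request challenges")
        self._purge_expired()
        if len(self._issued) >= self.max_challenges:
            raise RuntimeError("challenge limit reached; wait for outstanding challenges to be redeemed or expire")
        passphrase = secrets.token_hex(8)  # 64 bits of randomness, 16 hex characters (assumed format)
        self._issued[passphrase] = self.clock() + self.validity_minutes * 60
        return passphrase

    def redeem(self, passphrase: str) -> bool:
        """Accept a passphrase once, and only while it is valid; a replayed CSR with the same value is refused."""
        self._purge_expired()
        return self._issued.pop(passphrase, None) is not None


if __name__ == "__main__":
    svc = OneTimeChallengeService(authorized={"nde-admins"}, max_challenges=2, validity_minutes=10)
    pw = svc.issue("nde-admins")
    print(svc.redeem(pw))  # True: first use
    print(svc.redeem(pw))  # False: single use
```

Short validity windows and a low challenge cap limit how long a leaked passphrase is useful and how many can be harvested at once; the trade-off is that an enrollment must complete within the window.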

Rules Tab

Available only for the Trust Protection Platform Server object. The rules are listed in order of precedence.

Configured SCEP Rules

Use to add SCEP rules. The default rule requires you to define a Folder DN as the container to hold certificates enrolled through SCEP.

Settings

A set of checkboxes that enable the rules described below.

Match X.509 Subject to existing certificate object

n/a

The rule with the highest priority. It overrides all other settings and applies to certificates enrolled both at the default SCEP URL and at CA-specific URLs. Trust Protection Platform does one of the following:

  • If a matching Certificate object exists anywhere in the Policy tree, Trust Protection Platform uses that Certificate object in its current folder and disregards all other NDE rules.
  • If the existing Certificate object's CA cannot be matched, Trust Protection Platform enrolls the certificate based on the CA settings in the server object.
  • If the existing Certificate object's CA does not match the CA value in the SCEP enrollment request, Trust Protection Platform enrolls the certificate with the CA specified in the SCEP enrollment request.
  • If no matching Certificate object exists in the Policy tree, Trust Protection Platform creates the Certificate object in the Policy tree.

TIP  To block certificate renewal without the knowledge of the SCEP device, use the Certificate setting called Disable Automatic Renewal. For more information, see About certificate object settings.

Limit certificate objects by CA ident

n/a

This is a sub-option that is available when Match X.509 Subject to existing certificate object is enabled. This sub-option restricts the search for the existing certificate object to the corresponding policy folder only, based on the CA ident included in the SCEP enrollment request.

Accept container in challenge password

n/a

The rule to allow the SCEP-enabled device to include a folder DN with the challenge password (default_password:folder_DN) as part of the request to Trust Protection Platform. This rule:

  • Overrides the default certificate folder in the Policy object, the CA-specific folders defined on policy folders, and all NDE folder rules defined on policy folders.
  • Works only with the default password. If the SCEP-enabled device submits a folder_DN with a CA-specific challenge password instead of the default password, Trust Protection Platform ignores the folder_DN.

For example, to create Certificate objects in the NonCorp policy, the SCEP request includes:

default_password:\Policy\NonCorp

Allow X.509 Subject container rules

n/a

This rule overrides Challenge Password rules defined in the folder. It shows and enables the X.509 Subject rules that are defined on this tab. X.509 Subject rules:

  • Match certificates to specific policy folders based on CSR criteria such as Common Name, Organization, Organizational Unit, or City.
  • Apply only to certificates enrolled at the default URL: http(s)://VED_server_address/vedscep/.
  • Are ignored when a CSR is submitted at a CA-specific URL.

After you allow this rule type, define the rule criteria in the folder where you want Trust Protection Platform to create Certificate objects for SCEP certificates. For more information, see Using rules to manage SCEP Certificate objects.

Match challenge password to container

n/a

The rule to enable the Challenge Password rules that are defined on this tab.

Challenge Password rules match the challenge password set on a Policy object with the challenge password provided in a SCEP enrollment request submitted at Trust Protection Platform's default SCEP URL (http(s)://VED_server_address/vedscep/). Trust Protection Platform ignores Challenge Password rules if a CSR is submitted at a CA-specific URL.

After you allow this rule type, define a unique challenge password in each folder where you want Trust Protection Platform to create Certificate objects for SCEP certificates, then configure each SCEP device with the challenge password of the Policy object in which its Certificate object should be created.

Because the challenge password alone selects the folder, treat each folder's password as a credential: any device that knows it can enroll into that folder.
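The folder-selection behaviour described under Accept container in challenge password and Match challenge password to container, as an added example in Python. This is a model of the rules as documented on this page, not Trust Protection Platform's own code: the NdeRules class, its folder_passwords, ca_passwords and ca_containers fields, and the folder DNs and passwords are assumed for illustration. Existing-object matching and X.509 Subject rules are left out. Three behaviours the page does not spell out are modelled as assumptions: the default password is accepted at a CA-specific URL, a folder DN is refused when the rule is disabled, and a folder's unique password is refused at a CA-specific URL (where Challenge Password rules are ignored).

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class NdeRules:
    """Server-object settings that decide where a SCEP-enrolled certificate lands.
    A model of this page's rules, not Trust Protection Platform's own code."""
    default_password: str                       # Default Challenge Password
    default_container: str                      # Default Certificate Container (folder DN)
    accept_container_in_password: bool = False  # rule: Accept container in challenge password
    match_password_to_container: bool = False   # rule: Match challenge password to container
    # Assumed shapes for the policy-tree settings the rules consult:
    folder_passwords: Dict[str, str] = field(default_factory=dict)  # folder DN -> unique challenge password
    ca_passwords: Dict[str, str] = field(default_factory=dict)      # CA ident -> CA-specific challenge password
    ca_containers: Dict[str, str] = field(default_factory=dict)     # CA ident -> CA-specific folder DN


def _same(a: str, b: Optional[str]) -> bool:
    """Constant-time comparison so a wrong password fails in the same time as a right one."""
    return b is not None and hmac.compare_digest(a.encode(), b.encode())


def split_challenge(raw: str) -> Tuple[str, Optional[str]]:
    """Split 'default_password:folder_DN' at the first ':' into (password, folder_DN or None)."""
    password, sep, folder = raw.partition(":")
    return password, (folder if sep else None)


def resolve_container(rules: NdeRules, challenge: str, ca_ident: Optional[str] = None) -> str:
    """Return the policy folder DN for an enrollment, or raise PermissionError.

    ca_ident is None for a request at the default SCEP URL and the CA ident for a
    request at a CA-specific URL.
    """
    password, folder = split_challenge(challenge)

    # Default password: accepted at any URL (assumption) and the only one that may carry a folder DN.
    if _same(password, rules.default_password):
        if folder is not None:
            if rules.accept_container_in_password:
                return folder  # overrides the default folder, CA-specific folders and folder rules
            raise PermissionError("folder DN in challenge password not accepted")  # assumption
        if ca_ident is not None:
            return rules.ca_containers.get(ca_ident, rules.default_container)
        return rules.default_container

    # CA-specific URL: only that CA's own password is accepted, and any folder DN is ignored.
    if ca_ident is not None:
        if _same(password, rules.ca_passwords.get(ca_ident)):
            return rules.ca_containers.get(ca_ident, rules.default_container)
        raise PermissionError("challenge password rejected at CA-specific URL")

    # Default URL: a folder's unique password selects that folder, if the rule is enabled.
    if rules.match_password_to_container:
        for folder_dn, folder_pw in rules.folder_passwords.items():
            if _same(password, folder_pw):
                return folder_dn
    raise PermissionError("challenge password rejected")


def rejects(rules: NdeRules, challenge: str, ca_ident: Optional[str] = None) -> bool:
    """True when the request would be refused."""
    try:
        resolve_container(rules, challenge, ca_ident)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    rules = NdeRules(
        default_password="s3cret",
        default_container=r"\VED\Policy\Default",
        accept_container_in_password=True,
        match_password_to_container=True,
        folder_passwords={r"\VED\Policy\Mobile": "mobile-pw"},
        ca_passwords={"CorpCA": "corp-pw"},
        ca_containers={"CorpCA": r"\VED\Policy\CorpCA"},
    )
    print(resolve_container(rules, r"s3cret:\Policy\NonCorp"))            # \Policy\NonCorp
    print(resolve_container(rules, "mobile-pw"))                          # \VED\Policy\Mobile
    print(resolve_container(rules, r"corp-pw:\Policy\NonCorp", "CorpCA"))  # \VED\Policy\CorpCA (folder DN ignored)
    print(rejects(rules, "mobile-pw", "CorpCA"))                          # True
```

The last two calls show the edge cases the page calls out: a folder DN sent with a CA-specific password is dropped in favour of that CA's folder, and a folder's unique password does not authenticate at a CA-specific URL because Challenge Password rules only apply at the default URL.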

Support additional CAs configured on policies

n/a

The rule to allow multiple CA templates for SCEP. The Trust Protection Platform server reads both the CA template settings and the default CA settings defined in the server object.

If this rule is disabled, multiple CA template settings are ignored: Trust Protection Platform uses only the Default CA configuration in the server object, and SCEP enrollment requests can only be submitted at the default SCEP URL.