Network device enrollment settings—Platforms and Server object
You can set rules for managing Simple Certificate Enrollment Protocol (SCEP) certificates for network device enrollment (NDE)-enabled devices. In the root Platforms and the Server object, these tabs provide the credentials to enroll the device, and settings to store the certificate in Trust Protection Platform.
You can also set policy rules for managing the certificates in a container or policy folder. For more information, see Using a policy to configure NDE.
Trust Protection Platform has the ability to emulate a Microsoft NDES server. This allows Trust Protection Platform to be compatible with all SCEP clients that have out-of-the-box compatibility with Microsoft NDES servers. Example URLs:
- SCEP certificate enrollment: https://[Trust Protection Platform Server]/certsrv/mscep
- SCEP one-time challenge passphrase: https://[Trust Protection Platform Server]/certsrv/mscep_admin
NOTE If you change the NDE settings in the Trust Protection Platform server object, the changes are not effective until the SCEP application pool is recycled. Either recycle the VEDScep application pool in IIS or issue the iisreset/restart command.
NOTE Previous versions of Trust Protection Platform contained the Enable AirWatch Workaround option. This option is no longer needed. Instead, when AirWatch is used, we recommended specifying both RA Signing Certificate Credential and RA Encryption Certificate Credential instead of only RA Certificate Credential.
Field |
Policy |
Description |
Settings tab |
||
General |
||
Description |
n/a |
Available for both Platforms and the Server object. The description for the NDE service for the Trust Protection Platform server object. |
Contact |
|
Available for both Platforms and the Server object. The user or group Identities assigned to the Network Device Enrollment Service (NDES). Administrators may reference this contact when configuring Notification Rules to provide notification for NDE events. The default contact is the master administrator. |
Certificate Origin |
|
The value to be used as the friendly name of the system requesting the certificates. It is used for reporting purposes only. The friendly name will automatically receive the SCEP prefix. For example, if you enter AirWatch, then the Certificate Origin will appear in Trust Protection Platform as SCEP-AirWatch. |
Compatibility |
||
Issue Certificate for Identical SCEP Requests |
n/a |
Enabling this option allows SCEP clients to re-enroll certificates with the same private key used in the initial enrollment. Usually, this is needed when Cisco devices are used, and private key regeneration is not set. If you use this, you must also enable the SCEP Reply Delay option. |
SCEP Reply Delay
|
n/a |
Available only for the Trust Protection Platform Server object. Enabling this option delays the response time until the certificate finishes the enrollment process and it helps ensure compatibility. Some SCEP implementations do not support the Pending status. |
Default CA |
|
|
---|---|---|
Default Challenge Password |
|
Available for both Platforms and Server objects. The default password credential is used by SCEP-enabled devices to authenticate with the Trust Protection Platform server. The value can also be used for CA-specific enrollments that do not include a challenge password. To include the value as part of the default SCEP URL, enable Match Challenge Password to folder. |
Default Certificate Container |
|
Available for both Platforms and the Server object. The default Policy folder to hold Certificate objects for SCEP certificates. This setting applies when both conditions are met:
For more information, see Using rules to manage SCEP Certificate objects. |
Default Certificate Authority |
|
Available for both Platforms and the Server object. The Certificate Authority (CA) Template object to process all enrollment requests submitted at the default URL. The CA Template object provides the information for SCEP to submit CSRs and retrieve certificates from the CA. For more information about CA Template objects, see Certificate Authority template overview. |
RA Certificate Credential |
This is the registration authority (RA) certificate. The RA certificate links the current RA certificate credential to certificates in the default certificate container. The RA certificate is submitted to SCEP-enabled devices in response to a GET CA and to the issuing CA when submitting an enrollment request.
This setting is configurable from either the Platforms or Server objects. |
|
RA Signing Certificate Credential |
|
Depending on whether you specified a single combined certificate or a separate Signing and Encryption certificate, select this credential, which should be linked to the RA signing certificate. specifies a single combined certificate or a separate Signing and Encryption certificate. This setting is configurable from either the Platforms or Server objects. |
RA Encryption Certificate Credential |
|
Select this credential, which should be linked to the RA encryption certificate. This setting is configurable from either the Platforms or Server objects. |
One-Time Challenge |
||
Authorized Users/Groups |
|
Available for both Platforms and the Server object. The Network Device Enrollment Service (NDES) identity user or groups. |
Maximum # of challenges |
Available for both Platforms and the Server object. The number of NDES password challenge attempts. |
|
Challenge validity time |
Available for both Platforms and the Server object. The number of minutes that each challenge is valid. |
|
Rules Tab
|
Available only for the Trust Protection Platform Server object. The rules are listed in order of precedence. |
|
Configured SCEP Rules |
|
Use to add SCEP rules. The default rule requires you to define a Folder DN as the container to hold certificates from the SCEP. |
Settings |
|
A set of checkboxes that represent rules. |
Match X.509 Subject to existing certificate object |
n/a |
The rule with the highest priority. Overrides all other settings. Applies to certificates enrolled both at the default SCEP URL and CA-specific URLs. Trust Protection Platform does one of the following:
TIP To block certificate renewal without the knowledge of the SCEP device, use the Certificate setting called Disable Automatic Renewal. For more information, see About certificate object settings. |
Limit certificate objects by CA ident |
n/a |
This is a sub-option that is available when Match X.509 Subject to existing certificate object is enabled. This sub-option restricts the search for the existing certificate object to the corresponding policy folder only, based on the CA ident included in the SCEP enrollment request. |
Accept container in challenge password |
n/a |
The rule to allow the SCEP-enabled device to include a folder DN with the challenge password (default_password:folder_DN) as part of the request to Trust Protection Platform:
For example, to create Certificate objects in the NonCorp policy, SCEP request includes: default_password:\Policy\NonCorp |
Allow X.509 Subject container rules |
n/a |
This rule overrides Challenge Password rules defined in the folder. Shows and enables X.509 Subject rules that are defined on this tab. The X.509 Subject rules:
After you allow this rule-type, you must define the rule criteria in the folder where you want Trust Protection Platform to create Certificate objects for SCEP certificates. For more information, see Using rules to manage SCEP Certificate objects. |
Match challenge password to container |
n/a |
The rule to enable the Challenge Password rules that are defined on this tab. Challenge Password rules match the challenge password set on a Policy object with the challenge password provided in a SCEP enrollment request submitted at Trust Protection Platform’s default SCEP URL (http(s)://VED_server_address/vedscep/). Challenge Password rules defined in folder apply only to certificates enrolled at the default URL: http(s)://VED_server_address/vedscep/. Trust Protection Platform ignores Challenge Password rules if a CSR is submitted at a CA-specific URL.
After you define your challenge passwords in the Policy tree, you then configure your SCEP devices to use the challenge password that corresponds to the Policy object where you want to create its corresponding Certificate object. |
Support additional CAs configured on policies |
n/a |
The rule to allow multiple CA templates for SCEP. The Trust Protection Platform server reads both the CA template settings and the default CA settings defined in server object. If this rule is disabled, multiple CA template settings are ignored. Trust Protection Platform uses only the Default CA configuration in the server object and SCEP enrollment requests can only be submitted at the default SCEP URL. |