Configuring network device enrollment

Both the Platforms tree and Server object contain Network Device Enrollment tabs where you can set default parameters to manage Simple Certificate Enrollment Protocol (SCEP) certificates.

To configure NDE from the Trust Protection Platform server object

1. From the Platform menu bar, click Policy Tree.

2. From the Tree drop-down menu, click the Platforms tree, and then click the Trust Protection Platform server object.
3. Click the Network Device Enrollment tab.

4. Refer to the following table while completing the configuration:

   Field	Policy	Description
   Settings tab
   General
   Description	n/a	Available for both Platforms and the Server object. The description for the NDE service for the Trust Protection Platform server object.
   Contact		Available for both Platforms and the Server object. The user or group Identities assigned to the Network Device Enrollment Service (NDES). Administrators may reference this contact when configuring Notification Rules to provide notification for NDE events. The default contact is the master administrator.
   Certificate Origin		The value to be used as the friendly name of the system requesting the certificates. It is used for reporting purposes only. The friendly name will automatically receive the SCEP prefix. For example, if you enter AirWatch, then the Certificate Origin will appear in Trust Protection Platform as SCEP-AirWatch.
   Compatibility
   Issue Certificate for Identical SCEP Requests	n/a	Enabling this option allows SCEP clients to re-enroll certificates with the same private key used in the initial enrollment. Usually, this is needed when Cisco devices are used, and private key regeneration is not set. If you use this, you must also enable the SCEP Reply Delay option.
   SCEP Reply Delay	n/a	Available only for the Trust Protection Platform Server object. Enabling this option delays the response time until the certificate finishes the enrollment process and it helps ensure compatibility. Some SCEP implementations do not support the Pending status.
   Default CA
   Default Challenge Password		Available for both Platforms and Server objects. The default password credential is used by SCEP-enabled devices to authenticate with the Trust Protection Platform server. The value can also be used for CA-specific enrollments that do not include a challenge password. To include the value as part of the default SCEP URL, enable Match Challenge Password to folder.
   Default Certificate Container		Available for both Platforms and the Server object. The default Policy folder to hold Certificate objects for SCEP certificates. This setting applies when both conditions are met: There are no overriding NDE rules enabled in the Policy tree. The SCEP-enabled device fails to submit the folder Distinguished Name (DN) with the challenge password. For more information, see Using rules to manage SCEP Certificate objects.
   Default Certificate Authority		Available for both Platforms and the Server object. The Certificate Authority (CA) Template object to process all enrollment requests submitted at the default URL. The CA Template object provides the information for SCEP to submit CSRs and retrieve certificates from the CA. For more information about CA Template objects, see Certificate Authority template overview.
   RA Certificate Credential		This is the registration authority (RA) certificate. The RA certificate links the current RA certificate credential to certificates in the default certificate container. The RA certificate is submitted to SCEP-enabled devices in response to a GET CA and to the issuing CA when submitting an enrollment request. You must have view, read, and Private Key read permissions to the certificate object to select it in the Certificate Selector dialog. Trust Protection Platform must have a copy of the RA certificate private key. This setting is configurable from either the Platforms or Server objects.
   RA Signing Certificate Credential		Depending on whether you specified a single combined certificate or a separate Signing and Encryption certificate, select this credential, which should be linked to the RA signing certificate. specifies a single combined certificate or a separate Signing and Encryption certificate. This setting is configurable from either the Platforms or Server objects.
   RA Encryption Certificate Credential		Select this credential, which should be linked to the RA encryption certificate. This setting is configurable from either the Platforms or Server objects.
   One-Time Challenge
   Authorized Users/Groups		Available for both Platforms and the Server object. The Network Device Enrollment Service (NDES) identity user or groups.
   Maximum # of challenges		Available for both Platforms and the Server object. The number of NDES password challenge attempts.
   Challenge validity time		Available for both Platforms and the Server object. The number of minutes that each challenge is valid.
   Rules Tab		Available only for the Trust Protection Platform Server object. The rules are listed in order of precedence.
   Configured SCEP Rules		Use to add SCEP rules. The default rule requires you to define a Folder DN as the container to hold certificates from the SCEP.
   Settings		A set of checkboxes that represent rules.
   Match X.509 Subject to existing certificate object	n/a	The rule with the highest priority. Overrides all other settings. Applies to certificates enrolled both at the default SCEP URL and CA-specific URLs. Trust Protection Platform does one of the following: If the Certificate object exists anywhere in the Policy tree, Trust Protection Platform uses that Certificate object in its current folder and disregards all other NDE rules. If there is no match for the certificate CA, Trust Protection Platform enrolls the certificate based on the CA settings in the server object. If the existing certificate CA fails to match the CA value from the SCEP enrollment request, Trust Protection Platform enrolls the certificate with the CA specified in the SCEP enrollment request. If the Certificate object is missing from the Policy tree, Trust Protection Platform creates the Certificate object in the Policy tree. TIP  To block certificate renewal without the knowledge of the SCEP device, use the Certificate setting called Disable Automatic Renewal. For more information, see About certificate object settings.
   Limit certificate objects by CA ident	n/a	This is a sub-option that is available when Match X.509 Subject to existing certificate object is enabled. This sub-option restricts the search for the existing certificate object to the corresponding policy folder only, based on the CA ident included in the SCEP enrollment request.
   Accept container in challenge password	n/a	The rule to allow the SCEP-enabled device to include a folder DN with the challenge password (default_password:folder_DN) as part of the request to Trust Protection Platform: Overrides the default certificate folder in the Policy object, CA-specific folders defined in folder, and all NDE folder rules defined in folder. Can only contain the default password. If the SCEP-enabled device submits a folder_DN with a CA-specific challenge password instead of the default password, Trust Protection Platform ignores the folder_DN. For example, to create Certificate objects in the NonCorp policy, SCEP request includes: default_password:\Policy\NonCorp
   Allow X.509 Subject container rules	n/a	This rule overrides Challenge Password rules defined in the folder. Shows and enables X.509 Subject rules that are defined on this tab. The X.509 Subject rules: Match certificates to specific policy folders based on CSR-related criteria such as Common Name, Organization, Organizational Unit, or City. Apply only to certificates enrolled at the default URL: http(s)://VED_server_address/vedscep/. Ignore when a CSR is submitted at a CA-specific URL. After you allow this rule-type, you must define the rule criteria in the folder where you want Trust Protection Platform to create Certificate objects for SCEP certificates. For more information, see Using rules to manage SCEP Certificate objects.
   Match challenge password to container	n/a	The rule to enable the Challenge Password rules that are defined on this tab. Challenge Password rules match the challenge password set on a Policy object with the challenge password provided in a SCEP enrollment request submitted at Trust Protection Platform’s default SCEP URL (http(s)://VED_server_address/vedscep/). Challenge Password rules defined in folder apply only to certificates enrolled at the default URL: http(s)://VED_server_address/vedscep/. Trust Protection Platform ignores Challenge Password rules if a CSR is submitted at a CA-specific URL. After you allow this rule-type, you must define unique challenge passwords in the folder where you want Trust Protection Platform to create Certificate objects for SCEP certificates. After you define your challenge passwords in the Policy tree, you then configure your SCEP devices to use the challenge password that corresponds to the Policy object where you want to create its corresponding Certificate object.
   Support additional CAs configured on policies	n/a	The rule to allow multiple CA templates for SCEP. The Trust Protection Platform server reads both the CA template settings and the default CA settings defined in server object. If this rule is disabled, multiple CA template settings are ignored. Trust Protection Platform uses only the Default CA configuration in the server object and SCEP enrollment requests can only be submitted at the default SCEP URL.

5. Configure the NDE settings on the Server object, and then click Save. For more information, see Network device enrollment settings—Platforms and Server object.

   CAUTION  If you change the NDE settings in the Trust Protection Platform Server object, the changes take effect after the VEDScep application pool is recycled. Either recycle the VEDScep application pool in IIS or issue the iisreset/restart command.

6. To create rules for enrollment and certificate object storage, see Using rules to manage SCEP Certificate objects.

After you define the default CA parameters, SCEP-enabled devices can connect with the Trust Protection Platform server at the default SCEP URL: http(s)://VED_server_address/vedscep/.