1. Deploy Certificate Server 2012 R2 #

Deploying a Windows Server 2012 R2 Certificate Authority

More and more services and device connections inside and outside of your network rely on certificate services.

Popular features that require a certificate include secure HTTPS connections to your web applications, device authentication for both domain and non-domain joined clients, Server 2012 R2 Work Folders, Direct Access, and more.

Before I dive into the technical aspects of certificates, CA, and the various types of certificates, let me give you a high-level comparison between using an internal vs. public Certificate Authority.

Internal CA:

  • Easy to manage
  • Can be configured as Active Directory integrated
  • No cost per certificate
  • Auto-enrollment feature makes configuration of clients/devices easier
  • Not really useful for internet-facing applications, as not trusted by external parties
  • Often more complex to install/configure than just buying a public SSL certificate

External CA:

  • No control of the Certificate Authority itself; you can only "buy" SSL certificates
  • No administration overhead
  • SSL certificates can become expensive, depending on types and functionalities
  • Not advised for configuring internal device authentication
  • Trusted by most browsers
  • Less flexible on SSL certificate properties


Install Active Directory Certificate Authority

From the Windows Server 2012 R2 Server Manager, click Add Roles and Features.

Select Active Directory Certificate Services.

[Screenshot: Install Active Directory Certificate Authority]

Click Add Features in the popup window to allow installation of the Certification Authority Management Tools.

[Screenshot: Install Active Directory Certificate Authority, add roles]

Select the options you want to install. I recommend the following role services:

– Certification Authority (this is your main CA)
– Certificate Enrollment Policy Web Service
– Certificate Enrollment Web Service (web portal to request certificates)
– Certification Authority Web Enrollment

[Screenshot: Install Active Directory Certificate Authority, role services]

Once installed, select AD CS in your Server Manager. Notice the warning that no configuration has been done yet. Click More.

[Screenshot: Install Active Directory Certificate Authority, AD CS post-deployment warning]

This will bring you to All Servers Task Details and Notifications. Click Configure Active Directory Certificate Services in the Action column. This will launch the AD CS configuration wizard.

Use the following parameters when going through the different steps in the wizard:

  • Role Services to configure: Certification Authority + Certification Authority Web Enrollment
  • Setup Type: Enterprise CA (if Active Directory integrated; otherwise choose Standalone CA)
  • CA Type: Root CA (if it is the first one) or Subordinate CA (additional CA in an existing authority)
  • Type of Private Key: in most cases, "create a new private key" will be the best option
  • Cryptographic options: RSA#Microsoft Software Key Storage Provider, 2048 as key length, SHA1 as hash algorithm (or any other combination for your situation; note that SHA-1 signatures are no longer accepted by current browsers and clients, so SHA256 is the safer choice today)

Enter a descriptive name for your Certificate CA in the Common Name field. In my example, I named it 2012R2 domain CA. Click Next.

Update the validity period to 5 years (or whatever fits your need).

Accept the default database locations or modify them according to your own requirements.

This completes the configuration of the first two CA components. Let's continue with the other two. In Select Role Services to configure, choose Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service.


Use the following parameters when going through the configuration wizard:

  • Specify CA: select the CA name (using Select…)
  • Type of Authentication: Windows Integrated
  • Service Account: use the built-in application pool identity
  • Authentication type for CEP: Windows Integrated
  • Specify Authentication Certificate: select an existing SSL certificate from the list

[Screenshot: AD CS configuration]

This completes the configuration of all required Certificate Authority services.

[Screenshot: AD CS configuration complete]
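The same deployment, scripted instead of clicked through. This is an added example, not code from the original guide; it uses the ADCSDeployment cmdlets that ship with Windows Server 2012 R2, reproduces the two wizard tables above, and ends with the same checks the "Verify Certificate Authority Functionality" section does by hand. The SSL certificate thumbprint is a constructed placeholder; the CA name is the one used in the guide.

```powershell
# Added example, not code from the original guide. Reproduces the AD CS configuration
# wizard settings from the two tables above with the ADCSDeployment cmdlets of
# Windows Server 2012 R2. Run elevated as an Enterprise Admin on the domain-joined CA host.
# Constructed value: the SSL certificate thumbprint. The CA name is the guide's own.

Import-Module ServerManager, ADCSDeployment

# Role services the guide installs through "Add Roles and Features".
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment,
    ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol -IncludeManagementTools

$caName   = '2012R2 domain CA'                 # Common Name used in the guide
$caConfig = "$env:COMPUTERNAME\$caName"        # "<host>\<CA name>" form the CES cmdlet expects

# Certification Authority: Enterprise Root CA, new private key, RSA/KSP, 2048-bit key,
# 5-year validity, default database paths. The guide picks SHA1; SHA256 is used here
# because SHA-1 signatures are rejected by current browsers and clients.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory "$env:SystemRoot\system32\CertLog" `
    -LogDirectory "$env:SystemRoot\system32\CertLog" `
    -Force

# Certification Authority Web Enrollment (the /certsrv portal).
Install-AdcsWebEnrollment -Force

# Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP).
# "Windows Integrated" in the wizard is -AuthenticationType Kerberos here. Both need an SSL
# certificate already in the machine store, selected by thumbprint (constructed placeholder).
$sslThumbprint = 'AA11BB22CC33DD44EE55FF6600112233445566AA'
Install-AdcsEnrollmentWebService -CAConfig $caConfig -AuthenticationType Kerberos `
    -ApplicationPoolIdentity -SSLCertThumbprint $sslThumbprint -Force
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
    -SSLCertThumbprint $sslThumbprint -Force

# The checks the guide does by hand (service running, green icon in the console,
# /certsrv reachable), as one function: certsvc status, RPC ping of the CA, portal HTTP status.
function Test-CaDeployment {
    param([string]$Config, [string]$PortalHost = $env:COMPUTERNAME)
    $svc    = Get-Service -Name certsvc
    $ping   = certutil -ping -config $Config 2>&1 | Out-String   # ends "... interface is alive" on success
    $portal = Invoke-WebRequest -Uri "http://$PortalHost/certsrv/" -UseDefaultCredentials -UseBasicParsing
    [pscustomobject]@{
        ServiceStatus = $svc.Status
        CaAlive       = ($ping -match 'interface is alive')
        PortalStatus  = $portal.StatusCode     # 200 when Web Enrollment answers
    }
}
Test-CaDeployment -Config $caConfig
```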

Verify Certificate Authority Functionality

To verify that the CA server is operational, we can check both from within our browser as well as by checking the Certificate Authority management console.

Using the Browser: Certificate Authority Web Services

From any server in the domain, you can connect to http://<CA-Server>/certsrv. This will launch the Certificate Authority Web Enrollment portal.

[Screenshot: Certificate Authority Web Enrollment portal]

We will use this portal later on to complete a certificate request…

Using the Certificate Authority Management Tool

From the CA server, start the Certificate Authority Management tool. If all is well, this will show your CA server with a green icon, meaning the different CA services are up and running.

[Screenshot: Certificate Authority Management Tool]

Complete an Internal Certificate Request

In this last step, we will walk through requesting an internal SSL certificate for an IIS web server in the domain from our internally deployed CA.

From within IIS, select your server. Click on Server Certificates in the middle pane.

On the right, click on Create Certificate Request.

Enter the different fields in the request template. The most important field here is the common name, which should be set to the same name as the URL you want to use (e.g. Workfolders.pdtit.be in my situation).

[Screenshot: Internal Certificate Request]

Complete the wizard with the default settings and save your request file as text file on your system.

In previous Windows Server versions it was sufficient to log on to your CA Web Enrollment portal again and copy/paste the details of the certificate request file. Alas, it won't work in Windows Server 2012 R2. If you perform the same steps, you are faced with the error message shown below.

  1. Log on to your CA server using your browser (http://<CAserver>/certsrv).
  2. Select Request a Certificate.
  3. Select Advanced Certificate Request.
  4. Select Create and Submit a Request to This CA.
  5. In the Certificate Template select Web Server.
  6. Copy/paste the contents from your certificate request file (the "garbage text," including the first and last line "— beginning of new request file —" and "— end of new request file —").
  7. Save your certificate output as a CER file.
  8. Copy this CER file over to your web server.
  9. From within IIS, select Complete Certificate Request.

Error message:

In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication.

This happens if your web server is not configured to use secure socket layer (SSL) for the CA Web Enrollment pages.

To resolve this issue, you must install an appropriate certificate on the web server hosting the CA Web Enrollment pages. Then, you must configure the Site Bindings for the web site to add the https port 443 binding.

Implementing SSL on a Web site in the domain with an Enterprise CA

The following example will assume that you have an Enterprise CA from which to issue certificates. Further, the assumption is that you have the Certification Authority Web Enrollment pages installed, either on that CA or on another computer in the domain. This example will walk through the steps necessary to do the following:

  1. Configure an appropriate certificate template for SSL certificates.
  2. Obtain a certificate for IIS using the certificate template.
  3. Configure HTTPS on the Default Web Site.
  4. Connect to the HTTPS location for certificate enrollment.
  • If you have the CA Web Enrollment pages installed on a different computer, you will also need to trust that computer for delegation.
  • To create or duplicate existing certificate templates, users only need the Create Child permission for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot and CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot containers.
  • You can review other permission settings under Implement Role-Based Administration.


Configure an appropriate certificate template for SSL certificates

  1. Connect to the Enterprise CA with the appropriate credentials and open the Certification Authority console.
  2. Expand the certification authority so that you can see Certificate Templates.
  3. Right-click Certificate Templates and then click Manage. If you don’t see these options, then run the following command: certtmpl.msc to open the Certificate Templates console.
  4. In the details pane of the Certificate Templates console, right-click the Web Server template and then click Duplicate Template. If you are prompted to select a template version, select 2003 and then click OK.
  5. In the General tab, under Template display name, type a name that you want to use for the template. For example, SSL Certificates.
  6. On the Security tab you must ensure the computer account has the ability to enroll for the template. To do so, click Add.
    • In Select Users, Computers, Service Accounts, or Groups, type the name of the user or group that you want to use for enrollment. Click Check Names, and then click OK.
    • Ensure that the user account or group that you want to use for enrollment is selected and then select the Allow checkbox that corresponds to the Enroll permission.
    • Click Add.
    • Click Object Types, select Computers, and then click OK.
    • Enter the name of the computer hosting the CA Web Enrollment pages. Click Check Names, and then click OK.
    • Ensure that the computer account hosting the CA Web Enrollment pages is selected and then select the Allow checkbox that corresponds to Enroll permission. Click OK.
  7. On the Subject Name tab select Build from this Active Directory information. Set the Subject name format to Common name. Under Include this information in alternate subject name, select the DNS name checkbox and clear the User principal name (UPN) checkbox. (Observation: for the certificate to appear in the Certificate Web Enrollment, it will be necessary to click and choose Supply in the request, instead of Build from this Active Directory information)
  8. On the Cryptography tab, ensure that the template is set to use a Minimum key size of 1024 bits or higher; 2048 bits or higher is preferred. Click OK.
  9. Close the Certificate Templates console and return to the Certificate Authority console.
  10. In the console tree of the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  11. In the Enable Certificate Templates dialog box click the new certificate template that you just configured and then click OK.

Obtain a certificate for IIS using the certificate template

  1. On the IIS server hosting the CA Web Enrollment pages, open an MMC console. To do so, you can open a command prompt, the run dialog box, or Windows PowerShell, type mmc and then press ENTER.
  2. In the new MMC console (Console1) click File, and then click Add/Remove Snap-in.
  3. From the list of Available snap-ins, select Certificates and then click Add.
  4. Select Computer account and then click Next.
  5. In Select Computer the Local computer is selected by default. Click Finish and then click OK.
  6. Expand Certificates (Local Computer) and then right-click Personal. Click All Tasks, and then click Request New Certificate.
  7. On the Certificate Enrollment wizard, click Next.
  8. On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and then click Next.
  9. On Certificate Enrollment, click Enroll. Click Finish.

Configure HTTPS on the Default Web Site

  1. On the IIS server hosting the CA Web Enrollment pages, open the Internet Information Services (IIS) Manager.
  2. Expand the server and Sites nodes until you can see Default Web Site.
  3. Click Default Web Site.
  4. On the Actions pane, click Bindings.
  5. In Site Bindings, click Add.
  6. In Add Site Binding, set Type to https.
  7. Set SSL certificate to the certificate that you issued to the server. You can confirm you have the correct certificate by clicking View. The certificate's purpose should be Ensures the identity of a remote computer. To further verify, you can click the Details tab of the certificate. Select Enhanced Key Usage and ensure that it reads Server Authentication. Click OK.
  8. On Add Site Binding, click OK. On Site Bindings, click Close.

Connect to the HTTPS location for certificate web enrollment

Instead of using the former http://servername/certsrv location, you must connect to https://servername/certsrv to request a certificate.
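The "obtain a certificate" and "configure HTTPS" procedures above, done from PowerShell. This is an added example, not part of the TechNet text; it assumes the duplicated template's name is SSLCertificates (the display name "SSL Certificates" without the space), that the server is domain-joined, and it uses a constructed host name. The EKU check is the scripted form of step 7's "Server Authentication" inspection.

```powershell
# Added example, not from the TechNet text above. Requests a certificate from the
# duplicated "SSL Certificates" template (template name assumed to be SSLCertificates),
# checks it carries the Server Authentication EKU as step 7 asks, and binds it to port 443
# on Default Web Site so /certsrv can be reached over HTTPS. Run elevated on the server
# hosting the CA Web Enrollment pages. The host name below is constructed.

Import-Module PKI, WebAdministration

$fqdn = 'ca.testbench.local'     # constructed; DNS name clients will use for /certsrv

# Enrolls from the Active Directory Enrollment Policy, like the Certificates MMC wizard.
# -DnsName only matters if the template's subject is set to "Supply in the request".
$result = Get-Certificate -Template 'SSLCertificates' -DnsName $fqdn `
            -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
$cert = $result.Certificate

function Test-ServerAuthEku {
    # Equivalent of View > Details > Enhanced Key Usage: the certificate must carry the
    # Server Authentication purpose (standard OID 1.3.6.1.5.5.7.3.1).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
}
if (-not (Test-ServerAuthEku $cert)) { throw 'Certificate lacks the Server Authentication EKU' }

# Site Bindings > Add > Type https, port 443, with the issued certificate.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" |
        New-Item -Path 'IIS:\SslBindings\0.0.0.0!443'
}

# Web enrollment must now be used over HTTPS, as the last step says; expect 200.
(Invoke-WebRequest -Uri "https://$fqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing).StatusCode
```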

2. NDES MSCEP Auto-enroll Certificate #


NDES is the name for what we used to call MSCEP, which was an 'add-on' for the Server 2003 family of servers. In Server 2008 it was renamed to NDES. It is a role service that runs on a Certificate Services server and is used to create a registration authority (RA) that can issue certificates from your PKI infrastructure to network devices, e.g. routers, firewalls and switches.

Installing Network Device Enrolment Service

I’m assuming you already have an Active Directory Certificate Services Server setup, if not you can deploy that and add in NDES at the same time.

1. Either: launch Server Manager > Manage > Add Roles and Features > under Active Directory Certificate Services select Network Device Enrolment Service.

[Screenshot: Install NDES 2012]

2. Or, from within PowerShell, run the following command:

Install-WindowsFeature -Name ADCS-Device-Enrollment

[Screenshot: Add NDES to Server 2012]

Configuring Network Device Enrollment Service

1. Create a domain user (below I've called it SVC_NDES) > add that user to the IIS_IUSRS group on the CA server. If IIS_IUSRS does not exist on your server, the group goes by its earlier name, IIS_WPG.

Added with PowerShell (user: SVC_NDES; password: see the password list). These cmdlets come from the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1):

  • Get-LocalGroup
  • Get-LocalGroupMember -Group "IIS_WPG"
  • Add-LocalGroupMember -Group "IIS_WPG" -Member "SVC_NDES"

[Screenshot: Service Account for NDES]

On a domain controller there are no local users and groups, so the account can instead be put in the domain's Administrators group (it will get more rights than needed).

[Screenshot: MSCEP user]

2. From within Server Manager launch the post deployment configuration wizard.

[Screenshot: Configure SCEP Windows]

3. Next.

[Screenshot: NDES Role Service]

4. Select Network Device Enrolment Service, (if not already selected).

[Screenshot: Cisco to Windows NDES]

5. Change the account details, to the service account you created above.

[Screenshot: Windows SCEP domain user]

6. Enter the details that will be used to enrol the RA certificate.

[Screenshot: RA certificate]

7. Accept the defaults > Next.

[Screenshot: NDES cryptography]

8. Configure.

[Screenshot: Enrol Cisco router]

9. Close.

[Screenshot: NDES Wizard]

10. Launch the Certification Authority management console > Certificate Templates > right click > Manage.

[Screenshot: IPSEC certificate template]

11. Open the properties of the 'IPSec (Offline request)' certificate template > Security tab > make sure the account you created (above) has the 'Enroll' permission.

[Screenshot: Enroll permissions for NDES]

NDES Disable Password Requirement.

I’ve read a few blogs and articles that say;

“There is no way for Cisco devices to supply the required password to enrol with NDES/MSCEP, so you need to disable the requirement for a password.”

This is NOT TRUE, however the whole point of issuing certificates via your PKI infrastructure, is that it can scale dramatically. If you are creating passwords and embedding those passwords in all your enrolments, it can get a little unwieldy. So it may be sensible to remove the password requirement.

1. Windows Key+R > regedit {Enter} > Navigate to;

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > EnforcePassword > EnforcePassword

To disable, change the value to 0 (zero). With the requirement disabled, any host that can reach the NDES enrollment URL can submit a request, so restrict network access to that URL accordingly.

[Screenshot: Disable NDES Password Enforce]

Below you can see the difference, with the password requirement enforced, and without.

[Screenshot: Get NDES password]

2. Restart the Certificate Services service;

net stop certsvc
net start certsvc

[Screenshot: Restart Certificate Services]

NDES More Password Options and Renewing Certificates

If you do want the more secure option of using passwords, but don't want to add a new password every time you have a new enrolment, you can specify that the password does not expire after the default 60 minutes; in fact it never expires. This is handy if you want to renew certificates without generating new passwords. To do that, carry out the following procedure;

1. Windows Key+R > regedit {Enter} > Navigate to;

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP > UseSinglePassword > UseSinglePassword

Set the value to 1 (one).

[Screenshot: NDES use single password]

2. Navigate to;

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP

Create a new 32-bit DWORD value called 'DisableRenewalSubjectNameMatch' and set the value to 1 (one).

[Screenshot: NDES renew certificate]

3. If (as above), you are running NDES under a service account, ensure that account has full control of the MSCEP key. (Again don’t forget to restart the Certificate Server service.)

[Screenshot: NDES renew certificate, MSCEP key permissions]

IIS Query String Problem

With the default IIS settings you may encounter some problems. This is because (by default) IIS will only accept a query string that's less than 2048 characters long. If that happens you may see the following errors;

  • Request URL Too Long
  • HTTP Error 414. The request URL is too long.
  • HTTP Error 404.15 – Not Found
  • The request filtering module is configured to deny a request where the query string is too long.

In the IIS logs you will see errors like:

  • 2014-05-14 16:12:39 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=hsca04 80 - Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 218
  • 2014-05-14 16:12:39 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation&message=<base64 encoded certificate request> 80 - - 404 15 0 15
  • 2014-05-14 16:19:21 GET /certsrv/mscep/ operation=GetCACert&message=any 80 - - 200 0 0 328
  • 2014-05-14 16:19:21 GET /certsrv/mscep/ operation=PKIOperation&message=<base64 encoded certificate request> 80 - - 404 15 0 703

To stop that happening, open a command window (Run as Administrator) and execute the following command. Note: if this 'wraps' in your browser, it is one command!

%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"4096" /commit:apphost

Then restart the web services: iisreset /noforce

[Screenshot: IIS Query String is too long]
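The NDES configuration, password-policy registry values, MSCEP key permissions and IIS query-string limit from the sections above, as one PowerShell script. This is an added example, not code from the original guide; the domain name, RA details and the password prompt are constructed, and it assumes the SVC_NDES domain user already exists.

```powershell
# Added example, not from the original guide. Scripts the NDES steps above: the
# ADCS-Device-Enrollment role, the SVC_NDES service account membership, the MSCEP registry
# values (EnforcePassword, UseSinglePassword, DisableRenewalSubjectNameMatch), Full Control
# on the MSCEP key for the service account, the IIS maxQueryString limit, and the certsvc
# restart. Run elevated on the CA/NDES host. Domain name, RA details and the password
# prompt are constructed; the SVC_NDES user is assumed to exist already.

Import-Module ServerManager, ADCSDeployment, WebAdministration

$svcAccount  = 'TESTBENCH\SVC_NDES'                  # constructed domain; guide's account name
$svcPassword = Read-Host -AsSecureString 'SVC_NDES password'

Install-WindowsFeature -Name ADCS-Device-Enrollment -IncludeManagementTools
# Step 1: group membership. Add-LocalGroupMember needs PowerShell 5.1's LocalAccounts module;
# on a box without it use: net localgroup IIS_IUSRS $svcAccount /add
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $svcAccount

# Steps 2-9: the post-deployment wizard (service account + RA certificate details).
Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $svcAccount `
    -ServiceAccountPassword $svcPassword -RAName 'Testbench NDES RA' -RACountry 'BE' -Force

$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Set-NdesPasswordPolicy {
    # EnforcePassword 0 = no challenge password (anyone who can reach the SCEP URL can
    # then enroll, so restrict network access if you choose this); 1 = enforced.
    # SinglePassword 1 = one non-expiring challenge instead of a fresh 60-minute one.
    # DisableRenewalSubjectNameMatch 1 = allow renewals, as in the guide's step 2.
    param([int]$EnforcePassword = 1, [int]$SinglePassword = 0, [int]$DisableRenewalSubjectNameMatch = 0)
    Set-ItemProperty -Path "$mscep\EnforcePassword"   -Name EnforcePassword   -Value $EnforcePassword
    Set-ItemProperty -Path "$mscep\UseSinglePassword" -Name UseSinglePassword -Value $SinglePassword
    New-ItemProperty -Path $mscep -Name DisableRenewalSubjectNameMatch -PropertyType DWord `
        -Value $DisableRenewalSubjectNameMatch -Force | Out-Null
}

function Get-NdesPasswordPolicy {
    # Read back the three values so the result can be checked after the restart.
    [pscustomobject]@{
        EnforcePassword                = (Get-ItemProperty "$mscep\EnforcePassword").EnforcePassword
        UseSinglePassword              = (Get-ItemProperty "$mscep\UseSinglePassword").UseSinglePassword
        DisableRenewalSubjectNameMatch = (Get-ItemProperty $mscep).DisableRenewalSubjectNameMatch
    }
}

# The guide's "more secure" variant: keep the password, make it non-expiring, allow renewals.
Set-NdesPasswordPolicy -EnforcePassword 1 -SinglePassword 1 -DisableRenewalSubjectNameMatch 1

# Step 3 of the password section: the service account needs Full Control of the MSCEP key.
$acl  = Get-Acl -Path $mscep
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $svcAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $mscep -AclObject $acl

# IIS request filtering: SCEP PKIOperation requests carry the CSR in the query string,
# so raise maxQueryString above the 2048 default (same change as the appcmd line above).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/requestFiltering/requestLimits' `
    -Name 'maxQueryString' -Value 4096

Restart-Service -Name certsvc
iisreset /noforce
Get-NdesPasswordPolicy
```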

Now you can get your network devices to enrol. In the next couple of days, I will post how to enrol from both a Cisco ASA and a Cisco Router.

Note: If your devices are going to be checking your PKI's CRL then you will need to set that up.

Cisco ASA – Enrolling for Certificates with NDES

To get your ASA 5500 firewall to enroll, and obtain a certificate from a Windows Server running NDES, this is the procedure you need to follow.


When dealing with certificates, it’s important that your firewall is maintaining the correct time. You can set this manually, but I’d recommend setting up NTP.

Cisco ASA – Configuring for NTP

1. Make sure the firewall can contact the NDES server; below I ping its IP address. Then set a hostname and domain name for the firewall. These are required to generate an RSA key pair on the firewall before we start.

Petes-ASA# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Petes-ASA# configure terminal
Petes-ASA(config)# hostname Firewall
Firewall(config)# domain-name testbench.local
Firewall(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait…
Firewall(config)#

2. Create a set of CA settings (a trustpoint), then authenticate to it.

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# enrollment url
Firewall(config-ca-trustpoint)# revocation-check crl
Firewall(config-ca-trustpoint)# enrollment retry count 3
Firewall(config-ca-trustpoint)# enrollment retry period 5
Firewall(config-ca-trustpoint)# fqdn Firewall.testbench.local
Firewall(config-ca-trustpoint)# crypto ca authenticate PNL-TRUSTPOINT

INFO: Certificate has the following attributes:
Fingerprint: 0454b8f4 73374de8 2fb034cb b887b1d4
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

3. If your NDES Server requires a password you can embed that.

NDES Server Removing or Enforcing Passwords

If you require a password you can obtain it from the NDES Server using the following URL.


This is the password you need to enter.

[Screenshot: NDES Password]

If it looks like (below), then password enforcement has been disabled, and you can skip the next step.

[Screenshot: NDES Password disabled]

Firewall(config)# crypto ca trustpoint PNL-TRUSTPOINT
Firewall(config-ca-trustpoint)# password EC4C68382A504339

4. Enroll for a certificate.

Firewall(config)# crypto ca enroll PNL-TRUSTPOINT
%
% Start certificate enrollment ..

% Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
Password: ********
Re-enter password: ********

% The fully-qualified domain name in the certificate will be: Firewall.testbench.local

% Include the device serial number in the subject name? [yes/no]: yes

% The serial number in the certificate will be: 123456789AB

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
Firewall(config)# The certificate has been granted by CA!


5. If you have a look at the Certificate Server you will also see that the certificate has been issued.

[Screenshot: Issued certificate on the Certificate Server]

Remember: we set the device to check the Certificate Server's CRL, so make sure that's set up properly and the device can resolve its name.

Windows Certificate Services – Setting up a CRL

WHY and Setup PKI.

One of the often overlooked tasks of a PKI deployment is setting up your Certificate Services CRL. For smaller deployments with only one server, you don't have to worry about how this will be designed (though a CRL does not have to be hosted on a Certificate Services server). In my test environment I only have one PKI server, so everything will be going on that one box. In more complex environments you may have multiple root and subordinate PKI servers writing to your CRL (you may even have multiple CRLs).

Setup PKI.

I would consider this a ‘post’ certificate services install task, so I’m assuming you already have that installed and configured.

1. Launch the Certification Authority management console > right click the server-name > Properties > Extensions tab.

[Screenshot: PKI Properties]

2. With CRL selected > Add > type into the location http://crl.{your-domain-name}.{your-domain-extension}/crld

Note: You can use https:// but you may need to add a certificate in IIS manager and select ‘require TLS’ for the crld virtual directory.

[Screenshot: 2012 CRL Setup]

3. In the variable section, select then ‘Insert’ the following onto the end of the URL:

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

Finally end the URL with .crl > OK.


4. With the CRL entry you have just created selected > enable the following two options;

  • Include in CRLs. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issued certificates.

Apply > OK > Yes.

[Screenshot: Delta CRL]

5. Change the 'Select extension' drop-down to 'CRL Distribution Point (CDP)' > Add > type in a UNC path as follows: \\{Server-name}\crldist$ > then select and insert the variables onto the end of the path (like you did above);

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

And then (as above) add .crl onto the end of the path > OK.

[Screenshot: CRL Distribution Point]

6. With the CDP selected > select the following options;

  • Publish CRLs to this location
  • Publish Delta CRLs to this location

Apply > OK > Yes.

[Screenshot: Publish CRL Windows 2012]

Windows DNS Requirements for CRL

7. So that your clients can resolve the name of the CRL location you have just created, add it to DNS. On your DNS server open the DNS management console > expand server-name > Forward Lookup Zones > {your-domain-name} > right click > New Host (A or AAAA) > name crl > IP address = the IP address of the IIS server that will host the CRL > Add Host > close DNS Manager.

[Screenshot: DNS entry for CRL]

Windows IIS Requirements for CRL

8. On the web server, open the Internet Information Services (IIS) Manager console > expand and select your server-name > right click > Add Virtual Directory > set the alias to CRLD.

Note: in IIS, URLs are not case sensitive.

[Screenshot: CRL Virtual Directory in IIS]

9. Under 'Physical path' select the browse button > select the C: drive (or another drive if you wish) > Make New Folder > call the folder CRLDist > OK > OK.

[Screenshot: CRL Folder]

10. Select server-name > Directory Browsing.

Note: If you are serving other services from this web server, you might wish to only set directory browsing on the CRLD virtual directory.

[Screenshot: IIS 2012 Directory Browsing]

11. Enable.

[Screenshot: Enable Web Directory Browsing in IIS8]

12. Select the CRLD directory (click refresh if you can't see it) > Configuration Editor.

[Screenshot: IIS Configuration Editor]

13. Navigate to System.webServer > security > authentication > RequestFiltering.

[Screenshot: Edit Virtual Directory]

14. Change allowDoubleEscaping to ‘True’ > Apply.


Windows Folder Permission Requirements for CRL

15. Navigate to the folder you just created (i.e. C:\CRLDist) > right click > Properties > Sharing > Advanced Sharing > select 'Share this folder' > add a dollar symbol to the end of its name, i.e. CRLDist$.

Note: This simply creates a ‘hidden’ share that cannot be seen when browsing the server shares.

[Screenshot: CRL Share]

16. Permissions > Object Types > Add in Computers > OK > Enter the name of the server(s) that need to write to the CRL > OK.

[Screenshot: CRL Share Permissions]

17. Grant the Full Control permission to the server(s) you just added > Apply > OK.

[Screenshot: Server Permissions for CRL]

18. Back at the Certificate Services server > launch the Certification Authority management console > Revoked Certificates > right click > All Tasks > Publish > New CRL > OK.

[Screenshot: Publish a CRL IIS8]

19. If you check the folder you created earlier, you will see it now contains the CRL files.

[Screenshot: CRL Files]
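Steps 1 to 19 above as a script, plus a download check from the client side. This is an added example, not code from the original guide; it uses the ADCSAdministration, WebAdministration and DnsServer modules, assumes the CA, IIS and DNS all live on one box as in the guide's test environment, and the domain, server name and IP address are constructed.

```powershell
# Added example, not from the original guide. Scripts steps 1-19 above: the two CRL
# locations on the CA (HTTP CDP for clients, UNC path the CA publishes to), the DNS
# record, the CRLD virtual directory with directory browsing and allowDoubleEscaping,
# the hidden CRLDist$ share, publishing, and a download check. Domain, IP and server
# name are constructed. Run elevated on the box hosting CA, IIS and DNS (one server here,
# as in the guide); split the DNS/IIS/share parts out if yours are separate.

Import-Module ADCSAdministration, WebAdministration, DnsServer

$domain = 'testbench.local'; $caHost = 'CASERVER'; $webIp = '10.0.0.5'   # constructed
$crlPath   = 'C:\CRLDist'
$caAccount = "$env:USERDOMAIN\$caHost" + '$'     # CA computer account, e.g. TESTBENCH\CASERVER$

# Steps 2-4: HTTP location. -AddToFreshestCrl = "Include in CRLs. Clients use this to find
# Delta CRL locations"; -AddToCertificateCdp = "Include in the CDP extension of issued certificates".
Add-CACrlDistributionPoint -Uri "http://crl.$domain/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToFreshestCrl -AddToCertificateCdp -Force
# Steps 5-6: UNC location the CA writes CRL and delta CRL files to.
Add-CACrlDistributionPoint -Uri "\\$caHost\crldist$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -PublishToServer -PublishDeltaToServer -Force

# Step 7: crl.<domain> A record (add -ComputerName for a remote DNS server).
Add-DnsServerResourceRecordA -ZoneName $domain -Name 'crl' -IPv4Address $webIp

# Steps 8-14: CRLD virtual directory, directory browsing, double escaping (delta CRL names contain '+').
New-Item -ItemType Directory -Path $crlPath -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $crlPath
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CRLD' `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CRLD' `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true

# Steps 15-17: hidden share with Full Control for the CA computer account. The share
# permission alone is not enough; the NTFS ACL must also let the CA write the files.
New-SmbShare -Name 'CRLDist$' -Path $crlPath -FullAccess $caAccount
icacls $crlPath /grant "${caAccount}:(OI)(CI)F" | Out-Null

# Step 18: restart so the new CDP settings apply, then publish a new CRL.
Restart-Service -Name certsvc
certutil -CRL | Out-Null

function Test-CrlPublication {
    # Step 19 plus a client-side check: CRL files exist in the folder, and the HTTP CDP
    # serves a CRL that certutil can parse; NextUpdate is reported for a freshness check.
    param([string]$Folder, [string]$Url)
    $files = Get-ChildItem -Path $Folder -Filter '*.crl'
    $tmp   = Join-Path $env:TEMP 'cdp-check.crl'
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
    $dump  = certutil -dump $tmp 2>&1 | Out-String
    [pscustomobject]@{
        FilesPublished = $files.Count
        Parsed         = ($LASTEXITCODE -eq 0)
        NextUpdate     = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
    }
}
# The CA's sanitized name (the <CaName> token) is the CertSvc "Active" registry value.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
Test-CrlPublication -Folder $crlPath -Url "http://crl.$domain/crld/$caName.crl"
```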

"Http error 500.0 – internal server error" error message when generating the NDES enrollment challenge password on an NDES server that is running Windows Server 2012

Content provided by Microsoft

Applies to: Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard


Assume that you install the Network Device Enrollment Service (NDES) role service on a server that is running Windows Server 2012. In this scenario, you receive the following error when trying to get the NDES enrollment challenge password:

Http error 500.0 – internal server error.
the page cannot be displayed because an internal server error has occurred.

Additionally, an event that resembles the following is logged on the server on which the NDES role service is installed:

Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Date: date time
Event ID: 2
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computer name
The Network Device Enrollment Service cannot be started (0x800700ea). More data is available.


A workaround for this issue is to change the order of the handlers for the Microsoft Simple Certificate Enrollment Protocol (MSCEP) applications in IIS so that the ExtensionlessUrlHandler-ISAPI-4.0_64bit handler comes after the StaticFile handler. To do so, you can follow the steps below:

1) Install and configure NDES (and CEP/CES).
2) Open IIS.
3) Select “Default Web Site”.
4) Click “View Applications” in the action panel on the right.
5) Double click the mscep application.
6) Double click “Handler Mappings”.
7) Click “View Ordered List…” in the action panel.
8) Select ExtensionlessUrlHandler-ISAPI-4.0_64bit and move it down so it is below StaticFile.
9) Repeat steps 6-8 for the mscep_admin application.
10) Restart IIS.
