The Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services runs on
This tool is not installed by the Windows Server 2003 Resource Kit Setup. To install it, use the following procedure:
You must install the SCEP Add-on for Certificate Services on a certification authority (CA). Both enterprise CAs and stand-alone CAs are supported. You can install the SCEP Add-on for Certificate Services on a root or subordinate CA.
If you are using Cisco routers to enroll for certificates, they must be running Cisco IOS Release 12.2(6) or later.
When using a standalone CA, the CA should be in a separate certification hierarchy from all other CAs in your organization. This helps prevent any unintended trust of SCEP clients.
You must have proper administrative privileges to install the SCEP Add-on for Certificate Services. By default, you need to be a member of the Enterprise Administrators group and the root Domain Administrators group to install this add-on on an enterprise CA, or you need to be a member of the local computer's administrators group to install this add-on on a standalone CA.
The SCEP Add-on for Certificate Services cannot be installed on a CA that has any non-alphanumeric characters (&,*, :, ;, ', ", etc.) in its name.
The SCEP Add-on can be configured to connect to the CA for certificate enrollment as either the local system account or a specified user account. When using a user account, the account must be a member of the IIS_WPG security group and have Read and Enroll permission for the IPSec (Offline request) certificate template. If the CA is an enterprise CA, the user account must be an Active Directory user account, and additional configuration steps are required. For more information, see the documentation for the SCEP Add-on for Certificate Services in the Windows Server 2003 Resource Kit documentation.
The CA that issues the SCEP certificate must publish its certificate revocation list (CRL) to an HTTP URL that the router can contact: the router retrieves the CRL only from an HTTP location when it verifies the revocation status of a certificate. In addition, that HTTP URL must be included as a CRL Distribution Point (CDP) in the issued certificate, because the router locates the CRL through the certificate's CDP extension.
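The following PowerShell session, run on the CA itself, carries out the service-account and CRL prerequisites above from the command line. It is an added example and not part of the Resource Kit documentation. The account name and the forest DN are placeholders; the template's directory name (IPSECIntermediateOffline) and the CRLPublicationURLs flag values are as documented for certutil, but confirm them on your CA with certutil -template and certutil -getreg CA\CRLPublicationURLs before relying on them. The same certutil, net and dsacls commands can be typed at a cmd.exe prompt if PowerShell is not installed.

```powershell
# Added example; not from the SCEP Add-on documentation.
# Placeholders: EXAMPLE\svc-scep (service account), DC=example,DC=com (forest root).
$account = 'EXAMPLE\svc-scep'

# 1. The service account must be a member of the local IIS_WPG group.
net localgroup IIS_WPG $account /add

# 2. Enterprise CA only: grant Read (GR) and the Enroll extended right on the
#    IPSec (Offline request) template. Its object CN is assumed to be
#    IPSECIntermediateOffline; verify with: certutil -template
$templateDn = 'CN=IPSECIntermediateOffline,CN=Certificate Templates,' +
              'CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com'
dsacls $templateDn /G "${account}:GR"
dsacls $templateDn /G "${account}:CA;Enroll"

# 3. Publish the CRL to an HTTP URL and put that URL in the CDP extension of
#    issued certificates. CRLPublicationURLs entries are "<flags>:<URL>" where
#      1  = publish CRLs to this location
#      2  = include in the CDP extension of issued certificates
#      4  = include in CRLs (clients use it to find delta CRLs)
#      64 = publish delta CRLs to this location
#    Keep the default local file entry (65) so the CA keeps writing the CRL into
#    the directory that IIS serves as /CertEnroll; add an HTTP entry with 2+4 = 6.
#    %1 expands to the CA server's DNS name, %3 to the CA name, %8/%9 to the
#    CRL and delta-CRL suffixes. '%' is not special to PowerShell, so no escaping.
$localEntry = "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
$httpEntry  = '6:http://%1/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CRLPublicationURLs "$localEntry\n$httpEntry"

# The CA reads the setting at startup; restart it, then publish a CRL so the
# HTTP location actually contains a file before any router tries to fetch it.
Restart-Service CertSvc
certutil -crl
certutil -getreg CA\CRLPublicationURLs
```

The HTTP entry has only flags 2 and 4, not 1: the file is written once, to the local path, and the HTTP URL simply names where IIS serves that same file. If the routers cannot resolve the CA's DNS name, replace %1 with a host name they can reach; the URL written into issued certificates is what the router will use, so a wrong host name shows up later as a revocation-check failure, not at enrollment time.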
Log on with the appropriate administrative privileges to the server on which the CA is installed.
Click Start, click Run, then type drive:\cepsetup.exe, where drive is the CD-ROM drive where the Windows Server 2003 Resource Kit CD is located or the disk drive to which you have downloaded cepsetup.exe. This starts the SCEP Add-on for Certificate Services Setup wizard.
In the SCEP Add-on for Certificate Services Setup wizard:
Select whether SCEP will operate in the context of the local system account or a specific service account. If the service account option is selected, you must provide the account information for the account that SCEP will use to enroll for certificates.
Select whether or not you want to require a challenge phrase for router certificate enrollment. For guidelines on challenge phrases, see Notes.
Enter information about who is enrolling for the Registration Authority (RA) certificate, which will later allow certificates to be requested from the CA on behalf of the router.
(Optional) Select Advanced Enrollment Options if you want to specify the cryptographic service provider (CSP) and key lengths for the RA signature and encryption keys.
The URL http://URLHostName/certsrv/mscep/mscep.dll is displayed when the wizard finishes and confirms a successful installation. URLHostName is the name of the CA.
Extensive documentation for enrolling and installing a certificate on a Cisco router is available on the Cisco Systems Web site. Because the procedure may vary by equipment and IOS release, searching on your Cisco model name/number and the terms microsoft scep should locate the procedure for your router.
During the enrollment process, you will need to use Internet Explorer to connect to the CA to retrieve the CA's certificate fingerprint and retrieve a valid challenge password. This is done by connecting to the URL: http://URLHostName/certsrv/mscep/mscep.dll. URLHostName is the name of the CA.
The challenge password is an important component of certificate enrollment. There are several important facts to consider when using this password:
Every time you connect to the SCEP URL, a different challenge password is displayed. Each challenge password is valid for 60 minutes and can be used once.
The password displayed is both the challenge password for certificate enrollment and the password for certificate revocation. Record this password in case you need to revoke the certificate.
If you connect to the URL above and do not see a challenge password displayed, then the SCEP Add-on was not configured to require a challenge password. In this case, you can make up a password of your own choosing. This password will be used for certificate revocation only.
You should require a challenge phrase when installing the SCEP Add-on. If you do not, any client that can reach the SCEP URL can enroll for an IPSec (Offline request) certificate, because nothing else authenticates the enrollment request.
You should use Internet Explorer on a
If Internet Explorer is configured to use a proxy server, make sure that the Bypass proxy server for local addresses check box is selected in the Tools, Internet Options, Connections, LAN Settings dialog box in Internet Explorer.
The SCEP Add-on relies on the Certification Authority Web pages to work correctly. If the Web pages are not installed or if Internet Information Services (IIS) is not configured correctly, SCEP will fail. For information about configuring Certification Authority Web pages, see To set up certification authority Web enrollment support
To issue or deny a pending certificate request on a stand-alone CA, see Review pending certificate requests in
To revoke a certificate and publish a CRL, see Revoke an issued certificate and Manually publish the certificate revocation list in
To identify issues during MSCEP installation, configuration, or operation, review entries in Event Viewer.
If you are issuing certificates to routers from a CA, you may want to view all issued certificates with the unstructured Name, unstructured Address, and serialNumber columns. To add these columns to the MMC view, see Customize the display of columns in Certification Authority in
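As an added example (not from the Resource Kit documentation), the commands below carry out the review, verification and revocation tasks in these notes from a PowerShell prompt on the CA using certutil instead of the MMC. router.cer and the serial number are constructed placeholders. The database column names are the ones certutil -schema reports on a Windows Server 2003 CA; confirm them with that command before scripting against them.

```powershell
# Added example; not from the SCEP Add-on documentation.
# router.cer and the serial number below are constructed placeholders.

# Confirm the column names for the router-identifying subject attributes
# (unstructured Name, unstructured Address, serialNumber) in the CA database.
certutil -schema | Select-String -Pattern 'UnstructuredName|UnstructuredAddress|DeviceSerialNumber'

# List issued certificates (Disposition 20 = issued; 21 = revoked; 9 = pending)
# with those columns, which is the certutil equivalent of the MMC column view.
certutil -view -restrict "Disposition=20" `
    -out "RequestID,SerialNumber,UnstructuredName,UnstructuredAddress,DeviceSerialNumber,NotAfter"

# Pending requests on a stand-alone CA: list them, then issue or deny by RequestID.
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,UnstructuredName"
certutil -resubmit 12      # issue request 12 (placeholder ID)
certutil -deny 13          # deny request 13 (placeholder ID)

# Verify an issued router certificate the way a relying party would: -urlfetch
# follows the CDP URLs embedded in the certificate and reports each fetch, so an
# HTTP CDP that the CA cannot serve shows up here before a router hits it.
certutil -verify -urlfetch .\router.cer

# Revoke by certificate serial number (hex) with RFC 5280 reason code 1
# (keyCompromise), then publish a new CRL so the HTTP CDP reflects the change.
certutil -revoke 61a2f8b3000000000004 1
certutil -crl

# Event Viewer from the command line: recent Application log entries from the CA.
Get-EventLog -LogName Application -Newest 50 | Where-Object { $_.Source -like 'Cert*' }
```

certutil -verify -urlfetch is the useful check after any CDP change: it reports "Verified" or an error per URL for the CDP and AIA locations found in the certificate, which is exactly what the router will try to fetch. Run it against a certificate issued after the change, since certificates issued earlier still carry the old CDP extension.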
Additional documentation for the SCEP Add-on for Certificate Services is located in the Windows Server 2003 Resource Kit documentation.