Verifying Microsoft NDES

  1. Log on to the client machine that is not part of the domain.

  2. Download the Microsoft SCEP utility from http://secadmins.com/index.php/ndes-scepwindows-test-tool/ and extract the downloaded file.

  3. Open https://<NDES-serveraddress>/CertSrv/mscep_admin in any browser.

  4. Enter the credentials for NDESAdmin and click OK. The MSCEP Admin page appears, showing the challenge password for device certificate enrollment.

  5. Open a command prompt and change to the directory where you extracted the MS SCEP utility.

  6. Run the following command to generate a certificate request, providing a Common Name and the Challenge Password when prompted by openssl.

Console:

    openssl.exe req -config scep.cnf -new -key priv.key -out output.csr

(Screenshot: Output Window)

  7. Retrieve the CA and RA certificates from your SCEP/NDES server using the following command.

Console:

    sscep.exe getca -u http://<NDES-serveraddress>/CertSrv/mscep/ -c ca.cr

(Screenshot: Output Window)

If you are using Smartcard Authentication, the PIN Pad device prompts you to insert the smartcard and enter the PIN; then press the OK button on the PIN Pad.

  8. Enroll a new certificate, making sure to specify the correct RA (-c flag) and CA (-e flag) certificates, using the command below.

Console:

    sscep.exe enroll -u https://<NDES-serveraddress>/CertSrv/mscep/ -k priv.key -r output.csr -l output.crt -c ca.cr-0 -e ca.cr-1

(Screenshot: Output Window)

Provide the challenge password whenever you are prompted for it. If you are using Smartcard Authentication, the PIN Pad device prompts you to insert the smartcard and enter the PIN; then press the OK button on the PIN Pad.

  9. Open the output.crt file and verify that the certificate is signed by your CA.
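The final check above can be scripted rather than done by eye. The following is an added example, not part of this guide or of the sscep/NDES tooling: it confirms that the enrolled certificate (output.crt) both chains to the CA certificate retrieved with sscep getca (ca.cr-1 in the enroll command above) and names that CA as its issuer. It assumes a POSIX shell with openssl 1.1.1 or later on PATH; the toy PKI it builds for its self-check is constructed and is not the NDES CA.

```shell
#!/bin/sh
# Added example, not part of the original guide or of the sscep/NDES tooling.
# Checks that an enrolled certificate (output.crt in the guide) was really
# issued by the CA certificate retrieved with "sscep getca".
# Assumes a POSIX shell with openssl 1.1.1 or later on PATH.

# verify_issued_cert <ca-cert-file> <issued-cert-file>
# Returns 0 only if the issued cert chains to the CA AND its issuer DN
# equals the CA's subject DN (rejects a cert issued by a different CA).
verify_issued_cert() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    ca_subject=$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject=//')
    cert_issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
    [ "$ca_subject" = "$cert_issuer" ]
}

# make_demo_pki <dir>: constructed toy PKI (two self-signed CAs, one device
# cert) used only to exercise the check offline. This is NOT the NDES CA.
make_demo_pki() {
    d="$1"; mkdir -p "$d"
    # Minimal req config so the demo does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$d/req.cnf"
    for entry in "Demo Issuing CA:ca" "Other CA:other"; do
        cn=${entry%%:*}; f=${entry##*:}
        openssl req -config "$d/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$cn" -keyout "$d/$f.key" -out "$d/$f.pem" 2>/dev/null
    done
    openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=device01" \
        -keyout "$d/device.key" -out "$d/device.csr" 2>/dev/null
    openssl x509 -req -in "$d/device.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/device.crt" 2>/dev/null
}

# run_demo: returns 0 when the genuine CA is accepted and the other CA is
# rejected for the same device certificate.
run_demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    verify_issued_cert "$d/ca.pem" "$d/device.crt" || return 1
    if verify_issued_cert "$d/other.pem" "$d/device.crt"; then return 1; fi
    rm -rf "$d"
}

# On the enrolled client:  verify_issued_cert ca.cr-1 output.crt
# Offline self-check:      sh verify_ndes_cert.sh --demo
if [ "${1:-}" = "--demo" ]; then run_demo; fi
```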

This completes the integration of Microsoft NDES with Utimaco HSM.