NDES with a standalone CA

Although generally considered insecure and lacking support for modern cryptography, the Simple Certificate Enrollment Protocol (SCEP) is still a widely used and supported protocol.

Microsoft's implementation of SCEP is the AD CS Network Device Enrollment Service (NDES), and one of the best deployment guides out there is Mark B. Cooper's "Securing and Hardening Network Device Enrollment Service for Microsoft Intune and System Center Configuration Manager" (from March 2015).

Within the NDES configuration recommendations checklist we can find the following:

"Dedicated Server Roles – The NDES service should be installed on a dedicated server. The Issuing CA should also be on its own dedicated server."

which makes a lot of sense but unfortunately is not always possible.

Depending on the use case for the end entity certificates issued via SCEP, in many cases it will make sense to issue them from a standalone CA, to avoid it being trusted in Active Directory. If certain lack of control regarding certificates issued via SCEP is understood as being a risk, and there is no reason for those certificates to be trusted across the domain, a standalone CA might be the safest choice.

The choice of a Standalone CA vs. an Enterprise CA comes with strings attached, such as e.g. certificate templates not being available, but a pretty much undocumented side effect is that such a choice also has an impact in the deployment architecture.

Once a standalone CA is deployed on a dedicated server we proceed to install the NDES service on another dedicated server, but when configuring it, as we specify a CA in a remote server within the "CA for NDES" configuration step...


0x8007139f (WIN32: 5023 ERROR_INVALID_STATE)

When using a Standalone CA to issue certificates via SCEP the NDES service must be installed in the same server where the CA is installed.


Comments

  1. Anonymous31 August 2023 at 00:10

    Do you have an AD Infrastructure?

    ReplyDelete
    Replies
    1. denetarik24 October 2023 at 14:48

      AD infrastructure is optional, a standalone CA can be installed on a server member of a domain or a workgroup (without AD).
      The concern highlighted as a reason to choose a standalone CA setup instead of an enterprise (AD integrated) CA is the fact that enterprise CAs are by default trusted across the domain, which is not always the desired outcome.
      The constraint regarding both NDES and CA roles having to be installed on the same server applies regardless of whether the server is a domain member or not.

      Delete
  2. Anonymous31 August 2023 at 10:32

    Hi Do we need a CA templates for the deployment?

    ReplyDelete
    Replies
    1. denetarik24 October 2023 at 14:58

      Standalone CAs don't support templates, that's an enterprise CA feature since templates are stored in AD.
      Templates are therefore not required, the certificate profiles for the NDES service (Registration Authority - RA) certificates are built into the role and will be generated as part of the role configuration without the need for any AD based certificate templates. The outcome is the same as using the "Exchange Enrollment Agent (Offline Request)" and "CEP Encryption" templates in an installation using an enterprise CA.
      The lack of templates does introduce certain level of complexity when it comes to renewing the RA certificates, though, since the requests have to be manually crafted.
      More importantly the lack of templates has an impact on the requests raised via SCEP, since those can't be mapped to a template and constrained accordingly.

      Delete

Post a Comment

Popular posts from this blog

Decoding OCSP GET requests

Many clients default to OCSP requests via HTTP GET, encoding the request details as part of the URL. These kind of requests can be found in the logs: http://ocsp.ekaitza.net/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK%2BGVqszOaLAawQUb38ZjesMwNeYLEzdGvP%2FZi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho%3D As per RFC 6960 , the request is constructed as: GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest} So in order to find out the details of the request we have to: 1. Remove the URL encoding This can be done with different tools, depending on the OS/platform being used.Given the input above: MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK%2BGVqszOaLAawQUb38ZjesMwNeYLEzdGvP%2FZi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho%3D the output would be: MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK+GVqszOaLAawQUb38ZjesMwNeYLEzdGvP/Zi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho= We can then create a text file with it, e.g.:  $ echo "MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK+GVqsz...
Read more

Signing a CSR with an Enrollment Agent certificate

Image
Often certificate templates in AD CS are configured to require a set of authorised signatures for issuance: This is useful e.g. when issuance approval is delegated to a component outside of AD CS roles, such as some CA management or registration authority portal software. Combined with the template security settings this can prevent requests from being raised directly from the CA without going through a custom standard request process, and depending on the level of security required, multiple signatures can be enforced and optionally also additional CA certificate manager approval. In order to produce each of this signatures an "Enrollment Agent" certificate is used, a certificate with the "Certificate Request Agent (1.3.6.1.4.1.311.20.2.1)"  Enhanced Key Usage. Sometimes it is required to raise requests directly towards the CA, e.g. using the RPC/DCOM interface from the command line, but it is not desirable and/or possible to change the template configuration, so t...
Read more

Compacting an AD CS database

Given the healthy trend towards decreasing certificate validity periods, it is very likely that the size of an AD CS Certification Authority database will grow following that same trend. Despite regular maintenance activities including deletion of records such as failed, denied etc. it could be that at some point the CA database reaches a problematic size. Deleting records from an AD CS CA database will internally free up the space previously occupied by those records but will not decrease the size of the database file itself. I.e. new records will reuse the freed up space but the total space used by the database file will not decrease. This helps keeping the database size under control but does not help if the size had already increased over acceptable limits; in this case the database must be compacted. The CA is often a critical resource, so it is recommended to keep various backups of different nature, to try to make sure we can recover it in case something goes wrong. Here a ...
Read more