Afaria – Test NDES certificate template

The easiest way to test SCEP with Afaria is to make use of the delivered ServerSCEPtest application. This application comes with Afaria's PackageServer component and can be found in the bin directory of the package server.

The test application is a Windows executable that executes the SCEP process through Afaria. You have two options available for the test:

  1. Provisioning Server
  2. Package Server

I am going to execute the SCEP/NDES test using the package server. This is the Afaria component used by all clients to receive a client certificate for apps.

To run the test, at least the common name must be filled in. This is the CN= part of the certificate subject; normally it is your user ID. Unfortunately, the test tool is limited to a 2048 bit key (Afaria SP8) and does not let you select higher or custom values. To run the test, click the Perform Test button. The additional CSR information such as city and organization is taken from the package server configuration; these values are set by the Afaria admin.

The status of the SCEP process is shown in the log area. You can see that the CSR is created and sent to the package server CA. After the test has run without errors, the returned certificate is saved to C:\ProgramData\SAP\Afaria.

To see and validate the values of the new certificate, you can use the Crypto Shell Extensions of Windows Server.

The certificate was issued by the CA named CA. The lifetime is one year, and the template is AfariaUser. This matches exactly how the NDES template was configured.

To be 100% sure, the CA itself can be consulted: normally, all issued certificates are stored there. Looking at the issued certificate list, I can see that a new certificate was issued for the NDES user using the template AfariaUser. Therefore, the new NDES configuration is validated and working.
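The same three checks (issuer, lifetime, template) can be scripted against the certificate file that ServerSCEPtest saved. This is an added example, not part of the original post or of Afaria; it assumes PowerShell 3.0 or later, that the certificate was saved as a .cer file in C:\ProgramData\SAP\Afaria as stated above, and that the expected template is AfariaUser with a one-year lifetime.

```powershell
# Added example, not part of the original post or of Afaria: inspect the certificate
# that ServerSCEPtest saved and check issuer, lifetime and template against what the
# NDES template is supposed to deliver. Assumptions: PowerShell 3.0 or later, a .cer
# file in C:\ProgramData\SAP\Afaria, expected template AfariaUser, one-year lifetime.
$CertDir          = 'C:\ProgramData\SAP\Afaria'
$ExpectedTemplate = 'AfariaUser'
$ExpectedDays     = 365

# Extensions in which a Microsoft CA records the template used for issuance
$TemplateOids = @(
    '1.3.6.1.4.1.311.20.2',   # Certificate Template Name (v1 templates)
    '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2 and later: OID + version)
)

function Test-IssuedCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Format() renders the template name if this machine can resolve the template in AD,
    # otherwise only the template OID; in that case compare against the OID shown by the CA.
    $tplText = ($cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join '; '
    if (-not $tplText) { $tplText = '<no template extension>' }

    $lifetimeDays = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)

    [pscustomobject]@{
        File         = Split-Path -Leaf $Path
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        LifetimeDays = $lifetimeDays
        Template     = $tplText
        TemplateOk   = $tplText -like "*$ExpectedTemplate*"
        LifetimeOk   = [math]::Abs($lifetimeDays - $ExpectedDays) -le 1
    }
}

Get-ChildItem -Path $CertDir -Filter '*.cer' -File |
    ForEach-Object { Test-IssuedCertificate -Path $_.FullName } |
    Format-List
```

A certificate that still shows IPSECIntermediateOffline in the Template field, or a LifetimeDays near 730, means NDES is still handing out the Microsoft default and the registry change has not taken effect.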

Afaria – Define certificate template for SCEP on Windows CA

When you work with Afaria, you'll sooner (iOS) or later (Android, WP) come in contact with certificates. To be more specific, with device (iOS) and user (all platforms) certificates. To make it as easy as possible to get those certificates onto the devices and to the users, an MDM solution makes use of SCEP. SCEP in the Microsoft world is called NDES, and is available with their CA. If you install everything following the official documentation, you'll end up having

  1. A working environment (yeah)
  2. Most probably a certificate issue, as your users and devices get a certificate named IPSec (Offline request).

This default certificate is what Microsoft thinks fulfills most use cases of SCEP (sorry, NDES), and basically they are right. A device or user can use this certificate without problems in most scenarios. Most importantly, users can use it to authenticate themselves against services. It may be that

  • your security area does not like the name
  • the lifetime does not meet the requirement: it's 2 years as given by Microsoft
  • it is missing some functionality
  • wrong algorithm or key length
  • or something else

All of the above points are valid and can rule out the use of the default configuration, which leaves you with the question: how to solve this?

To make Afaria get back from the CA a valid certificate based on a custom template, it only takes two steps:

  1. Create a template
  2. Assign template to NDES (SCEP)

With SCEP, Afaria is only consuming a service offered by the CA. How the CA treats the request depends 100% on the CA. Therefore, no additional configuration is needed on the consuming service, Afaria. As a result, three steps are necessary to make Afaria get back a custom certificate:

  1. Create a certificate template
  2. Assign template to NDES (SCEP)
  3. Test

Microsoft NDES – use custom certificate template

To change the default certificate template NDES is using, it is necessary to change some Windows registry values; there seems to be no GUI tool from Microsoft for this. The procedure for changing these values is given by Microsoft [1],[2]. To do so, open the registry editor and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP

Under this node, the registry values can be found. By default, the certificate template used by NDES is IPSECIntermediateOffline.

I'll now use the AfariaUser certificate template I created in an earlier blog (you can find it on my site). To switch NDES to the new AfariaUser template, edit all three entries.

Afterwards, the registry key looks like this:

To make the new template effective for new requests, restart IIS (or the CA too, or the whole computer).
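The same change can be made and verified from an elevated PowerShell prompt on the NDES server instead of the registry editor. This is an added example, not part of the original post; it assumes the custom template is named AfariaUser, as in this post.

```powershell
# Added example, not part of the original post: show the three NDES template values,
# set them to the custom template and restart IIS so that new SCEP requests use it.
# Assumptions: run elevated on the NDES server; the custom template's name is AfariaUser.
# The template must also be published on the CA, and the NDES service account needs
# Enroll permission on it, otherwise requests fail after the change.
$MscepKey    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$NewTemplate = 'AfariaUser'

# The three values NDES reads; Microsoft's default for all of them is IPSECIntermediateOffline
$ValueNames = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

function Show-NdesTemplates {
    $props = Get-ItemProperty -Path $MscepKey
    foreach ($name in $ValueNames) {
        '{0,-24} = {1}' -f $name, $props.$name
    }
}

Write-Output 'NDES templates before the change:'
Show-NdesTemplates

foreach ($name in $ValueNames) {
    Set-ItemProperty -Path $MscepKey -Name $name -Value $NewTemplate -Type String
}

Write-Output 'NDES templates after the change:'
Show-NdesTemplates

# NDES reads the values at start-up, so restart IIS (the post names restarting the CA
# or the whole server as alternatives)
iisreset
```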

References

[1] http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Appendix_2_Set_Registry_Keys_to_Default_Values

[2] https://technet.microsoft.com/de-de/library/ff955642(v=ws.10).aspx

Afaria Setup 10.8 – Install Afaria 7 – SCEP Plugin

The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP Plug-in module

This document is about step 8.

SCEP Plug-in module

The last component to be installed is the SCEP plug-in. This module is responsible for requesting certificates on behalf of the user. It will make use of the CA and NDES functionality.

Select the version of the module to be installed. On an x64 architecture, the 64-bit version should be selected.

This starts the SCEP installation wizard.

Database

  • Type: Microsoft SQL Server
  • Server: localhost
  • Database: AfariaDb

Location

Start installation

This ends the installation of SAP Afaria 7.00. A fully functional SAP Afaria environment is now installed and available on the same Windows Server 2008 R2. Be aware that this is a version of Afaria from 2012; the next step is to upgrade it to the latest version available.