I wanted to draw some attention to an NDES test tool that I have been using for a while. My thanks to the author (Hasain Alshakarti) of the toolbox and steps as it is one of the few ways that I am aware of to test NDES without access to actual hardware or an MDM solution. I am going to cover the steps to use the tool. I understand that the instructions on the authors website are pretty straight forward and pretty easy to follow. However, I think the screenshots may give you all an idea of what to expect when using the tool.
The tool and instructions for the tool are available here: http://secadmins.com/index.php/ndes-scep-windows-test-tool/.
Once you have downloaded an extract the tool and perform the following steps:
Step 1: Access the mscep_admin site on your web server as a Device Admin. In my example this is http://fcndes01.fourthcoffee.com/certsrv/mscep_admin. Note: My certsrv directory is not protected with TLS. As a best practice it should be protected with TLS.
Step 2: Copy the enrollment challenge password for later use. In my example the password is BA86D09D04DAC557
Step 3: Open a command prompt and navigate to the directory where the tools were extracted
Step 4: Run openssl.exe req -config scep.cnf -new -key priv.key -out test.csr, to generate the reques
Step 5: Enter the Common Name (subject) for the certificate and click Enter
Step 6: Paste or manually enter the enrollment challenge password, then click Enter. In my example it is: BA86D09D04DAC557
Step 7: To retrieve the CA certificate (which is part of the NDES enrollment process), run the following command: sscep.exe getca -u http://<your NDES server DNS Name or IP address here>/certsrv/mscep/ -c ca.crt
The output you receive will look something like this:
Step 8: Run the following command to enroll for the certificate: sscep.exe enroll -u http://<your NDES server DNS Name or IP address here>/certsrv/mscep/> -k priv.key -r test.csr -l test.crt -c ca.crt-0 -e ca.crt-1
Step 9: Verify the pkistatus is Success
You can also open test.crt to verify the result:
In addition you can view the request in the IIS logs of the NDES server:
Thanks to Hasain Alshakarti for putting the toolbox and process to test NDES enrollment.