Take our FREE 30-Day Trial with no obligation required.

Experience for yourself why MaaS360 is a leader in MDM Solutions.

Divider

Fill out your information below to start.

Your email and personal information are confidential, and will not be sold or rented. See our Privacy Policy for more information.

Loading...
Loading...
Click here to hide

MaaS360 by Fiberlink

Mobile Device Management (MDM)

Ever-evolving technology brings opportunities, but only when managed properly. Read, share and learn how to keep users mobile without compromising the safety of their data. Our MaaS360 experts will post answers to your questions about inventory tracking, patch management, policy configuration and more.

Mobile Device Management (MDM)

Currently, there are:
13133 Views | 5 Replies

Share your thoughts with us,
and get involved!

  • KumarA
    20 posts
    Community Member

    Configure the default template on a Microsoft SCEP server

    20 May 2012 (Last edited: 13 June 2012)

    MaaS360 Cloud Extender has the ability to talk to a PKI Infrastructure to request for Identity Certificates for enrolled iOS devices. 

    The Certificate Sevice Integration involves creating a Certificate Template on the Microsoft SCEP server (the server that runs the NDES service) and setting the new Certicate Template as the default template.

    This article details the steps involved in setting up the default template on the SCEP server.

    This is done via the Windows Registry on the NDES server:

    1. Login to the SCEP server with Administrative credentials.

    2. Open the registry (Start -> Run -> Regedit.exe)

    3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP

     4. Change the values of the following registry keys to the name of the template:

    a. EncryptionTemplate

    b. GeneralPurposeTemplate

    c. SignatureTemplate

    PS: You will need to set these registry keys with the Template Name.

    There is a Template Display Name present as well which should not be used.

    The Template Name will be the name without any spaces.

     

    Restart IIS server. Steps below:

    1. Start a Command Prompt with Admin Privileges on the SCEP server ( Start -> Cmd -> Right Click -> Run As Admin)

    2. Type: iisreset

    Senior Customer Success Manager, MaaS360.

  • SChilkoti
    2 posts
    Community Member

    Re: Configure the default template on a Microsoft SCEP server

    15 January 2013

    I am having issue accessing the Signature and Encryption Template defined in registry Key, my program always reads the template defined in General Purpose Template registry key, even thou my Key Usage value is "Digital signature" i.e. 0x80.

    Any thoughts or any idea will be really appreciated.

    Just out of curiousity, Have you tried accessing the Signature and Encryption Template Registry key with different certificate templates ? as per your screen shot you have defined all the three templates with same value, is there any specific reason or just for blog you have kept the same value.

    as per NDES documentation(briefly following)

    "Service must receive PKCs#7 request containing the Key Usage extension of the enrollment request should be one of following"

    • Key Encipherment(0x20)
    • Digital Signature (0x80)
    • Both(0xa0)

    so, can I have more then 3 templates or registry key?

     

    Thanks in advance !

    ~Surendra

    Tags: ,
  • KumarA
    20 posts
    Community Member

    Re: Configure the default template on a Microsoft SCEP server

    15 January 2013

    Hi Surendra

    From MS documentation: the NDES service looks for the template to use when sending a certificate request to that CA. The template will be based on the KeyUsage extension.

    • 0x80: Uses the template name identified in the “SignatureTemplate” registry key
    • 0x20: Uses the template name identified in the “EncryptionTemplate” registry key.
    • 0xa0: Uses the template name identified in the “GeneralPurposeTemplate” registry key.

    Also, can you confirm the Purpose field on your template under the Request Handling section ? Found this on one of the Technet Blogs here:

    • SignatureTemplate: The private key can only be used for creating a digital signature. In the certificate template configuration, this is denoted by the Purpose, Signature, on the Request Handling tab. 
    • EncryptionTemplate: The private key can be used for encryption. In the certificate template configuration, this is denoted by the Purpose, Encryption, on the Request Handling tab. 
    • GeneralPurposeTemplate: The private key can be used for both encryption and for creating a digital signature. In the certificate template configuration, this is denoted by the Purpose, Signature and encryption, on the Request Handling tab.

    Does that help ?

     

    Regarding setting up different templates for each purpose, I think this is possible, but from our product integration perspective, we just need the one template for all usages.

    Senior Customer Success Manager, MaaS360.

  • SChilkoti
    2 posts
    Community Member

    Re: Configure the default template on a Microsoft SCEP server

    16 January 2013

    Its a good information and I have already scan all the web resources to find the answer and still looking for answer.Being SCEP only support 3 Registry Key, so it is limited to 3 certificate templates per server which I don't want, so SCEP might not be the right solution for me but I still need to resolve the problem I am facing, may be I am missing some server configuration (not sure as of today).

    Thanks for the quick reply and nice blog.

    ~Surendra

     

     

  • limlwl
    3 posts
    Community Member

    Re: Configure the default template on a Microsoft SCEP server

    24 January 2013

    Hello

     

    We are attempting to setup the VPN on demand in the Device profile.

    Just wondering if you have docos on getting the Cloud extender to talk to NDES ?  (And allowing options to be available in the Identity Certificate field under the IOS VPN device configuration profile) 

  • KumarA
    20 posts
    Community Member

    Re: Configure the default template on a Microsoft SCEP server

    24 January 2013

    Hi,

    Please see this post here.

    Senior Customer Success Manager, MaaS360.

  • 13133 Views | 5 Replies

    Get Involved!

    Sign in using one of your existing social accounts.

    ...or manually register for a new account here.

    @MaaS360 on Twitter more...

    • MaaS360 MaaS360 by IBM
      IT Departments are winning big with cost savings from BYOD bit.ly/1zHsLnj
    • MaaS360 MaaS360 by IBM
      TOMORROW: Live webcast - MaaSter Office 365 Management with MaaS360 bit.ly/1x76gIR Secure your spot now!
    • MaaS360 MaaS360 by IBM
      According to new research, IT departments of companies engaging in BYOD are seeing significant cost savings. bit.ly/1zHsLnj

    Most Active Users

    vhetrick
    2014_08_14
    jharrington
    KaylaBittne...
    Joe Pappano
    bcampbell
    Donna Lima
    jwittkopp
    manthony
    KumarA
    Giovanni
    Pragati Cha...
    TRUSTe European Safe Harbor certification TruSaaS
    © Fiberlink Communications Corp. All rights reserved. Privacy Policy
    All brands and their products, featured or referred to within this site, are trademarks or registered trademarks of their respective holders and should be noted as such.