HP Device Manager 4.6 - SCEP Tutorial with NDES
Overview
Simple Certificate Enrollment Protocol (SCEP) is the most popular and most tested certificate enrollment protocol that is
widely available. The Network Device Enrollment Service (NDES) is a SCEP server provided by Microsoft. This document
describes how to set up an NDES environment and enroll certificates with HPDM.
This feature is available only on HP ThinPro 4 and higher with an SCEP add-on installed.
For more information about NDES, go to
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx.
NDES setup
Operating system
• Windows Server 2012
• Windows Server 2008 R2
• Windows Server 2008 Service Pack 2
• Windows Server 2008 with the KB959193 hotfix installed (http://support.microsoft.com/kb/959193)
Setup
If you have a valid CA, go to
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Setup
to set up the NDES.
To set up a brand-new NDES environment:
1. Set up a Windows Server system.
2. Open Server Manager.
3. Add the Active Directory Domain Services role.
A. Run the Active Directory Domain Services Installation Wizard (dcpromo.exe) to finish the setup.
4. Create an account for SCEPSvc.
A. Add the SCEPSvc account to the Administrators group.
B. Add the SCEPSvc account to the IIS_IUSRS group.
For more details about the required account permissions, go to
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Permissions_Required_for_the_Network_Device_Enrollment_Service.
C. Log in with the account and create a user profile.
5. Add the Active Directory Certificate Services role.
A. Select Certification Authority as the role service.
6. Add Active Directory Certificate Services – Network Device Enrollment Service to the role service.
A. Set the account for SCEPSvc.
7. Set the NDES to issue certificates automatically.
A. Right-click Server Manager > Roles > Active Directory Certificate Services > <Your CA>, and then select
Properties.
B. Select the Policy Module tab.
C. Click the Properties button.
D. Among the radio buttons, select the option to automatically issue the certificate.
E. Restart Active Directory Certificate Services. The NDES is now available.
A challenge password obtained from the challenge password request URL can be used to issue only one certificate. In some
environments, such as manufacturing, it might be desirable to reuse the same challenge password for more than one device.
For instructions on setting the NDES to reuse the same challenge password, see Reusing a password for multiple devices at
http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Password_and_Password_Cache.