SCEP and NDES, A Brief History

SCEP vs. NDES. What are they and how are they related?

Simple Certificate Enrollment Protocol (SCEP) and is designated as RFC 8894 is an enrollment method to allow a device to generate a certificate request and automatically submit it to a CA. It can also support certificate revocation and CRL lookups. SCEP was originally designed by Cisco and Verisign and can work for most non-Windows devices. NDES (Network Device Enrollment Service) is Microsoft’s implementation of the SCEP protocol.

As per the Original Internet Draft published in 2000, “The goal of SCEP is to support the secure issuance of certificates to network devices in a scalable manner, using existing technology whenever possible. The protocol supports the following operations:

CA and RA public key distribution

Certificate enrollment

Certificate revocation

Certificate query

CRL query

Although Cisco stopped working on SCEP in 2010, the protocol continued to be used in the industry. In 2015, Peter Gutmann submitted an updated version of the Internet draft. Per the abstract, “SCEP makes extensive use of Cryptographic Message Syntax [RFC5652] and PKCS #10 [RFC2986], Certification Request Syntax Specification.

Gutmann’s abstract also cites: “SCEP is the evolution of the enrolment protocol sponsored by Cisco Systems, which now enjoys wide support in both client and server implementations, as well as being relied upon by numerous other industry standards that work with certificates”.

NDES – Microsoft’s Implementation Of the SCEP Protocol

Based on HTTP, NDES is used to enroll non-AD joined devices and appliances, switches and routers, VOIP solutions, embedded OS, and Linux. In most environments, NDES is deployed in conjunction with Mobile Device Management(MDM) implementations such as AirWatch, MobileIron, and Microsoft Intune to facilitate MDM based certificate enrollment and provisioning.

NDES is not the first implementation of SCEP for Microsoft CAs. SCEP was originally provided in the Windows Server Resource Kit in Windows Server 2000 and Server 2003. It was originally named Microsoft Simple Certificate Enrollment Protocol (MSCEP). In fact, many of the NDES product registry keys and configuration properties still reference the MSCEP name. MSCEP was renamed NDES and was included in the Windows Server OS as an optional feature starting with Windows Server 2008.

There are several changes in features in NDES that were not available in previous Microsoft implementations of SCEP:

• Designate Certificate Templates   Previous versions of SCEP did not allow you to configure certificate templates for each request type.
• Certificate Renewal   NDES now supports renewing the service certificates.
• Allow SCEP to be installed on a computer other than a CA   Previous versions of Microsoft SCEP required that the SCEP service be installed on an existing CA.
• New default signing algorithm   Previous versions of Microsoft SCEP used MD5 as the default hash algorithm. NDES now uses SHA1 as the default but allows you to revert to MD5 through a registry change.
• Service credentials   NDES can now run with a dedicated service account or the Network Service account rather than using the Local System account.
• Request size limit   NDES limits the request size to 64 KB to prevent buffer overflow attacks.

This covers the brief history of SCEP and NDES.

Want to learn more about setting up NDES with MS Intune. Join our webinar

Common and Risky Microsoft Intune misconfigurations and how to fix them

Resources:
https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Network-Device-Enrollment-Service-NDES#:~:text=NDES%20is%20a%20function%20of,usually%20a%20dedicated%20CA%20server.

https://datatracker.ietf.org/doc/html/draft-nourse-scep-00

https://datatracker.ietf.org/doc/draft-gutmann-scep/00/