I recently had a client that setup a CA and NDES server. They wanted to have their FTDs auto-enroll in the AD CA certs.
Essentially all you need is a Domain joined server, install CA role, then install NDES on it, then run through wizard. You will need a regular service account added to a local IIS group, but that’s easy.
Here is all that’s needed from FMC and FTD perspective (after you get NDES setup)…
Make sure the FTD, FMC, NDES and CA servers all have the same time. You should configure your FMC to get time from the PDC emulator DC, and the FTDs to sync time from the FMC.
FTD: Devices | platform settings | time synch | via NTP from Management Center
FMC: System | configuration | time synch
Finally the CA servers if domain joined will auto-enroll in time from the PDC emulator by default.
Also, make sure to also the connection through Windows Firewall. (in the lab I turn it off)
Get the challenege password from “http://serverip/certsrv/mscep_admin
Configure an enrollment object via the FMC | Objects | Object Management | PKI | cert enrollment
Click Add Cert Enrollment and fill it out just like the following, paste the challenge password from the NDES webpage, LEAVE THE FINGERPRINT OUT as I’ve seen it cause issues multiple times. I choose to add NDES server by IP as DNS requires configuring FLEX CONFIG for dns. The URL is “http://serverip/certsrv/mscep/mscep.dll”
Follow the below.
The key can be named whatever you want. Stick to 2048 and RSA.
I leave this at default but you can check to enable the CRL in production.
Finally now we need to go to Devices | certificates
Add certificate and select the FTD and the enrollment object.
Mine took a few minutes to load…
The FTD appliance automatically loads an identity cert, I believe it’s just a webserver or computer cert. You never have to specify the cert for the FTD.
Troubleshooting: If you have any errors verify time, hostname resolution if using dns, firewall ports are open on NDES server. Also if you get an error you can hover over the “X” and it will tell you what the error is.