Cisco FTD SCEP enrollment via AD CA NDES Server

I recently had a client that set up a CA and an NDES server. They wanted their FTDs to auto-enroll for certificates from the AD CA.

They had followed this PeteNetLive article to get NDES and the AD CA set up. I won’t rewrite that article, I’ll just link to it.

Essentially all you need is a domain-joined server: install the CA role, then install NDES on it, then run through the wizard. You will need a regular service account added to a local IIS group, but that’s easy.

Here is everything that’s needed from the FMC and FTD perspective (after you get NDES set up):

Make sure the FTD, FMC, NDES and CA servers all have the same time. Configure your FMC to get time from the PDC emulator DC, and the FTDs to sync time from the FMC.

FTD: Devices | platform settings | time synch | via NTP from Management Center


FMC: System | configuration | time synch


Finally, domain-joined CA servers will sync their time from the PDC emulator by default.

Also, make sure to allow the connection through Windows Firewall on the NDES server (in the lab I turn it off).

Get the challenge password from “http://serverip/certsrv/mscep_admin”.

Configure an enrollment object via FMC | Objects | Object Management | PKI | Cert Enrollment.

Click Add Cert Enrollment and fill it out as follows: paste the challenge password from the NDES web page, and LEAVE THE FINGERPRINT OUT, as I’ve seen it cause issues multiple times. I chose to add the NDES server by IP, because using DNS requires configuring DNS on the FTD through FlexConfig. The enrollment URL is “http://serverip/certsrv/mscep/mscep.dll”.

Continue through the rest of the enrollment object settings.

The key can be named whatever you want. Stick to RSA with a 2048-bit key.

I leave this at the default, but you can tick the box to enable CRL checking in production.

Finally, go to Devices | Certificates.

Click Add Certificate and select the FTD and the enrollment object.

Mine took a few minutes to load…

Finally, success!


The FTD appliance automatically receives an identity cert; I believe it’s just a web server or computer cert. You never have to specify the cert for the FTD.

Troubleshooting: if you get any errors, verify the time, hostname resolution (if using DNS), and that the firewall ports are open on the NDES server. Also, if you get an error, you can hover over the “X” and it will tell you what the error is.
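Those three checks (time, name resolution, and reachability of the NDES URL) can be run from any host on the management network before touching the FMC. The script below is an added example, not code from the original post: it resolves the NDES address, fetches the SCEP GetCACaps response from the same mscep.dll path the enrollment object uses, and compares the server’s HTTP Date header with the local clock. The NDES address and the sample GetCACaps body are placeholders I constructed.

```python
"""Pre-flight checks for FTD SCEP enrollment against NDES (added example, not the post's code)."""
import socket
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Same path the FMC enrollment object points at; the server address is a placeholder.
SCEP_PATH = "/certsrv/mscep/mscep.dll"
# Constructed sample GetCACaps body (one capability per line); real NDES output varies.
SAMPLE_CACAPS = "AES\nPOSTPKIOperation\nSHA-256\nGetNextCACert\n"

def scep_url(server, operation):
    """Build the SCEP URL for an operation such as GetCACaps or GetCACert."""
    return f"http://{server}{SCEP_PATH}?operation={operation}"

def parse_cacaps(body):
    """Turn a GetCACaps response into a set of capability names."""
    return {line.strip() for line in body.splitlines() if line.strip()}

def clock_skew_seconds(date_header, now=None):
    """Seconds between the server's HTTP Date header and our clock (the time check)."""
    server_time = parsedate_to_datetime(date_header)
    now = now or datetime.now(timezone.utc)
    return abs((now - server_time).total_seconds())

def resolves(name):
    """True if the NDES hostname or IP literal resolves (the DNS check)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def check_ndes(server, max_skew=300, timeout=5):
    """Query GetCACaps and report resolution, reachability, capabilities and clock skew."""
    result = {"resolves": resolves(server), "reachable": False}
    if not result["resolves"]:
        return result
    try:
        with urllib.request.urlopen(scep_url(server, "GetCACaps"), timeout=timeout) as resp:
            caps = parse_cacaps(resp.read().decode("ascii", "replace"))
            skew = clock_skew_seconds(resp.headers["Date"])
    except OSError as exc:  # URLError/timeouts: usually a firewall block or NDES not listening
        result["error"] = str(exc)
        return result
    result.update(reachable=True, caps=sorted(caps), skew_seconds=skew,
                  time_ok=skew <= max_skew)
    return result
```

Call `check_ndes("serverip")` with your NDES address; a result with `reachable` False and an `error` points at the firewall or IIS, and `time_ok` False points at the clocks.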
