Cisco FTD SCEP enrollment via AD CA NDES Server

I recently had a client that setup a CA and NDES server. They wanted to have their FTDs auto-enroll in the AD CA certs.

They had followed this PETENETLIVE article to get NDES and AD CA setup. I won’t rewrite this article, I’ll just link to it.

Essentially all you need is a Domain joined server, install CA role, then install NDES on it, then run through wizard. You will need a regular service account added to a local IIS group, but that’s easy.

Here is all that’s needed from FMC and FTD perspective (after you get NDES setup)…

Make sure the FTD, FMC, NDES and CA servers all have the same time.  You should configure your FMC to get time from the PDC emulator DC, and the FTDs to sync time from the FMC.

FTD: Devices | platform settings | time synch | via NTP from Management Center

Screenshot 20180626 200148

FMC: System | configuration | time synch

Finally the CA servers if domain joined will auto-enroll in time from the PDC emulator by default.

Also, make sure to also the connection through Windows Firewall. (in the lab I turn it off)

Get the challenege password from “http://serverip/certsrv/mscep_admin

Configure an enrollment object via the FMC | Objects | Object Management | PKI | cert enrollment

Click Add Cert Enrollment and fill it out just like the following, paste the challenge password from the NDES webpage, LEAVE THE FINGERPRINT OUT as I’ve seen it cause issues multiple times. I choose to add NDES server by IP as DNS requires configuring FLEX CONFIG for dns. The URL is “http://serverip/certsrv/mscep/mscep.dll”

Follow the below.

The key can be named whatever you want. Stick to 2048 and RSA.


I leave this at default but you can check to enable the CRL in production.


Finally now we need to go to Devices | certificates


Add certificate and select the FTD and the enrollment object.

Mine took a few minutes to load…

Finally, success!

The FTD appliance automatically loads an identity cert, I believe it’s just a webserver or computer cert. You never have to specify the cert for the FTD.

Troubleshooting: If you have any errors verify time, hostname resolution if using dns,  firewall ports are open on NDES server. Also if you get an error you can hover over the “X” and it will tell you what the error is.

Leave a comment

Exit mobile version