Create the SCEP Certificates

The Keyfactor SCEP server needs one encryption certificate with private key and one signing certificate with private key in the local machine store on the SCEP server. Once you have made the templates available for enrollment, you may go about acquiring certificates using these templates in whatever way is easiest for you.

This step assumes that you are using custom templates created as per Create Custom SCEP Templates (Optional). If you are using the built-in CEP Encryption and Exchange Enrollment Agent (Offline request) certificate templates, you can automatically acquire certificates as part of the configuration process and may skip this step.

To acquire the certificates using the Microsoft certificates MMC:

  1. On the SCEP server, do one of the following:

    • Using the GUI:

      1. Open an empty instance of the Microsoft Management Console (MMC).

      2. Choose File->Add/Remove Snap-in….

      3. In the Available snap-ins column, highlight Certificates and click Add.

      4. In the Certificates snap-in popup, choose the radio button for Computer account, click Next, accept the default of Local computer, and click Finish.

      5. Click OK to close the Add or Remove Snap-ins dialog.

    • Using the command line:

      1. Open a command prompt using the "Run as administrator" option.

      2. Within the command prompt type the following to open the certificates MMC:

        certlm.msc

  2. Drill down to the Personal folder under Certificates, right-click, and choose All Tasks->Request New Certificate….
  3. In the Certificate Enrollment Wizard, click Next.
  4. On the Select Certificate Enrollment Policy page, accept the default and click Next.
  5. On the Request Certificates page, scroll down to locate the Keyfactor SCEP Encryption template, and check the box for the template.

    If the template does not appear in the list, you may need to run a "gpupdate /force" on the SCEP server to pick up the new template or you may need to verify that you granted the SCEP server machine account enroll permissions on the template.
  6. On the Request Certificates page, click the link below the Keyfactor SCEP Encryption template name that says "More information is required to enroll for this certificate…". On the Subject tab of the Certificate Properties dialog, select Common name in the Type dropdown under Subject name, enter a name for the certificate in the Value field, and click the Add button. No specific text is required in the subject name. This name is for your reference and to clarify the purpose of the certificate—e.g. Keyfactor SCEP Server Encryption. Click OK at the bottom of the Certificate Properties dialog.
  7. On the Request Certificates page, click Enroll to enroll for the certificate and Finish when the enrollment is complete.
  8. Repeat steps 5 through 7 using the Keyfactor SCEP Signing template to acquire a second certificate.
  9. In the Certificates MMC, drill down to the Certificates folder under Personal, right-click the Keyfactor SCEP Server Encryption certificate, and choose Open. On the Details tab, locate the Serial number and copy the serial number from the box at the bottom of the dialog to a text file, making note that this is the encryption certificate serial number. Remove any spaces from the serial number so that the serial number string looks something like this:

    69000016e1ffccf7521125122a0000000016e1

    Important:  As displayed in the certificates dialog, the serial number has a narrow leading space that is actually an unprintable control character. If you accidentally copy this character and paste it into the registry setting when you are following the instructions in Installing the SCEP Server, the serial numbers will fail to appear in the Keyfactor SCEP Configuration tool. Be sure to strip off any leading spaces on the copied text.
  10. Repeat step 9 for the Keyfactor SCEP Server Signing certificate.
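As an added example (not part of the Keyfactor documentation), the following PowerShell locates the two enrolled certificates in the local machine store, confirms that each has a private key and has not expired, and returns their serial numbers with no spaces or non-printing characters, so the values can be pasted into the registry without the copy problem described in the Important note. The subject names are assumed to be the ones suggested in step 6; adjust them to whatever you entered.

```powershell
# Added example; assumes the subject names below match what was entered in step 6.
$EncryptionSubject = 'CN=Keyfactor SCEP Server Encryption'
$SigningSubject    = 'CN=Keyfactor SCEP Server Signing'

function Get-CleanSerialNumber {
    param([Parameter(Mandatory)][string]$Serial)
    # Drop whitespace and any non-hex character, which removes the invisible
    # leading character the certificates dialog adds to a copied serial number.
    $clean = ($Serial -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($clean.Length -eq 0 -or ($clean.Length % 2) -ne 0) {
        throw "Serial number '$Serial' did not reduce to a valid hex string."
    }
    return $clean
}

function Get-ScepCertificateSerial {
    param([Parameter(Mandatory)][string]$Subject)
    # Only certificates with a private key are usable by the SCEP server;
    # prefer the one that expires last if several were enrolled.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending
    if (-not $certs) {
        throw "No certificate with subject '$Subject' and a private key in the local machine store."
    }
    $cert = $certs[0]
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) for '$Subject' has expired."
    }
    # .NET exposes SerialNumber as hex; normalise it the same way as pasted values.
    return Get-CleanSerialNumber -Serial $cert.SerialNumber
}

$encSerial  = Get-ScepCertificateSerial -Subject $EncryptionSubject
$signSerial = Get-ScepCertificateSerial -Subject $SigningSubject
"Encryption certificate serial: $encSerial"
"Signing certificate serial:    $signSerial"

# Cleaning a value copied from the dialog. Constructed sample: a non-printing
# leading character followed by the spaced serial number shown in step 9.
$pasted = [char]0x200E + '69 00 00 16 e1 ff cc f7 52 11 25 12 2a 00 00 00 00 16 e1'
"Cleaned pasted serial:         $(Get-CleanSerialNumber -Serial $pasted)"
```

Run it from an elevated prompt on the SCEP server so the local machine store is readable; if either lookup throws, the certificate was enrolled into the wrong store or without a private key.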

Once the certificates for SCEP encryption and signing have been acquired, the SCEP server needs to be configured to use these certificates. This is done by changing a couple of registry settings. The registry configuration area for SCEP is created by the SCEP server installation, so the SCEP server will be configured to use the appropriate certificates during the server installation.

Note:  If you encounter an error with a message similar to "Invalid algorithm specified" when enrolling for one or both of your certificates, try setting your template(s) on the Cryptography tab to Requests must use one of the following providers and select the two Microsoft Enhanced... providers.