Disclaimer: this article covers the basics of setting up a SCEP server for use by Mobile Management. It is not intended as a best practice guide for every environment. Please see detailed Microsoft documentation, such as the Microsoft SCEP Implementation Whitepaper.
Assuming the system is running Windows Server 2008 R2, is joined to an Active Directory domain, and the domain already has a Certificate Authority available:
- Recommended: Log into the server as the Domain Account you plan on configuring SCEP to use.
- Open the Server Manager and select Roles > Add Roles
- Select the Active Directory Certificate Services role, click Next, and Next again at the AD CS information page.
- Unselect the Certificate Authority role service, select Network Device Enrollment Service, and click Next.
- NDES requires IIS, so accept the defaults for installing IIS to the server.
- Specify the user account NDES will use (required: add it to the local IIS_IUSRS group first), and click Next.
- Select the domain CA on the network, and click Next.
- Optional: Leave the RA settings as they are, fill in the contact information if desired, and click Next.
- Optional: Change the Key character length for both the Signature and Encryption keys to 1024 (this will be needed in the Mobile Management SCEP configuration page), click Next.
- Review the information and click Install.
- Reboot the server if necessary, and log back in as the NDES user account.
- Open RegEdit, navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword, and set its UseSinglePassword value to 1.
- Restart IIS.
- Access the SCEP Server admin page at http://servername/certsrv/mscep_admin/ to view the SCEP challenge password.
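The registry and IIS steps above, as an added PowerShell example that is not part of the original article or of the Mobile Management product: it sets UseSinglePassword, reads the MSCEP password-related values back so the change can be verified and recorded, and restarts IIS. The function names are my own; PasswordMax, PasswordValidity and EnforcePassword are standard NDES registry settings that the script assumes may be absent if they were never configured.

```powershell
# Added example (not from the original article): applies the UseSinglePassword
# registry step, reads the NDES (MSCEP) password settings back, then restarts IIS.
# Run in an elevated PowerShell session on the NDES server.

$MscepRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Set-NdesSinglePassword {
    # Sets ...\MSCEP\UseSinglePassword\UseSinglePassword (DWORD) to 1, as the article does.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1)][int]$Value = 1)

    $keyPath = Join-Path $MscepRoot 'UseSinglePassword'
    if (-not (Test-Path $keyPath)) {
        if ($PSCmdlet.ShouldProcess($keyPath, 'Create registry key')) {
            New-Item -Path $keyPath -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$keyPath\UseSinglePassword", "Set DWORD to $Value")) {
        Set-ItemProperty -Path $keyPath -Name 'UseSinglePassword' -Value $Value -Type DWord
    }
}

function Get-NdesPasswordConfig {
    # Reads the password-related MSCEP values (each lives in a subkey of the same name).
    # A $null property means the subkey or value has never been created (assumption:
    # NDES then uses its built-in default for that setting).
    $result = New-Object PSObject
    foreach ($name in 'UseSinglePassword', 'PasswordMax', 'PasswordValidity', 'EnforcePassword') {
        $keyPath = Join-Path $MscepRoot $name
        $value = $null
        if (Test-Path $keyPath) {
            $value = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        $result | Add-Member -MemberType NoteProperty -Name $name -Value $value
    }
    $result
}

Set-NdesSinglePassword -Value 1
$cfg = Get-NdesPasswordConfig
$cfg | Format-List

if ($cfg.UseSinglePassword -eq 1) {
    # Single-password mode means one static challenge password is shared by every
    # enrollment, so access to /certsrv/mscep_admin/ should be limited to the NDES admins.
    Write-Warning 'UseSinglePassword=1: all SCEP enrollments share one static challenge password.'
}

# The article's next step: restart IIS so NDES reads the new value.
iisreset
```

Run it once with `Set-NdesSinglePassword -WhatIf` first to confirm the key path before changing anything.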