Using the Network Device Enrollment Service (NDES) to issue certificates to Cisco devices involves configuring NDES and the router to support Simple Certificate Enrollment Protocol (SCEP), which allows the router to obtain certificates from a Certificate Authority (CA) via NDES.
Duplicate a template on the intermediate CA.
Right-click the “Router” template and duplicate it.
Note: the duplicated template has to be issued by the CA before NDES can use it.
Log into the NDES server and edit the registry.
For simplicity and lab testing only…
Below this is a 32-bit DWORD value called EnforcePassword, which is set to 1 in a default installation. Setting the value to 0 lets devices enroll without the one-time SCEP challenge password, which is why this is suitable for lab testing only.
Restart the IIS service on the NDES server.
Test the URL of the NDES server.
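Besides opening the NDES URL in a browser, the SCEP endpoint itself can be exercised with the GetCACaps and GetCACert operations. The script below is an added example for this write-up (not code from the original post, Microsoft or Cisco); it builds the SCEP query URLs, parses a GetCACaps reply, flags missing or legacy capabilities, and checks that GetCACert answers with the CA+RA chain expected for NDES. The NDES URL is the one used in this write-up; the sample GetCACaps reply is constructed.

```python
"""Probe a SCEP endpoint (NDES in this write-up) with the GetCACaps and
GetCACert operations and check the answers for what a defender wants to see.

Added example for this write-up, not code from the original post, Microsoft or
Cisco. The URL below is the NDES URL used in the post; the sample reply is
constructed.
"""
import urllib.parse
import urllib.request

# The enrollment URL configured on the WLC later in this write-up.
NDES_URL = "http://10.0.206.22:80/certsrv/mscep/mscep.dll"

# GetCACaps keywords (RFC 8894) a modern client should find advertised ...
WANTED_CAPS = ("SHA-256", "AES", "POSTPKIOperation")
# ... and legacy keywords whose presence is worth recording in the change notes.
LEGACY_CAPS = ("SHA-1", "DES3")

# Content types a GetCACert reply may carry (RFC 8894 section 4.2.1).
CACERT_TYPES = {
    "application/x-x509-ca-cert": "single CA certificate",
    "application/x-x509-ca-ra-cert": "CA + RA certificate chain (expected for NDES, enrollment mode ra)",
}


def scep_url(base, operation, message=""):
    """Build a SCEP GET URL of the form <base>?operation=<op>&message=<msg>."""
    return f"{base}?{urllib.parse.urlencode({'operation': operation, 'message': message})}"


def parse_cacaps(body):
    """GetCACaps returns plain text, one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def assess_cacaps(caps):
    """Return (missing_wanted, legacy_present) for a parsed capability set."""
    missing = [c for c in WANTED_CAPS if c not in caps]
    legacy = [c for c in LEGACY_CAPS if c in caps]
    return missing, legacy


def describe_cacert(content_type):
    """Map the GetCACert Content-Type header to what the reply contains."""
    base_type = content_type.split(";")[0].strip().lower()
    return CACERT_TYPES.get(base_type, f"unexpected content type: {content_type}")


def probe(base=NDES_URL, timeout=5):
    """Live check against the NDES server; returns (caps, cacert_description)."""
    with urllib.request.urlopen(scep_url(base, "GetCACaps"), timeout=timeout) as r:
        caps = parse_cacaps(r.read().decode("ascii", "replace"))
    with urllib.request.urlopen(scep_url(base, "GetCACert"), timeout=timeout) as r:
        kind = describe_cacert(r.headers.get("Content-Type", ""))
    return caps, kind


# Constructed GetCACaps reply in the format the server returns (one keyword per line).
SAMPLE_CACAPS = "AES\r\nPOSTPKIOperation\r\nSHA-256\r\nSHA-1\r\nDES3\r\n"

if __name__ == "__main__":
    # Offline run on the constructed reply; call probe() for the live server.
    caps = parse_cacaps(SAMPLE_CACAPS)
    missing, legacy = assess_cacaps(caps)
    print("GetCACaps URL :", scep_url(NDES_URL, "GetCACaps"))
    print("advertised    :", sorted(caps))
    print("missing wanted:", missing or "none", "| legacy offered:", legacy or "none")
    print("GetCACert type:", describe_cacert("application/x-x509-ca-ra-cert"))
```

A missing POSTPKIOperation or SHA-256 means the router will fall back to GET-based, SHA-1 enrollment; a Content-Type other than x-x509-ca-ra-cert usually means the request reached IIS but not the NDES ISAPI filter (for example after the IIS restart above did not take).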
Enroll a Cisco 9800 WLC
1. Define a key pair and trust point
! RSA key pair for the HTTPS server certificate (exportable so it can be backed up)
crypto key generate rsa general-keys modulus 2048 label 9800CL1-HTTPS-KEYPAIR exportable
!
crypto pki trustpoint 9800CL1-HTTPS-TRUSTPOINT
 ! retry the SCEP enrollment request up to 100 times, 60 seconds apart
 enrollment retry count 100
 enrollment retry period 60
 ! NDES acts as a registration authority in front of the CA
 enrollment mode ra
 enrollment url http://10.0.206.22:80/certsrv/mscep/mscep.dll
 ! keep the serial number and IP address out of the subject; identify by FQDN
 serial-number none
 ip-address none
 fqdn 9800CL1.netprojekralac.com
 ! CN must match the fqdn above, otherwise browsers flag a name mismatch
 subject-name CN=9800CL1.netprojekralac.com,OU=Router SCEP,O=NETPROJEKRALAC LLC,ST=NY,C=US
 ! lab only: no CRL/OCSP check of the CA chain
 revocation-check none
 rsakeypair 9800CL1-HTTPS-KEYPAIR
 ! re-enroll automatically after 30% of the certificate lifetime, with a fresh key pair
 auto-enroll 30 regenerate
2. Download the CA’s root certificate
crypto pki authenticate 9800CL1-HTTPS-TRUSTPOINT
3. Verify the CA certificate download
do show crypto pki certificates
4. Enroll the certificate
crypto pki enroll 9800CL1-HTTPS-TRUSTPOINT
do show crypto pki certificates verbose 9800CL1-HTTPS-TRUSTPOINT
5. Assign the trust point to the HTTPS server
ip http secure-trustpoint 9800CL1-HTTPS-TRUSTPOINT
Review the certificate
Access the GUI of the Cisco 9800 WLC and validate the certificate.
Part one can be found here.