This document describes how to renew two certificates that are used for Simple Certificate Enrollment Protocol (SCEP): Exchange Enrollment Agent and CEP Encryption certificate on Microsoft Active Directory 2012.
Cisco recommends that you have knowledge of these topics:
Basic knowledge of Microsoft Active Directory configuration
Basic knowledge of Public Key Infrastracture (PKI)
Basic knowledge of Identity Services Engine (ISE)
The information in this document is based on these software and hardware versions:
Cisco Identity Services Engine version 2.0
Microsoft Active Directory 2012 R2
Cisco ISE uses SCEP protocol to support personal device registration (BYOD onboarding). When using an external SCEP CA, this CA is defined by a SCEP RA profile on ISE. When a SCEP RA Profile is created, two certificates are automatically added to the Trusted Certificates Store:
CA root certificate,
RA (Registration Authority) certificate which is signed by the CA.
RA is responsible for receiving and validating the request from the registering device, and forwarding it to the CA that issues the client certificate.
When the RA certificate expires, it is not renewed automatically on the CA side (Windows Server 2012 in this example). That should be manually done by the Active Directory/CA administartor.
Here is the example how to achive that on Windows Server 2012 R2.
Initial SCEP certificates visible on ISE:
Assumption is that MSCEP-RA CERTIFICATE is expired and has to be renewed.
Caution: Any changes on Windows Server should be consulted with its administrator first.
1. Identify old private keys
Find privite keys associated with the RA certificates on the Active Directory using certutil tool. After that locate Key Container.
certutil -store MY %COMPUTERNAME%-MSCEP-RA
Please note that if the name of your initial MSCEP-RA certificate is different then it should be adjusted in this request. However, by default it should contain the computer name.
2. Delete old private keys
Delete referring keys manually from the folder below:
3. Delete old MSCEP-RA ceritificates
After deleting the private keys, remove MSCEP-RA ceritificates from the MMC console.
4.2.4: Accept the new certificate by moving it into the Local Computer Personal store:
certreq -accept cisco_ndes_xchg.cer
After completing step 4, two new MSCEP-RA certificates will appear in the Local Computer Personal Store:
Also you can verify the certificates with certutil.exe tool (make sure you use the correct new certificate name). MSCEP-RA certificates with new Common Names and new Serial Numbers should be displayed:
certutil -store MY NEW-MSCEP-RA
6. Restart IIS
Restart Internet Information Services (IIS) server in order to apply the changes:
7. Create new SCEP RA profile
On ISE create a new SCEP RA profile (with the same server URL as the old one), so new certificates are downloaded and added to the Trusted Certificates Store:
8. Modify certificate template
Make sure the new SCEP RA profile is specified in the Certificate template used by BYOD (you can check it in Administration > System > Certificates > Certificate Authority > Certificates Templates):