KB ID 0001181
Problem
I was doing some testing for a client this week. A while ago I had deployed a three tier PKI solution for them, and as part of the rollout we deployed NDES for their network devices (they were going to use certificates to secure site-to-site VPNs). The client was concerned and wanted the auto-renewal process tested, and this could not be done on the live system. So a colleague and I went to the test bench: I built a model of the three tier PKI and then set up NDES, while my colleague did the comms (switches and routers).
When I was ready to go, he could not get any enrolments working with NDES. Troubleshooting NDES is usually a case of looking in Event Viewer, but one check you can always do is browse to;
http://localhost/certsrv/mscep_admin
And I got this;
HTTP Error 500.0 – Internal Server Error
The page cannot be displayed because an internal server error has occurred.
The normal web enrolment site, http://localhost/certsrv, was up and working; the problem was just NDES.
Solution
This took me a while. There are a ton of posts on this that suggest enabling local profiles, logging in as the NDES service user, etc., and none of them fixed the problem.
This was happening to me because when NDES starts, the first thing it does is check its RA (Registration Authority) certificate, and that check includes building its chain and checking revocation. The certificate is in the local computer certificate store if you want to look at it (or you will find it in 'Issued Certificates' on the CA, of course).
Let’s take a look at that cert’s certificate chain;
You can see my three tier PKI solution, from the top, Offline Root > Intermediate CA (Sub CA) > Issuing CA (Sub CA) > My certificate.
But when I took a look in the CRL location the certificate points to (General tab > Certificate Revocation Information), I found the following;
What my clients see via http
For the uninitiated, these are CRL files; the ones with a '+' on the end are delta CRL files (but that's not important here). What is important is that there is no CRL for my offline root CA in there, so revocation checking of the intermediate CA's certificate (whose CDP points at the root's CRL) cannot complete, and the RA certificate fails validation. Luckily I had it on a disk; if you don't, you will have to bring the offline root CA online (turn it on) and get a copy of the CRL. You can normally find it in C:\Windows\System32\CertSrv\CertEnroll. If yours is not there, open the Certification Authority console (certsrv.msc) > Revoked Certificates > All Tasks > Publish. Keep an eye on this CRL's NextUpdate as well: an offline root's CRL is normally issued with a long lifetime, but if it expires before you republish it, revocation checking for the whole chain fails again in exactly the same way.
Simply copy the CRL file into the CRL location;
Then I rebooted the NDES server (I could probably have just restarted certsvc and IIS, but let's be thorough), and the system burst into life.
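The check I now run before (and after) touching the CRL location, as an added example that is not code from the original article: for every certificate in the NDES server's machine store (which is where the RA certificates live) it builds the chain with an online revocation check, then test-downloads every HTTP CRL Distribution Point in that chain and reports the CRL's NextUpdate. A missing or expired root CRL shows up twice, as RevocationStatusUnknown / OfflineRevocation on the intermediate CA element and as a failed download of that element's CDP URL. The script assumes it is run on the NDES server in an elevated Windows PowerShell session and that the CDPs are HTTP (LDAP CDPs are listed but not fetched); the function names are mine.

```powershell
# Added example (not from the original article). Assumes: run as administrator
# on the NDES server; CDP URLs are HTTP. Function names are hypothetical.

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CRL Distribution Points extension (OID 2.5.29.31). .NET Framework has no
    # typed parser for it, so pull the URLs out of the formatted extension text.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), '(?i)\b(https?|ldap)://\S+') |
        ForEach-Object { $_.Value.TrimEnd(')', ',') }
}

function Test-CrlUrl {
    param([string]$Url)
    if ($Url -notmatch '^https?://') { return "skipped (not HTTP): $Url" }
    $tmp = [IO.Path]::GetTempFileName()
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -OutFile $tmp -PassThru
        $bytes = [IO.File]::ReadAllBytes($tmp)
        # A real CRL is DER, so its first byte is 0x30 (SEQUENCE). An HTTP 200
        # that carries an HTML error page or an empty body fails here, just as
        # a 404 does, because a client would reject it too.
        if ($r.StatusCode -ne 200 -or $bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
            return "BAD (HTTP $($r.StatusCode), $($bytes.Length) bytes, not DER): $Url"
        }
        # certutil -dump prints ThisUpdate/NextUpdate for a CRL file; an expired
        # NextUpdate breaks the chain exactly like a missing CRL does.
        $nextLine = certutil -dump $tmp | Select-String 'NextUpdate' | Select-Object -First 1
        $next = if ($nextLine) { $nextLine.Line.Trim() } else { 'NextUpdate not found' }
        return "OK ($($bytes.Length) bytes, $next): $Url"
    } catch {
        return "FAIL ($($_.Exception.Message)): $Url"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    Write-Host "`n== $($cert.Subject)  [$($cert.Thumbprint)]"

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: actually fetch CRLs instead of trusting the local cache, which is
    # what NDES is effectively doing on its first start. ExcludeRoot: the root is
    # self-signed and has no CDP; its CRL is what the *intermediate* element needs.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    if ($chain.Build($cert)) {
        Write-Host "  chain builds and every revocation check passed" -ForegroundColor Green
    } else {
        foreach ($s in $chain.ChainStatus) {
            Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) -ForegroundColor Yellow
        }
    }

    # Walk leaf -> root (ChainElements is populated even for a failed build)
    # and probe each element's CRL Distribution Points.
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        Write-Host "  $($c.Subject)"
        $urls = @(Get-CdpUrl $c)
        if ($urls.Count -eq 0) {
            Write-Host "    (no CDP extension; expected on a self-signed root)"
            continue
        }
        foreach ($u in $urls) { Write-Host "    $(Test-CrlUrl $u)" }
    }
    $chain.Reset()
}
```

Run it once before copying the root CRL into the CRL location and once after: the intermediate CA element's URL should go from FAIL or BAD to OK, and the RA certificate's chain should build. The built-in equivalent for a single exported certificate is certutil -verify -urlfetch <file.cer>, which prints the same per-URL results. If the '+' delta CRL URLs come back BAD while the base CRLs are fine, check IIS request filtering on the CRL site; by default IIS rejects the double-escaped '+' in delta CRL file names unless allowDoubleEscaping is enabled for that site.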
Related Articles, References, Credits, or External Links
Windows Server 2012 – Install and Configure NDES
Cisco – Automatic Re-enrollment Fails to MSCEP/NDES
Cisco ASA – Enrolling for Certificates with NDES
Delta CRL is also important if configured!
-> IIS double escaping