Hi
A customer of mine is attempting to configure a router so that it will authenticate with their client's NDES server, using SCEP to sign its certificate.
I had previously set up a SCEP requestor prototype for my customer using FreeRADIUS/Debian, in lieu of NDES. It wasn't a simple setup, since there was also dot1x in the mix.
The requestor is a MikroTik RouterBoard device running RouterOS.
The initial SCEP certificate signing request works fine, thanks to the use of an OTP.
The problem is that we can’t get the certificate renewal process to work.
The NDES server receives the renewal request from the RouterBoard and fails with the following error message:
Error,19/01/2021 17:26:08,Microsoft-Windows-NetworkDeviceEnrollmentService,28,None,The Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name.
When you read this, it seems as if either:
RouterOS isn't providing the necessary security info. AFAIK the OTP is only required to sign the initial certificate, so this looks like a "red herring".
The original certificate isn't (properly?) signing the CSR. I assume that this is part of RouterOS' automated renewal process. Not sure what I can do about this.
The issue could be linked to a difference in common or subject alternate name between the CRT and the CSR. I would assume that the RouterOS SCEP implementation generates the CSR based on the existing CRT, so the common and subject alternate names should coincide.
Any ideas, questions or suggestions?
regards
yann
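As an added example that is not part of the original post (and not RouterOS or NDES code), the script below reproduces, with nothing but the openssl CLI, the acceptance rule the NDES event text spells out: the request carries a challengePassword, or it is signed by a certificate whose Subject or SAN equals the request's. It runs against constructed data: a self-signed stand-in for the router's existing certificate, an enrolment CSR carrying an OTP, a same-name renewal CSR wrapped in a CMS signedData signed by that certificate (the shape of a SCEP PKCSReq, minus the envelopedData layer that encrypts the CSR in real SCEP), and a renewal CSR whose names differ. The host names, the OTP value and the file layout are invented for the example.

```shell
#!/bin/sh
# Added example: mimic the NDES event 28 acceptance rule with the openssl CLI.
# Every key, certificate and CSR here is generated on the spot as constructed data.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# $1 is "x509" (certificate) or "req" (CSR); prints the RFC 2253 subject.
subject_of() { openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
# Prints the SAN value line (e.g. "DNS:rb1.example.net"), or nothing if absent.
san_of()     { openssl "$1" -in "$2" -noout -text |
               awk '/Subject Alternative Name/ { getline; sub(/^[ \t]*/, ""); print; exit }'; }
# True when the CSR carries a challengePassword attribute (the SCEP OTP).
has_otp()    { openssl req -in "$1" -noout -text | grep -q 'challengePassword'; }

# The rule from the NDES error text: a password in the request, OR a signing
# certificate whose Subject or SAN matches the request. $2 may be empty (unsigned).
ndes_rule() {
    csr="$1"; signer="${2:-}"
    if has_otp "$csr"; then echo "accept: challengePassword present"; return; fi
    [ -n "$signer" ] || { echo "reject: no password and no signing certificate"; return; }
    if [ "$(subject_of x509 "$signer")" = "$(subject_of req "$csr")" ] ||
       { [ -n "$(san_of req "$csr")" ] && [ "$(san_of x509 "$signer")" = "$(san_of req "$csr")" ]; }; then
        echo "accept: signed, names match"
    else
        echo "reject: signer and request names differ"
    fi
}

# Constructed "existing" device certificate, standing in for the one issued at enrolment.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/dev.key" -out "$WORK/dev.crt" \
    -subj "/CN=rb1.example.net" -addext "subjectAltName=DNS:rb1.example.net" 2>/dev/null

# Constructed initial enrolment CSR: the OTP travels as the challengePassword attribute.
cat > "$WORK/otp.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
attributes         = attrs
req_extensions     = ext
[ dn ]
CN = rb1.example.net
[ attrs ]
challengePassword = 0123456789ABCDEF
[ ext ]
subjectAltName = DNS:rb1.example.net
EOF
openssl req -new -key "$WORK/dev.key" -config "$WORK/otp.cnf" -out "$WORK/enrol.csr"

# Constructed renewal CSRs: one with the same names, one with different names.
openssl req -new -key "$WORK/dev.key" -subj "/CN=rb1.example.net" \
    -addext "subjectAltName=DNS:rb1.example.net" -out "$WORK/renew_same.csr"
openssl req -new -key "$WORK/dev.key" -subj "/CN=rb1-new.example.net" \
    -addext "subjectAltName=DNS:rb1-new.example.net" -out "$WORK/renew_diff.csr"

# Wrap the same-name renewal CSR in a signedData signed with the existing certificate
# (SCEP additionally encrypts the CSR in an envelopedData; that layer is omitted here),
# then pull the signer certificate and the inner CSR back out as NDES would.
openssl cms -sign -in "$WORK/renew_same.csr" -signer "$WORK/dev.crt" -inkey "$WORK/dev.key" \
    -nodetach -binary -outform DER -out "$WORK/renew.p7"
openssl cms -verify -noverify -inform DER -in "$WORK/renew.p7" \
    -signer "$WORK/signer.crt" -out "$WORK/inner.csr" 2>/dev/null

check_enrolment()        { ndes_rule "$WORK/enrol.csr"; }
check_renewal_unsigned() { ndes_rule "$WORK/renew_same.csr"; }
check_renewal_signed()   { ndes_rule "$WORK/inner.csr" "$WORK/signer.crt"; }
check_renewal_renamed()  { ndes_rule "$WORK/renew_diff.csr" "$WORK/dev.crt"; }
# Is the signer pulled out of the CMS the device's existing certificate?
signer_is_device_cert()  {
    [ "$(openssl x509 -in "$WORK/signer.crt" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$WORK/dev.crt" -noout -fingerprint -sha256)" ] && echo yes || echo no
}

for c in check_enrolment check_renewal_unsigned check_renewal_signed check_renewal_renamed; do
    printf '%-24s %s\n' "$c" "$($c)"
done
printf '%-24s %s\n' signer_is_device_cert "$(signer_is_device_cert)"
```

To turn this into a diagnostic for the case above, point `subject_of`, `san_of` and `has_otp` at the CSR the RouterBoard actually sends (extracted from the captured PKCSReq with the same `openssl cms -verify -noverify -signer ...` step) and at the certificate the router currently holds; whichever branch of `ndes_rule` the pair falls into is the one NDES is complaining about.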