YannShukor-8208 asked:

SCEP certificate renewal fails with event id 28

Hi

A customer of mine is attempting to configure a router so that it will authenticate with their client's NDES server, using SCEP to get its certificate signed.

I had previously set up a SCEP requestor prototype for my customer using FreeRADIUS/Debian, in lieu of NDES. It wasn't a simple setup, since there was also dot1x in the mix.

The requestor is a Mikrotik Routerboard device running RouterOS

The initial SCEP certificate signing request works fine, thanks to the use of an OTP.

The problem is that we can’t get the certificate renewal process to work.

The NDES server receives the renewal request from the RouterBoard and fails with the following error message:

Error,19/01/2021 17:26:08,Microsoft-Windows-NetworkDeviceEnrollmentService,28,None,The Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name.

When you read this, it seems as if either:

  • RouterOS isn't providing the necessary security info - AFAIK the OTP is only required to sign the initial certificate - so this looks like a "red herring"

  • the original certificate isn't (properly?) signing the CSR - I assume that this is part of RouterOS' automated renewal process. Not sure what I can do about this

  • the issue could be linked to a difference in common name or subject alternative name between the CRT and the CSR. I would assume that the RouterOS SCEP implementation generates the CSR based on the existing CRT, therefore the common and subject alternative names should coincide

Any ideas, questions or suggestions?

regards
yann

mem-intune-enrollment
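The event 28 text names two proofs NDES will accept on a SCEP request: a challengePassword attribute inside the PKCS#10, or a PKCS#7 signature over the request made with an existing certificate that chains to a trusted root and carries the same subject or SAN. The first is the easiest to check from a capture of the renewal request, and the attribute has a fixed location and OID. The script below is an added illustration, not code from the original post, from MikroTik or from Microsoft: it uses only the Python standard library to walk a DER-encoded CertificationRequest down to the `[0]` attributes field and report whether OID 1.2.840.113549.1.9.7 (pkcs-9-at-challengePassword) is present, alongside the subject CN for comparison with the existing certificate. The CSR it inspects is constructed inline with a dummy key and dummy signature (labelled as such), so it is structurally a PKCS#10 but not a signable or verifiable one; point `inspect_csr` at real DER bytes from a capture to use it for diagnosis.

```python
"""Check a DER PKCS#10 CSR for the SCEP challengePassword attribute.

Added example (not from the original post). Standard library only: a
minimal DER reader walks CertificationRequest -> CertificationRequestInfo
-> [0] attributes and looks for OID 1.2.840.113549.1.9.7, which is the
attribute NDES means when event 28 says it "cannot locate a required
password in the certificate request".
"""
from typing import Iterator, Optional, Tuple

CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"   # pkcs-9-at-challengePassword
COMMON_NAME_OID = "2.5.4.3"                       # id-at-commonName


def der_len(body: bytes) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    n = len(body)
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(body) + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def children(body: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_demo_csr(common_name: str, challenge: Optional[str]) -> bytes:
    """Constructed sample: correct PKCS#10 layout, dummy key and signature.

    Only the structure matters for the check; nothing here is signed.
    """
    cn = tlv(0x30, tlv(0x06, encode_oid(COMMON_NAME_OID)) + tlv(0x0C, common_name.encode()))
    subject = tlv(0x30, tlv(0x31, cn))                       # Name = SEQUENCE OF SET OF ATV
    rsa = tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.1")) + tlv(0x05, b""))
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00" * 17))          # dummy public key bits
    attrs = b""
    if challenge is not None:                                # Attribute { OID, SET { PrintableString } }
        attrs = tlv(0x30, tlv(0x06, encode_oid(CHALLENGE_PASSWORD_OID))
                    + tlv(0x31, tlv(0x13, challenge.encode())))
    cri = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, attrs))  # [0] IMPLICIT SET OF
    sig_alg = tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.11")) + tlv(0x05, b""))
    return tlv(0x30, cri + sig_alg + tlv(0x03, b"\x00" * 17))  # dummy signature


def inspect_csr(csr_der: bytes) -> dict:
    """Return the subject CN and challengePassword (None when absent)."""
    _, cert_req, _ = read_tlv(csr_der, 0)
    _, cri, _ = read_tlv(cert_req, 0)                        # CertificationRequestInfo
    fields = list(children(cri))                             # version, subject, spki, [0] attrs
    result = {"cn": None, "challenge_password": None}
    for _, rdn in children(fields[1][1]):
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))
            if decode_oid(oid) == COMMON_NAME_OID:
                result["cn"] = value.decode()
    for tag, body in fields[3:]:
        if tag != 0xA0:                                      # attributes are context tag [0]
            continue
        for _, attr in children(body):
            (_, oid), (_, values) = list(children(attr))
            if decode_oid(oid) == CHALLENGE_PASSWORD_OID:
                _, pw = next(children(values))
                result["challenge_password"] = pw.decode()
    return result


if __name__ == "__main__":
    for pw in ("otp-12345", None):
        info = inspect_csr(build_demo_csr("router1.example.net", pw))
        verdict = "password present" if info["challenge_password"] else \
            "no password: NDES needs a PKCS#7 signature by the existing, subject-matching cert"
        print(info, "->", verdict)
```

A request with no challengePassword is not wrong in itself; it simply means NDES falls back to the second condition in the event text, so the next thing to examine is the outer SCEP PKCS#7 signer certificate and whether its subject/SAN matches the inner CSR.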

Thanks for posting in this forum. For this kind of issue, we may need to collect more logs and traces from NDES and SCEP. Due to limited resources, it is highly suggested to create a free online support case to resolve this issue more effectively. Here is the link: https://docs.microsoft.com/en-us/mem/get-support


1 Answer

YannShukor-8208 answered:

Thanks for your reply

Unfortunately I have no visibility or access to my client's customer's systems

Just close the ticket then

regards
yann


Thanks; will try to obtain something from client's customer
