Using a policy to configure NDE

You can use rules on a Policy object to manage network device enrollment (NDE) for Simple Certificate Enrollment Protocol (SCEP) certificates. If you are using multiple CA templates, you can create a Policy object for each CA.

You must have View and Write permissions to the Policy object where you want to define NDE settings.

NOTE  If you change the NDE settings on the Policy object, the changes are not effective until the SCEP application pool is recycled. Either recycle the VEDSCEP application pool in IIS or issue the iisreset/restart command.

To configure the NDE settings on the Policy object

  1. From the Platform menu bar, click Policy Tree.

  2. Select the Policy tree from the Tree drop-down menu.
  3. In the Policy tree, select the Policy object.

  4. Click the Network Device Enrollment tab. Refer to the following table while completing the configuration:

    Field

    Policy

    Description

    General

     

     

    Challenge Password

    		  

    (Optional) Requires you to enable the Accept container in challenge password on the Server object Rules tab. The challenge password associated with the current Policy object. If this field is empty, the SCEP-enabled device uses the Platform Default Challenge Password in the URL. For more information, see Network device enrollment settings—Platforms and Server object.

    The Policy Challenge Password is:

    • A credential to enroll certificates at the CA-specific URL. The URL is created using the Policy object CA Ident string.
    • Part of the Use container if rule.

    Use container if

    n/a

    (Optional) A rule to determine whether to create the Certificate object for a SCEP-enrolled certificate under the current Policy object. To confirm that the rule does not offer duplicate challenge passwords, see Example of rule execution.

    • Set the Allow X.509 Subject folder Rules option on the Trust Protection Platform server object. Otherwise, the rule is ignored. For more information, see Example of rule execution.

    • Set a field value. Field values include Any X.509 field, Common Name, Organization,Organizational Unit, and City.
    • Set a comparison operator. Operator values include starts with, matches or contains.

    For example, this rule creates the associated Certificate object under the current Policy object after a SCEP-enabled device submits a CSR that included "NonCorp" in its Organization string.

    Certificate Origin

    n/a

    The value to be used as the friendly name of the system requesting the certificates. It is used for reporting purposes only.

    The friendly name will automatically receive the SCEP prefix. For example, if you enter AirWatch, then the Certificate Origin will appear in Trust Protection Platform as SCEP-AirWatch.

    Default CA

     

     

    CA Ident

    n/a

    An identification string that is appends to Trust Protection Platform base SCEP URL to create a CA-specific URL.

    For example, if the value is redhat, the CA URL where SCEP devices can enroll certificates is http://scep.example.com/vedscep/redhat/.

    Certificate Authority

    n/a

    The CA Template object that Trust Protection Platform uses to: 

    • Enroll certificates submitted at the URL created with the CA Ident string.
    • Connect to the CA and submit CSRs.
    • Post the certificate CSR.
    • Retrieve certificates from the CA.

    RA certificate credential

    n/a

    This is the registration authority (RA) certificate. The RA certificate links the current RA certificate credential to certificates in the default certificate container. The RA certificate is submitted to SCEP-enabled devices in response to a GET CA and to the issuing CA when submitting an enrollment request.

    • You must have view, read, and Private Key read permissions to the certificate object to select it in the Certificate Selector dialog.
    • Trust Protection Platform must have a copy of the RA certificate private key.

    This setting is configurable from either the Platforms or Server objects.

    RA Signing Certificate Credential

     

    Select this credential, which should be linked to the RA signing certificate.

    This setting is configurable from either the Platforms or Server objects.

    RA Encryption Certificate Credential

     

    Select this credential, which should be linked to the RA signing certificate.

    This setting is configurable from either the Platforms or Server objects.

  5. Configure General and Default CA settings, and then click Save.