We currently use the NDES Service on Windows 2008 R2 Enterprise where the same box is also the standalone Certificate Authority.
During initial setup, NDES created 2 service certificates for SCEP based on the templates CEPEncryption and EnrollmentAgentOffline.
These two SCEP certs have expired and we are struggling to renew / request new.
Attempting to renew them using the certificates MMC snap with the same key (all tasks->advanced operations->renew this certificate with the same key) produces an error
“An enrollment policy server cannot be located”
I have tried to follow the instructions at the following URL for renewing service certificates but they don't seem to be correct for the scenario we are in (likely the standalone CA).
Specifically steps 10,11 start deviating
- Right-click, select All Tasks, and then click Select New Certificates. (I don't have the Select New Certificates option).
- In the Certificate Enrollment dialog box, click Next. (on all renewal/request tasks I choose I receive the error noted above)
Can anyone help me with the error and educate me on how to renew these service certificates in this scenario?
Best Answer
turns out the standalone CA scenario was causing the issue. The renewal and certificate request process built into the certificate MMC GUI requires a policy web server (which can't run on a standalone CA as it requires domain permissions to install).
As a result, you need to manually remove, request and accept the new certs. Found a blog post that details instructions on how to do it manually using certutil.
http://blogs.technet.com/b/askds/archive/2008/04/28/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates.aspx