Alright – so if you’ve set up Microsoft NDES on Server 2012 and followed the basic instructions, your CA is now ready to auto-enroll devices over SCEP based on the “IPSECIntermediateOffline” template.
However, let’s say you want to enroll the Cisco ASA using SCEP for a server authentication certificate, so that your AnyConnect SSL/WebVPN uses an SSL certificate issued by your internal Active Directory Enterprise CA.
Simple – change the registry value for MSCEP.dll and restart IIS. Then go back to your Cisco ASA and perform a new identity certificate enrollment. Be sure to populate all of the certificate name fields and get your CN correct, e.g.:
CN=vpn.mydomain.net
The registry key is HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\MSCEP\
Set the value GeneralPurposeTemplate = Webserver
You can now enroll your Cisco ASA using SCEP to obtain a Server Authentication certificate. Check the issued certificates on the CA and you should now see a certificate issued using the WebServer template.
Be sure to set GeneralPurposeTemplate back to “IPSECIntermediateOffline” once you’re done, unless you need to SCEP-enroll more web servers: while the value is set to the WebServer template, every SCEP request NDES accepts is issued a Server Authentication certificate.
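As an added example (not from the original post), a PowerShell script that makes the registry change, restarts IIS, and restores the previous value afterwards; it assumes it runs elevated on the NDES server and uses the WebServer template name from the post.

```powershell
# Added example, not part of the original post: temporarily switch the NDES
# GeneralPurposeTemplate to WebServer for one SCEP enrollment, then restore it.
# Assumes: run as administrator on the NDES server; "WebServer" is the template
# name of the built-in Web Server template, as used in the post.
$Key   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$Value = 'GeneralPurposeTemplate'

function Get-NdesGeneralPurposeTemplate {
    (Get-ItemProperty -Path $Key -Name $Value).$Value
}

function Set-NdesGeneralPurposeTemplate {
    param([Parameter(Mandatory)][string]$Template)
    Set-ItemProperty -Path $Key -Name $Value -Value $Template
    # NDES reads the template names when its application pool starts,
    # which is why the post says to restart IIS after changing the value.
    iisreset | Out-Null
    Write-Host "$Value is now '$(Get-NdesGeneralPurposeTemplate)'"
}

# Remember what was there (normally IPSECIntermediateOffline) so it can be restored.
$previous = Get-NdesGeneralPurposeTemplate
Set-NdesGeneralPurposeTemplate -Template 'WebServer'

Read-Host 'Enroll the ASA now, then press Enter to restore the previous template'

# Restore the original template so later SCEP requests do not get WebServer certificates.
Set-NdesGeneralPurposeTemplate -Template $previous
```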
Good post. I’m experiencing many of these issues as well...