Alright – so if you’ve set up Microsoft NDES on server 2012 and followed the basic instructions your CA is now ready to auto enroll based on the “IPSECIntermediateOffline” template.
However, let’s say you want to actually enroll the Cisco ASA using SCEP to provide a server authentication certificate? You’re wanting to do this so your AnyConnect SSL/WebVPN will use an SSL certificate from your internal Active Directory Enterprise CA.
Simple – change the registry value for the MSCEP.dll and restart IIS. Then go back to your Cisco ASA and perform an new identity certificate enrollment. Be sure to populate all of the certificate name fields getting your CN correct.
The key is : HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\MSCEP\
Set this to GeneralPurposeTemplate = Webserver
You can now enroll your Cisco ASA using SCEP to obtain a Server Authentication certificate. You can check the CA certificate and now you you should see an assigned certificate using the WebServer template.
Be sure to set the GeneralPurposeTemplate back to “IPSECIntermediateOffline” once you’re done unless you need to SCEP enroll more Web Servers.
One thought on “Cisco ASA enrollment for SSL using SCEP”
Good post. I’m experiencing many of these issues as