This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
I'm using Windows 2016 server and I setup an offline root CA, an enterprise CA, and a web accessible NDES for SCEP client Wi-Fi certificates.
I set this up two years and now two certificates used by NDES have expired. The certificate names are both {computer name}-MSCEP-RA. If I look at the details of those certificates both were issues by my enterprise CA and one with the "EnrollmentAgentOffline" and "CEPEncryption" templates.
Can someone help me out with renewing these? I found this one article which looks pretty good, but it's for Server 2008 and I'm wondering if this process is different now.
https://learn.microsoft.com/en-us/archive/blogs/askds/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hello,
I think we can follow the steps in the link we provided on Windows server 2016.
1.Create inf file.
2.Request req file using inf file.
3.Request cer file or pfx file using req file.
Or we can request cer file for "EnrollmentAgentOffline" and "CEPEncryption" templates through MMC.
For more information, we can refer to the link below.
Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES)
https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 61%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
I know this is a fairly old Q&A, but Google brought me here... Unfortunately this explanation and the linked article aren't applicable when working with a Server Core installation of NDES...
Sure, I can launch mmc.exe from a different PC or Server, launch the Certificate snap-in and connect to my Server Core NDES server. However, from Step 10, the instructions do not match the functionality of a remote mmc Certificates snap-in.
There is a similar wizard I can use, where I can select the CEP Encryption template. However, it only offers to Save a certificate request file. I can't Enroll automatically, and need to now remind myself the intricacies of the command line tool certreq, which is easy to forget and hard to find information about the correct invocations!
Please can someone help provide instructions for NDES on Server Core, or point me to somewhere else I should ask?
Thanks and Kind regards