NDES Certificate expired. How do I renew it?

Question

I'm using Windows 2016 server and I setup an offline root CA, an enterprise CA, and a web accessible NDES for SCEP client Wi-Fi certificates.
I set this up two years and now two certificates used by NDES have expired. The certificate names are both {computer name}-MSCEP-RA. If I look at the details of those certificates both were issues by my enterprise CA and one with the "EnrollmentAgentOffline" and "CEPEncryption" templates.
Can someone help me out with renewing these? I found this one article which looks pretty good, but it's for Server 2008 and I'm wondering if this process is different now.
https://learn.microsoft.com/en-us/archive/blogs/askds/configuring-network-device-enrollment-service-for-windows-server-2008-with-custom-certificates

Source link:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/1db27793-ebd3-45c7-8c0a-22b88d5b0521/ndes-certificate-expired-how-do-i-renew-it?forum=winserversecurity

Answer 1

Hello,

I think we can follow the steps in the link we provided on Windows server 2016.

1.Create inf file.
2.Request req file using inf file.
3.Request cer file or pfx file using req file.

Or we can request cer file for "EnrollmentAgentOffline" and "CEPEncryption" templates through MMC.

For more information, we can refer to the link below.
Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES)
https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx