Avalanche powered by Wavelink


This page refers to an older version of the product.
View the current version of the User Guide.

Configuring the SCEP Server

Integrating Avalanche with Microsoft SCEP requires two configurations. The first configuration is to enable automatic certificate issuing, so that Avalanche can freely communicate with SCEP to automatically submit requests and distribute new certificates to devices. By default, certificate renewal is enabled on Microsoft Server 2008 R2 and Server 2008 SP2.

The second configuration is to enable Single Password Mode, which makes it easier to request and renew expired certificates. Under the SCEP protocol, devices are required to send a password when they request a certificate from the certificate management server. After the password is validated, a certificate is issued to the device. Enabling this registry setting allows you to set a single master password that is used across all devices and recognized by the SCEP server.

If you have not already configured the Wavelink Certificate Management Server, see Configuring the Certificate Management Server.

To enable automatic certificate issuing:

1. From the Microsoft SCEP console, navigate to Server Manager > Roles > Active Directory Certificate Services > [Your Certificate Authority].

2. Select the Policy Module tab.

3. Click the second option to automatically issue the certificate.

4. Click OK.

The SCEP server now allows automatic issuing of certificates.

To reuse a password on multiple devices:

1. Create the following registry entry:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword

Name: UseSinglePassword

Type: REG_DWORD

Value: 1

2. Open a web browser and navigate to http://[Your Certificate Authority]/certsrv/mscep_admin.

3. The following message should appear:

This password can be used multiple times and will not expire.

The SCEP server confirms the registry setting for Single Password Mode and stores the master password in the registry in encrypted form. This password never expires, and the administrator can retrieve it by logging into the SCEP administration website and submitting a request. This password must be deployed to all devices.
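
The registry change from step 1 of the procedure above can be applied and checked from PowerShell. This is an added example, not part of the original guide or of any Wavelink or Microsoft tooling; the function names are hypothetical, and it assumes an elevated PowerShell session on the SCEP server.

```powershell
# Added example. Key path and value name are the ones given in step 1 above;
# the function names are hypothetical.
$KeyPath   = 'HKLM:\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword'
$ValueName = 'UseSinglePassword'

function Get-ScepSinglePasswordState {
    # Read-only check. Returns 'Enabled', 'Disabled', 'Missing' or 'WrongType'.
    if (-not (Test-Path -Path $KeyPath)) { return 'Missing' }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return 'Missing' }
    # A value created as a string ("1") instead of REG_DWORD does not match step 1.
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    if ($key.GetValue($ValueName) -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-ScepSinglePassword {
    # Idempotent: creates the key if it is absent, then (re)writes the value
    # as REG_DWORD 1, replacing a value of the wrong type if one exists.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Record the state before and after so the change is visible in the session log.
$before = Get-ScepSinglePasswordState
if ($before -ne 'Enabled') { Enable-ScepSinglePassword }
$after = Get-ScepSinglePasswordState
'{0}: before={1}, after={2}' -f $ValueName, $before, $after

if ($after -ne 'Enabled') {
    throw 'UseSinglePassword is not set to REG_DWORD 1; check that the session is elevated.'
}
```

Running `Get-ScepSinglePasswordState` on its own reports the current setting without modifying the registry, which is useful when reviewing which servers have Single Password Mode turned on.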

Once you've completed these steps, you need to configure the server for certificate authentication. For steps to complete this task, see Setting Up Certificate Authentication.

