Using Fortanix Data Security Manager with Microsoft Network Device Enrollment Service

  • Updated on Jul 24, 2025
  • Published on Jul 16, 2025
  • 14 minute(s) read
Prev Next

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Microsoft Network Device Enrollment Service (NDES) using the Fortanix Key Management Service (KMS) Cryptographic Service Provider (CSP). This integration replaces the default or existing CSP on NDES server with the Fortanix CSP Provider, a secure, hardware-grade key management solution.

NDES is a role service of Active Directory Certificate Services (AD CS) that acts as a Registration Authority. It allows software on routers and other network devices without domain credentials to obtain certificates through the Simple Certificate Enrollment Protocol (SCEP). By storing private keys in Fortanix DSM you can improve the security, control, and auditability of the certificate issuance process. For more information on the service and configuration steps, refer to the official Microsoft documentation at NDES Overview.

This article also contains the information that a user requires to:

  • Install the Fortanix KMS CSP Provider on the NDES Server

  • Configure the NDES Service with the Fortanix KMS CSP Provider

  • Migrate to Fortanix KMS CSP if NDES is already configured with another CSP

  • Test the SCEP Workflow using an open-source SCEP tool

  • Troubleshoot common issues

NOTE

This document does not cover the configuration of NDES with Microsoft Intune or any other SCEP tools. An open-source SCEP tool will be used exclusively to validate the overall SCEP workflow.

2.0 Prerequisites

Ensure the following:

  • Windows Server 2019 with Microsoft AD CS role is installed.

  • NDES server installed and running with admin privileges.

  • Fortanix DSM is accessible. For more information, refer to Section 4.1: Signing Up and Section 4.2: Creating an Account.

  • Fortanix CNG provider (also contains CSP). Download the latest version from here.

3.0 Product Version Tested

The following product versions were tested:

  • Fortanix DSM version 4.34 or later

  • Fortanix CNG Provider 5.1

  • Windows Server 2019

  • Microsoft AD CS with NDES role

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://amer.smartkey.io.

For more information on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use in Section 5.2: Configuring the Fortanix CNG Client.

5.0 Fortanix CNG Provider

The Fortanix CNG Provider must be installed on every target machine. For more information, refer to Section 2.0: Prerequisites.

FortanixKmsClient.msi installs the Fortanix CNG Provider, as well as an EKM provider and the PKCS#11 library. Next, to configure the CNG client, Fortanix CNG Provider communicates with Fortanix DSM for cryptographic operations.

5.1 Installing the Fortanix CNG Client on NDES Server

Perform the following steps to complete the installation on your machine:

  1. Click the .msi file to start the Fortanix KMS client installation.

  2. On the Fortanix KMS Client Setup dialog box, click Next.

    Image1.png

    Figure 4: Fortanix KMS Client Setup

  3. Select the check box for I accept the terms in the License Agreement and click Next.

    Image2.png

    Figure 5: Fortanix KMS Client Setup

  4. Enter the location for installing the Fortanix KMS Client. For example, C:\Program Files\Fortanix\KMS Client\.

    Image3.png

    Figure 6: Fortanix KMS Client Setup

  5. Click Install to install the Fortanix KMS client.

    Image4.png

    Figure 7: Fortanix KMS Client Setup

  6. After the installation is done, click Finish.

    Image5.png

    Figure 8: Fortanix KMS Client Setup

5.2 Configuring Fortanix CNG Client

The Fortanix KMS Server URL and proxy information are configured in the Windows registry for the local machine or the current user.

  1. Run the following command to navigate to FortanixKmsClientConfig.exe file:

    cd C:\Program Files\Fortanix\KmsClient\

    The machine key store uses the local machine configuration, and the user key store uses the current user configuration.

  2. Run the following command to configure the Fortanix DSM Server URL for the following:

    • Local Machine:

      FortanixKmsClientConfig.exe machine --api-endpoint <DSM_endpoint_URL>

      Where,

      <DSM_endpoint_URL> refers to the Fortanix DSM URL. On-premises customers use the DSM URL and SaaS customers can use the URLs based on the region. DSM SaaS supports multiple regions, as listed here.

      For example,

      FortanixKmsClientConfig.exe machine --api-endpoint https://<fortanix_dsm_url>

    • Current user:

      FortanixKmsClientConfig.exe user --api-endpoint <DSM_endpoint_URL>

      To configure proxy information, add --proxy http://proxy.com or --proxy none to unconfigure proxy.

  3. Run the following command to configure the API key as copied in Section 4.5: Copying the API Key:

    • Local Machine:

      FortanixKmsClientConfig.exe machine --api-key <key>

    • User key store:

      FortanixKmsClientConfig.exe user --api-key <key>

Figure 9: Configuring the Fortanix KMS client

6.0 Configure NDES Service with Fortanix KMS CSP Provider

After configuring the Fortanix CNG provider, the next step is to integrate it into the NDES role configuration. This ensures that the NDES uses Fortanix as its CSP instead of any other CSP provider.

Assuming that the NDES Service is already installed, perform the following steps to set up the NDES service with Fortanix KMS CSP provider:

  1. Open the Server Manager on the NDES server.

  2. On the Server Manager window, click Post Deployment Configuration and do the following:

    1. On the Credentials screen, enter the required credentials.

      Figure 10: Configuring credentials in server manager

    2. Click Next.

    3. On the Role Services screen, select the Network Device Enrollment Service check box.

      Figure 11: Selecting network device enrollment service

    4. Click Next.

    5. On the Service Account for NDES screen, browse and select the service account that belongs to the IIS_IUSRS group. For more information on how to create this user, refer to the Microsoft documentation at Configure Network Device Enrollment Service to use a domain user account.

      Figure 12: Selecting service account for NDES

    6. Click Next.

    7. On the CA for NDES screen, browse and select your Certificate Authority (CA) name.

      Figure 13: Selecting certificate authority for NDES

    8. Click Next.

    9. On the RA Information screen, enter the RA name, select the Country/Region from the drop down menu and enter the Optional Information as required. This will be used in registration authority (RA) certificates.

      Figure 14: Entering RA information for NDES

    10. Click Next.

    11. On the Cryptography for NDES screen, select Fortanix KMS CSP from the list of available providers.

      Figure 15: Selecting Fortanix KMS CSP

    12. Click Next.

    13. On the Confirmation screen, review the summary.

      Figure 16: Confirmation screen

    14. Click Configure to configure the roles, role services, or features.

    15. On the Results screen, verify that the configuration completed successfully and that no errors are reported.

      Figure 17: Results screen

    16. Click Close to exit the configuration wizard.

  3. Once configured, navigate to the Local Machine certificate store, where you should see two new certificates.

    Figure 18: Viewing new certificates in local machine certificate store

  4. The corresponding private keys for these certificates will be created in Fortanix DSM.

    Figure 19: Private keys for new certificates

  5. Finally, access the NDES service using the user interface (UI) using your configured URL.

    Figure 20: Accessing NDES service

7.0 Migrate NDES to Fortanix KMS CSP from Another Provider

This section describes the steps to migrate an already configured NDES, whether using Microsoft or another CSP provider, to Fortanix DSM.

7.1 Regenerating RA Certificates with Keys in Fortanix DSM

Perform the following steps to regenerate the RA certificates along with their keys stored in Fortanix DSM:

  1. Run the following command to create the INF files for Certified Encryption Provider (CEP) Encryption and Exchange Enrollment Agent:

    • Sample .inf for CEP Encryption:

      [Version]
Signature="$Windows NT$"

[NewRequest] 
Subject = "C=US, CN=NDES-Server-2-MSCEP-RA"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1 
KeyUsage = 0x80 
MachineKeySet = TRUE 
ProviderName = "Fortanix KMS CSP" 
ProviderType = 24

[EnhancedKeyUsageExtension] 
OID = 1.3.6.1.4.1.311.20.2.1

[RequestAttributes]
CertificateTemplate = CEPEncryption

    • Sample .inf for Exchange Enrollment Agent:

      [Version]
Signature="$Windows NT$"

[NewRequest] 
Subject = "C=US, CN=NDES-Server-2-MSCEP-RA"
Exportable = FALSE
KeyLength = 2048
KeySpec = 2 
KeyUsage = 0x80 
MachineKeySet = TRUE
ProviderName = "Fortanix KMS CSP" 
ProviderType = 24

[EnhancedKeyUsageExtension] 
OID = 1.3.6.1.4.1.311.20.2.1

[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline

    Using these INF files, the keys will be generated in Fortanix DSM without export permission, ensuring that the private keys remain securely stored within Fortanix DSM.

  2. Once the INF files are ready, run the following PowerShell commands to generate the key and Certificate Signing Request (CSR) requests: 

    PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certreq -new encryption.inf encryption-2025
Active Directory Enrollment Policy
  {FBF5B06D-DD19-44BB-BBC8-0F7E717474D6}
  ldap:

CertReq: Request Created


PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certreq -new signature.inf signature-2025
Active Directory Enrollment Policy
  {FBF5B06D-DD19-44BB-BBC8-0F7E717474D6}
  ldap:
Machine context template conflicts with user context.

CertReq: Request Created

    These commands will generate the CSR requests, and the associated keys will be created in Fortanix DSM, ensuring that the certificates are securely linked to the Fortanix KMS CSP.

    Figure 21: Security object created

    Figure 22: Audit logs

  3. Run the following commands to retrieve the certificates from CA for these certificate requests:

    PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certreq -submit encryption-2025 encryption-2025.crt
Active Directory Enrollment Policy
  {FBF5B06D-DD19-44BB-BBC8-0F7E717474D6}
  ldap:
RequestId: 187
RequestId: "187"
Certificate retrieved(Issued) Issued
PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certreq -submit signature-2025 signature-2025.crt
Active Directory Enrollment Policy
  {FBF5B06D-DD19-44BB-BBC8-0F7E717474D6}
  ldap:
RequestId: 188
RequestId: "188"
Certificate retrieved(Issued) Issued

7.2 Replacing Existing RA Certificates with Fortanix-Based RA Certificates

Perform the following steps to replace the existing RA certificates with the newly generated Fortanix DSM key-based certificates in the Local Machine certificate store:

  1. Export the existing RA certificates from the Local Machine certificate store to the file system as a backup.

    1. In the Certificates, navigate to Local Computer → Personal →  Certificates.

    2. Locate the RA certificate you want to export, right-click it, and select All Tasks →  Export.

  2. In the Certificate Export Wizard, do the following:

    1. Select Yes, export the private key.

    2. Select PFX (Personal Information Exchange) format.

    3. Set a password if needed.

    4. Save the exported certificate in a secure location.

      Figure 23: Exporting existing RA certificates

  3. Remove the existing RA certificates from the Local Machine certificate store to prepare for the new certificates.

    1. In the Certificates, go to Local Computer → Personal → Certificates.

    2. Find the RA certificate that you want to remove, right-click it and select Delete.

    3. Confirm the deletion when prompted to remove it from the certificate store.

      Figure 24: Deleting existing RA certificates

  4. Import the Fortanix key-based certificates, generated in the previous steps, into the Local Machine certificate store one by one.

    1. In the Certificates, navigate to Local Computer → Personal → Certificates.

    2. Right-click Certificates to launch the Certificate Import Wizard and click Install Certificate… to browse to the location where you saved the Fortanix key-based certificates and upload the certificate.

      Figure 25: Select Fortanix certificate file for import

    3. Click OK.

    4. On the next screen, select Local Machine to all certificates in your local machine.

      Figure 26: Select the system area for certificate import

    5. Click Next.

    6. Select Place all certificates in the following store option and then browse and select Personal.

      Figure 27: Select store for certificate import

    7. Click Next and then Finish to complete the import process.

      Figure 28: Complete the certificate import wizard

      You should now see the new Fortanix certificates listed under Personal in the Certificates.

  5. Once the certificates are imported, run the repairstore command to repair both certificates using their thumbprints:

    PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certutil  -csp "Fortanix KMS CSP" -f -repairstore My c20e9e60730862a4cc5db8d4e9259f41d5ae376c
My "Personal"
================ Certificate 2 ================
Serial Number: 13000000bcef1e1c5aa57684680000000000bc
Issuer: CN=auftxtest-NDES-CA-CA, DC=auftxtest, DC=local
 NotBefore: 7/3/2025 9:57 AM
 NotAfter: 7/3/2027 9:57 AM
Subject: CN=NDES-Server-2-MSCEP-RA, C=US
Certificate Template Name (Certificate Type): EnrollmentAgentOffline
Non-root Certificate
Template: EnrollmentAgentOffline, Exchange Enrollment Agent (Offline request)
Cert Hash(sha1): c20e9e60730862a4cc5db8d4e9259f41d5ae376c
  Key Container = tq-EnrollmentAgentOffline-688cc5c-13503
  Provider = Fortanix KMS CSP
Private key is NOT exportable
Signature test passed
CertUtil: -repairstore command completed successfully.



PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certutil  -csp "Fortanix KMS CSP" -f -repairstore My 73e38592a36ee226d62391b34db6ef45c871ab8e
My "Personal"
================ Certificate 9 ================
Serial Number: 13000000bb52f4d93fdce3eab00000000000bb
Issuer: CN=auftxtest-NDES-CA-CA, DC=auftxtest, DC=local
 NotBefore: 7/3/2025 9:57 AM
 NotAfter: 7/3/2027 9:57 AM
Subject: CN=NDES-Server-2-MSCEP-RA, C=US
Certificate Template Name (Certificate Type): CEPEncryption
Non-root Certificate
Template: CEPEncryption, CEP Encryption
Cert Hash(sha1): 73e38592a36ee226d62391b34db6ef45c871ab8e
  Key Container = tq-CEPEncryption-e7b6da73-2a69-48-29286
  Provider = Fortanix KMS CSP
Private key is NOT exportable
ERROR: Could not verify certificate public key against private key
CertUtil: -repairstore command completed successfully.

  6. Ensure that the key icon is visible next to both certificates in the Local Machine certificate store, indicating that the private keys are correctly associated with the certificates.

    Figure 29: Verifying key association for new certificates

7.3 Restarting the NDES

Perform the following steps to restart the NDES service and access the configured URL:

  1. Run the following command with administrative privileges to restart the IIS (Internet Information Services), which will restart the NDES service:

    PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> iisreset

  2. The command will first stop the internet services, then restart them.

    The output may appear as follows:

    Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted

    This confirms that the NDES service has been restarted successfully.

  3. After restarting the service, you can access the NDES UI using the configured URL in your web browser. Ensure that the URL is correctly set up in the NDES configuration to access the service through the web interface.

    Figure 30: Accessing NDES UI after restart

8.0 Validate SCEP Workflow with Open-Source Tool

To validate the SCEP workflow, you must use an open-source SCEP tool from GitHub - Certnanny/sscep. This tool mimics the overall SCEP workflow by sending a certificate request to NDES for signing by the CA and retrieving the signed certificate for authentication within the domain.

This section describes the steps to build the tool locally, as detailed on the GitHub page. Once the tool is successfully built, perform the following steps to test the SCEP workflow.

8.1 Generating a Private Key and CSR Request Using OpenSSL

Run the following commands to generate a private key and CSR using OpenSSL:

openssl genrsa -out priv.key 4096
openssl.exe req -config scep.cnf -new -key priv.key -out test.csr

The following is the sample configuration file (scep.cnf) to use with OpenSSL:

# OpenSSL configuration file for use with OpenSCEP
HOME        = OPENSCEPDIR
RANDFILE    = $ENV::HOME/.rnd
DIR         = OPENSCEPDIR
oid_section = scep_oids

[ca]
default_ca  = OpenSCEP

[OpenSCEP]
dir         = OPENSCEPDIR
certs       = $dir/certs
crl_dir     = $dir/crl
database    = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate  = $dir/cacert.pem
private_key  = $dir/cakey.pem
serial      = $dir/serial
crl         = $dir/crl.pem
RANDFILE    = $dir/.rnd

x509_extensions = scep_cert
default_md      = sha1
default_days    = 1827
default_crl_days = 10

[scep_oids]
messageType=2.16.840.1.113733.1.9.2
pkiStatus=2.16.840.1.113733.1.9.3
failInfo=2.16.840.1.113733.1.9.4
senderNonce=2.16.840.1.113733.1.9.5
recipientNonce=2.16.840.1.113733.1.9.6
transId=2.16.840.1.113733.1.9.7
extensionReq=2.16.840.1.113733.1.9.8
proxyAuthenticator=1.3.6.1.4.1.4263.5.5

[scep_cert]
basicConstraints = CA:FALSE
nsComment       = "OpenSCEP certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment

Figure 31: OpenSSL configuration for generating CSR

NOTE

For the challenge password, provide the enrollment challenge password in the NDES service URL. For example, https://servicename/certsrv/mscep_admin.

Figure 32: OpenSSL challenge password configuration

8.2. Fetching the Fortanix-Based RA and CA Certificates

Run the following command to fetch the RA and CA certificates from the NDES service:

./sscep.exe getca -u http://<servicename>/certsrv/mscep/ -c ca.crt

Figure 33: Fetching Fortanix-based RA and CA certificates

The command saves the fetched certificates using the names specified with the -c flag and appends an integer suffix:

  • ca.crt-0 refers to the Enrollment Agent RA Certificate.

  • ca.crt-1 refers to the CEP Encryption RA Certificate.

  • ca.crt-2 refers to the Certificate Authority Certificate.

8.3. Sending the Enrollment Request to NDES

Run the following command to send the enrollment request using the private key, CSR file, and CA certificates:

.\sscep.exe enroll -u http://<servicename>/certsrv/mscep/mscep.dll -k <private.key> -r <test.csr> -l <test.crt> -c <ca.crt>-0 -e <ca.crt>-1

Figure 34: Sending Enrollment Request to NDES

Where,

If the enrollment operation is completed successfully, you will receive the signed certificate (test.crt), which confirms that the SCEP integration is working as expected.

9.0 Troubleshooting NDES Service Errors

In case the NDES service is returning a 500 error, follow the steps below to check the logs:

  1. Event Viewer Logs:

    Navigate to Windows → Application Logs in the Event Viewer to check for any errors related to NDES.

  2. Additional Logs:

    For more detailed logs, navigate to Event Viewer → Applications and Services → Microsoft → Windows → CAPI2 to enable logging.

  3. Fortanix Logs:

    Check the Fortanix logs located in the C:\Windows\System32\config\systemprofile\AppData\Roaming\Fortanix\KmsClient directory.

    Alternatively, for logs associated with a specific user, check in the user appdata folder at C:\Users\<username>\AppData\Roaming\Fortanix directory.