---
title: "Fortanix DSM with Microsoft Network Device Enrollment Service"
slug: "using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service"
updated: 2026-04-17T16:44:18Z
published: 2026-04-17T16:44:18Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Fortanix DSM with Microsoft Network Device Enrollment Service

## 1.0 Introduction

This article describes how to integrate **Fortanix Data Security Manager (DSM)**with **Microsoft Network Device Enrollment Service (NDES)**using the **Fortanix Key Management Service (KMS) Cryptographic Service Provider (CSP)**. This integration replaces the default or existing CSP on NDES server with the Fortanix CSP Provider, a secure, hardware-grade key management solution.

NDES is a role service of Active Directory Certificate Services (AD CS) that acts as a Registration Authority. It allows software on routers and other network devices without domain credentials to obtain certificates through the Simple Certificate Enrollment Protocol (SCEP). By storing private keys in Fortanix DSM you can improve the security, control, and auditability of the certificate issuance process. *For more information on the service and configuration steps, refer to the official Microsoft documentation at*[*NDES Overview*](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/network-device-enrollment-service-overview)*.*

This article also contains the information that a user requires to:

- Install the Fortanix KMS CSP Provider on the NDES Server
- Configure the NDES Service with the Fortanix KMS CSP Provider
- Migrate to Fortanix KMS CSP if NDES is already configured with another CSP
- Test the SCEP Workflow using an open-source SCEP tool
- Troubleshoot common issues

> [!NOTE]
> NOTE
> 
> This document does not cover the configuration of NDES with Microsoft Intune or any other SCEP tools. An open-source SCEP tool will be used exclusively to validate the overall SCEP workflow.

## 2.0 Prerequisites

Ensure the following:

- Windows Server 2019 with Microsoft AD CS role is installed.
- NDES server installed and running with admin privileges.
- Fortanix DSM is accessible. *For more information, refer to*[*Section 4.1: Signing Up*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#41-signing-up)*and*[*Section 4.2: Creating an Account*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#42-creating-an-account)*.*
- Fortanix CNG provider (also contains CSP). *Download the latest version from*[*here*](https://cng/EKM).

## 3.0 Product Version Tested

The following product versions were tested:

- Fortanix DSM version 4.34 or later
- Fortanix CNG Provider 5.1
- Windows Server 2019
- Microsoft AD CS with NDES role

## 4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io.](https://amer.smartkey.io.) On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the*[*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the*[*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups**menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_Add_Group(10).png)

**Figure 2: Add groups**
2. On the**Adding new group**page:
  1. **Title**: Enter a name for your group.
  2. **Description**(optional): Enter a short description of the group.
3. Click **SAVE**to create the new group.

The new group is added to the Fortanix DSM successfully.

### 4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps**menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(34).png)

**Figure 3: Add application**
2. On the **Adding new app**page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION**(optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key**as the authentication method from the drop down menu. *For more information on these authentication methods, refer to the*[*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 4.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#43-creating-a-group)**[](/v1/docs/using-data-security-manager-with-idcentral-key-management#43-creating-a-group)from the list.
3. Click **SAVE**to add the new application.

The new application is added to the Fortanix DSM successfully.

### 4.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps**menu item, and then click the app created in [*Section 4.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#44-creating-an-application)**to go to the detailed view of the app.
2. On the **INFO**tab, click **VIEW API KEY DETAILS**.
3. From the **API Key Details**dialog box, copy the **API Key**of the app to use in**[*Section 5.2: Configuring the Fortanix CNG Client*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#52-configuring-the-fortanix-cng-client)*.*

## 5.0 Fortanix CNG Provider

The Fortanix CNG Provider must be installed on every target machine.*For more information, refer to*[*Section 2.0: Prerequisites*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#20-prerequisites)*.*

`FortanixKmsClient.msi` installs the Fortanix CNG Provider, as well as an EKM provider and the PKCS#11 library. Next, to configure the CNG client, Fortanix CNG Provider communicates with Fortanix DSM for cryptographic operations.

### 5.1 Installing the Fortanix CNG Client on NDES Server

Perform the following steps to complete the installation on your machine:

1. Click the `.msi` file to start the Fortanix KMS client installation.
2. On the **Fortanix KMS Client Setup** dialog box, click **Next**.

![Image1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18994870228244.png)

**Figure 4: Fortanix KMS client setup**
3. Select the check box for **I accept the terms in the License Agreement** and click **Next**.

![Image2.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18994870229396.png)

**Figure 5: Fortanix KMS client setup**
4. Enter the location for installing the**Fortanix KMS Client**. For example, `C:\Program Files\Fortanix\KMS Client\`.

![Image3.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18994917310228.png)

**Figure 6: Fortanix KMS client setup**
5. Click **Install**to install the Fortanix KMS client.

![Image4.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18994917311252.png)

**Figure 7: Fortanix KMS client setup**
6. After the installation is done, click **Finish**.

![Image5.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/18994917312276.png)

**Figure 8: Fortanix KMS client setup**

### 5.2 Configuring Fortanix CNG Client

The Fortanix KMS Server URL and proxy information are configured in the Windows registry for the local machine or the current user.

1. Run the following command to navigate to `FortanixKmsClientConfig.exe` file:

```bash
cd C:\Program Files\Fortanix\KmsClient\
```

The machine key store uses the local machine configuration, and the user key store uses the current user configuration.
2. Run the following command to configure the Fortanix DSM Server URL for the following:
  - **Local Machine**:

```bash
FortanixKmsClientConfig.exe machine --api-endpoint <DSM_endpoint_URL>
```

Where, `&lt;DSM_endpoint_URL&gt;` is the Fortanix DSM URL. On-premises customers use the DSM URL and SaaS customers can use the URLs based on the region. DSM SaaS supports multiple regions, as listed [*here*](https://support.fortanix.com/docs/fortanix-dsm-saas-global-availability-map).

For example,

```bash
FortanixKmsClientConfig.exe machine --api-endpoint https://<fortanix_dsm_url>
```
  - **Current user**:

```bash
FortanixKmsClientConfig.exe user --api-endpoint <DSM_endpoint_URL>
```

To configure proxy information, add `--proxy http://proxy.com` or `--proxy none` to unconfigure proxy.
3. Run the following command to configure the API key as copied in [*Section 4.5: Copying the API Key*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#46-copying-the-api-key):
  - **Local Machine**:

```bash
FortanixKmsClientConfig.exe machine --api-key <key>
```
  - **User key store**:

```bash
FortanixKmsClientConfig.exe user --api-key <key>
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 9.png)

**Figure 9: Configuring the Fortanix KMS client**

## 6.0 Configure NDES Service with Fortanix KMS CSP Provider

After configuring the Fortanix CNG provider, the next step is to integrate it into the NDES role configuration. This ensures that the NDES uses Fortanix as its CSP instead of any other CSP provider.

Assuming that the NDES Service is already installed, perform the following steps to set up the NDES service with Fortanix KMS CSP provider:

1. Open the **Server Manager** on the NDES server.
2. On the **Server Manager** window, click **Post Deployment Configuration**,
  1. On the **Credentials**screen, enter the required credentials.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 10.png)

**Figure 10: Configuring credentials in server manager**
  2. Click **Next**.
  3. On the **Role Services**screen, select the **Network Device Enrollment Service**check box.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 11.png)

**Figure 11: Selecting network device enrollment service**
  4. Click **Next**.
  5. On the **Service Account for NDES** screen, browse and select the service account that belongs to the **IIS_IUSRS** group. *For more information on how to create this user, refer to the Microsoft documentation at*[*Configure Network Device Enrollment Service to use a domain user account*](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/create-domain-user-account-ndes-service-account)*.*

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 12.png)

**Figure 12: Selecting service account for NDES**
  6. Click **Next**.
  7. On the**CA for NDES**screen, browse and select your **Certificate Authority (CA) name**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 13.png)

**Figure 13: Selecting certificate authority for NDES**
  8. Click **Next**.
  9. On the **RA Information** screen, enter the **RA name**, select the **Country/Region** from the drop down menu and enter the **Optional Information**as required. This will be used in registration authority (RA) certificates.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 14.png)

**Figure 14: Entering RA information for NDES**
  10. Click **Next**.
  11. On the **Cryptography for NDES**screen, select **Fortanix KMS CSP**from the list of available providers.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 15.png)

**Figure 15: Selecting Fortanix KMS CSP**
  12. Click **Next**.
  13. On the **Confirmation**screen, review the summary.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 16.png)

**Figure 16: Confirmation screen**
  14. Click **Configure**to configure the roles, role services, or features.
  15. On the **Results**screen, verify that the configuration completed successfully and that no errors are reported.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 17.png)

**Figure 17: Results screen**
  16. Click **Close**to exit the configuration wizard.
3. Once configured, navigate to the Local Machine certificate store, where you should see two new certificates.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 18.png)

**Figure 18: Viewing new certificates in local machine certificate store**
4. The corresponding private keys for these certificates will be created in Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768775738359.png)

**Figure 19: Private keys for new certificates**
5. Finally, access the NDES service using the user interface (UI) using your configured URL.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 19(1).png)

**Figure 20: Accessing NDES service**

## 7.0 Migrate NDES to Fortanix KMS CSP from Another Provider

This section describes the steps to migrate an already configured NDES, whether using Microsoft or another CSP provider, to Fortanix DSM.

### 7.1 Regenerating RA Certificates with Keys in Fortanix DSM

Perform the following steps to regenerate the RA certificates along with their keys stored in Fortanix DSM:

1. Run the following command to create the INF files for Certified Encryption Provider (CEP) Encryption and Exchange Enrollment Agent:

Using these INF files, the keys will be generated in Fortanix DSM without export permission, ensuring that the private keys remain securely stored within Fortanix DSM.
  - Sample `.inf` for CEP Encryption:

```bash
[Version]
Signature="$Windows NT$"

[NewRequest] 
Subject = "C=US, CN=NDES-Server-2-MSCEP-RA"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1 
KeyUsage = 0x80 
MachineKeySet = TRUE 
ProviderName = "Fortanix KMS CSP" 
ProviderType = 24

[EnhancedKeyUsageExtension] 
OID = 1.3.6.1.4.1.311.20.2.1

[RequestAttributes]
CertificateTemplate = CEPEncryption
```
  - Sample `.inf` for Exchange Enrollment Agent:

```bash
[Version]
Signature="$Windows NT$"

[NewRequest] 
Subject = "C=US, CN=NDES-Server-2-MSCEP-RA"
Exportable = FALSE
KeyLength = 2048
KeySpec = 2 
KeyUsage = 0x80 
MachineKeySet = TRUE
ProviderName = "Fortanix KMS CSP" 
ProviderType = 24

[EnhancedKeyUsageExtension] 
OID = 1.3.6.1.4.1.311.20.2.1

[RequestAttributes]
CertificateTemplate = EnrollmentAgentOffline
```
2. Once the INF files are ready, run the following PowerShell commands to generate the key and Certificate Signing Request (CSR) requests:

```bash
PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certreq -new encryption.inf encryption-2025
Active Directory Enrollment Policy
  {FBF5B06D-DD19-44BB-BBC8-0F7E717474D6}
  ldap:

CertReq: Request Created

PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certreq -new signature.inf signature-2025
Active Directory Enrollment Policy
  {FBF5B06D-DD19-44BB-BBC8-0F7E717474D6}
  ldap:
Machine context template conflicts with user context.

CertReq: Request Created
```

These commands will generate the CSR requests, and the associated keys will be created in Fortanix DSM, ensuring that the certificates are securely linked to the Fortanix KMS CSP.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768775752691.png)

**Figure 21: Security object created**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1768775767487.png)

**Figure 22: Audit logs**
3. Run the following commands to retrieve the certificates from CA for these certificate requests:

```bash
PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certreq -submit encryption-2025 encryption-2025.crt
Active Directory Enrollment Policy
  {FBF5B06D-DD19-44BB-BBC8-0F7E717474D6}
  ldap:
RequestId: 187
RequestId: "187"
Certificate retrieved(Issued) Issued
PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certreq -submit signature-2025 signature-2025.crt
Active Directory Enrollment Policy
  {FBF5B06D-DD19-44BB-BBC8-0F7E717474D6}
  ldap:
RequestId: 188
RequestId: "188"
Certificate retrieved(Issued) Issued
```

### 7.2 Replacing Existing RA Certificates with Fortanix-Based RA Certificates

Perform the following steps to replace the existing RA certificates with the newly generated Fortanix DSM key-based certificates in the Local Machine certificate store:

1. Export the existing RA certificates from the Local Machine certificate store to the file system as a backup.
  1. In the Certificates, navigate to **Local Computer** → **Personal**→ **Certificates**.
  2. Locate the **RA certificate** you want to export, right-click it, and select **All Tasks** → **Export**.
2. In the **Certificate Export Wizard**,
  1. Select **Yes, export the private key**.
  2. Select **PFX**(Personal Information Exchange) format.
  3. Set a password if needed.
  4. Save the exported certificate in a secure location.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 23.png)

**Figure 23: Exporting existing RA certificates**
3. Remove the existing RA certificates from the Local Machine certificate store to prepare for the new certificates.
  1. In the **Certificates**, go to**Local Computer**→ **Personal**→ **Certificates**.
  2. Find the **RA certificate** that you want to remove, right-click it and select **Delete**.
  3. Confirm the deletion when prompted to remove it from the certificate store.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 24.png)

**Figure 24: Deleting existing RA certificates**
4. Import the Fortanix key-based certificates, generated in the previous steps, into the Local Machine certificate store one by one.
  1. In the **Certificates**, navigate to **Local Computer** → **Personal**→ **Certificates**.
  2. Right-click **Certificates**to launch the **Certificate Import Wizard**and click **Install Certificate…** to browse to the location where you saved the **Fortanix key-based certificates** and upload the certificate.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 25.png)

**Figure 25: Select Fortanix certificate file for import**
  3. Click **OK**.
  4. On the next screen, select**Local Machine** for all certificates in your local machine.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 26.png)

**Figure 26: Select the system area for certificate import**
  5. Click **Next**.
  6. Select **Place all certificates in the following store** option and then browse and select **Personal**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 27.png)

**Figure 27: Select store for certificate import**
  7. Click **Next**and then **Finish**to complete the import process.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 28.png)

**Figure 28: Complete the certificate import wizard**

You should now see the new Fortanix certificates listed under **Personal**in the **Certificates**.
5. Once the certificates are imported, run the `repairstore` command to repair both certificates using their thumbprints:

```bash
PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certutil  -csp "Fortanix KMS CSP" -f -repairstore My c20e9e60730862a4cc5db8d4e9259f41d5ae376c
My "Personal"
================ Certificate 2 ================
Serial Number: 13000000bcef1e1c5aa57684680000000000bc
Issuer: CN=auftxtest-NDES-CA-CA, DC=auftxtest, DC=local
 NotBefore: 7/3/2025 9:57 AM
 NotAfter: 7/3/2027 9:57 AM
Subject: CN=NDES-Server-2-MSCEP-RA, C=US
Certificate Template Name (Certificate Type): EnrollmentAgentOffline
Non-root Certificate
Template: EnrollmentAgentOffline, Exchange Enrollment Agent (Offline request)
Cert Hash(sha1): c20e9e60730862a4cc5db8d4e9259f41d5ae376c
  Key Container = tq-EnrollmentAgentOffline-688cc5c-13503
  Provider = Fortanix KMS CSP
Private key is NOT exportable
Signature test passed
CertUtil: -repairstore command completed successfully.

PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> certutil  -csp "Fortanix KMS CSP" -f -repairstore My 73e38592a36ee226d62391b34db6ef45c871ab8e
My "Personal"
================ Certificate 9 ================
Serial Number: 13000000bb52f4d93fdce3eab00000000000bb
Issuer: CN=auftxtest-NDES-CA-CA, DC=auftxtest, DC=local
 NotBefore: 7/3/2025 9:57 AM
 NotAfter: 7/3/2027 9:57 AM
Subject: CN=NDES-Server-2-MSCEP-RA, C=US
Certificate Template Name (Certificate Type): CEPEncryption
Non-root Certificate
Template: CEPEncryption, CEP Encryption
Cert Hash(sha1): 73e38592a36ee226d62391b34db6ef45c871ab8e
  Key Container = tq-CEPEncryption-e7b6da73-2a69-48-29286
  Provider = Fortanix KMS CSP
Private key is NOT exportable
ERROR: Could not verify certificate public key against private key
CertUtil: -repairstore command completed successfully.
```
6. Ensure that the**key icon** is visible next to both certificates in the Local Machine certificate store, indicating that the private keys are correctly associated with the certificates.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 34.png)

**Figure 29: Verifying key association for new certificates**

### 7.3 Restarting the NDES

Perform the following steps to restart the NDES service and access the configured URL:

1. Run the following command with administrative privileges to restart the **IIS (Internet Information Services)**, which will restart the NDES service:

```bash
PS C:\Users\adminguy.AUFTXTEST\Downloads\NDES-Certs> iisreset
```
2. The command will first stop the internet services, then restart them.

The output may appear as follows:

```bash
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
```

This confirms that the NDES service has been restarted successfully.
3. After restarting the service, you can access the NDES UI using the configured URL in your web browser. Ensure that the URL is correctly set up in the NDES configuration to access the service through the web interface.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 29.png)

**Figure 30: Accessing NDES UI after restart**

## 8.0 Validate SCEP Workflow with Open-Source Tool

To validate the SCEP workflow, you must use an open-source SCEP tool from [GitHub - Certnanny/sscep](https://github.com/certnanny/sscep). This tool mimics the overall SCEP workflow by sending a certificate request to NDES for signing by the CA and retrieving the signed certificate for authentication within the domain.

This section describes the steps to build the tool locally, as detailed on the GitHub page. Once the tool is successfully built, perform the following steps to test the SCEP workflow.

### 8.1 Generating a Private Key and CSR Request Using OpenSSL

Run the following commands to generate a private key and CSR using OpenSSL:

```bash
openssl genrsa -out priv.key 4096
openssl.exe req -config scep.cnf -new -key priv.key -out test.csr
```

The following is the sample configuration file (`scep.cnf`) to use with OpenSSL:

```bash
# OpenSSL configuration file for use with OpenSCEP
HOME        = OPENSCEPDIR
RANDFILE    = $ENV::HOME/.rnd
DIR         = OPENSCEPDIR
oid_section = scep_oids

[ca]
default_ca  = OpenSCEP

[OpenSCEP]
dir         = OPENSCEPDIR
certs       = $dir/certs
crl_dir     = $dir/crl
database    = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate  = $dir/cacert.pem
private_key  = $dir/cakey.pem
serial      = $dir/serial
crl         = $dir/crl.pem
RANDFILE    = $dir/.rnd

x509_extensions = scep_cert
default_md      = sha1
default_days    = 1827
default_crl_days = 10

[scep_oids]
messageType=2.16.840.1.113733.1.9.2
pkiStatus=2.16.840.1.113733.1.9.3
failInfo=2.16.840.1.113733.1.9.4
senderNonce=2.16.840.1.113733.1.9.5
recipientNonce=2.16.840.1.113733.1.9.6
transId=2.16.840.1.113733.1.9.7
extensionReq=2.16.840.1.113733.1.9.8
proxyAuthenticator=1.3.6.1.4.1.4263.5.5

[scep_cert]
basicConstraints = CA:FALSE
nsComment       = "OpenSCEP certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 30.png)

**Figure 31: OpenSSL configuration for generating CSR**

> [!NOTE]
> NOTE
> 
> For the challenge password, provide the enrollment challenge password in the NDES service URL. For example, [https://servicename/certsrv/mscep_admin](https://servicename/certsrv/mscep_admin).

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 31.png)

**Figure 32: OpenSSL challenge password configuration**

### 8.2. Fetching the Fortanix-Based RA and CA Certificates

Run the following command to fetch the RA and CA certificates from the NDES service:

```bash
./sscep.exe getca -u http://<servicename>/certsrv/mscep/ -c ca.crt
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 32.png)

**Figure 33: Fetching Fortanix-based RA and CA certificates**

The command saves the fetched certificates using the names specified with the `-c` flag and appends an integer suffix:

- `ca.crt-0` refers to the Enrollment Agent RA Certificate.
- `ca.crt-1` refers to the CEP Encryption RA Certificate.
- `ca.crt-2` refers to the Certificate Authority Certificate.

### 8.3. Sending the Enrollment Request to NDES

Run the following command to send the enrollment request using the private key, CSR file, and CA certificates:

```bash
.\sscep.exe enroll -u http://<servicename>/certsrv/mscep/mscep.dll -k <private.key> -r <test.csr> -l <test.crt> -c <ca.crt>-0 -e <ca.crt>-1
```

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Figure 33.png)

**Figure 34: Sending Enrollment Request to NDES**

Where,

- `&lt;servicename&gt;`: Refers to the URL of the NDES service you want to send the enrollment request to, as copied in [*Section 6.0: Configure NDES Service with Fortanix KMS CSP Provider*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#60-configure-ndes-service-with-fortanix-kms-csp-provider).
- `&lt;private.key&gt;`: Refers to the private key file created in the[](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#71-regenerating-ra-certificates-with-keys-in-fortanix-dsm)[*Section 8.1: Generating a Private Key and CSR Request Using OpenSSL*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#81-generating-a-private-key-and-csr-request-using-openssl).
- `&lt;test.csr&gt;`: Refers to the certificate signing request (CSR) file generated in the [*Section 8.1: Generating a Private Key and CSR Request Using OpenSSL*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#81-generating-a-private-key-and-csr-request-using-openssl).
- `&lt;test.crt&gt;`: Refers to the file where the enrolled certificate will be saved after the enrollment process is complete as generated in the [*Section 8.3: Sending the Enrollment Request to NDES*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#83-sending-the-enrollment-request-to-ndes).
- `&lt;ca.crt&gt;-0`: Refers to the Enrollment Agent RA certificate, fetched from the NDES service in the [*Section 8.2: Fetching the Fortanix-Based RA and CA Certificates*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#82-fetching-the-fortanixbased-ra-and-ca-certificates).
- `&lt;ca.crt&gt;-1`: Refers to the CEP Encryption RA certificate, also fetched from the NDES service in the [*Section 8.2: Fetching the Fortanix-Based RA and CA Certificates*](/v1/docs/using-fortanix-data-security-manager-with-microsoft-network-device-enrollment-service#82-fetching-the-fortanixbased-ra-and-ca-certificates).

If the enrollment operation is completed successfully, you will receive the signed certificate (`test.crt`), which confirms that the SCEP integration is working as expected.

## 9.0 Troubleshooting NDES Service Errors

In case the NDES service is returning a **500**error, follow the steps below to check the logs:

1. **Event Viewer Logs**:

Navigate to **Windows**→ **Application Logs**in the **Event Viewer**to check for any errors related to NDES.
2. **Additional Logs**:

For more detailed logs, navigate to **Event Viewer**→ **Applications and Services**→ **Microsoft**→ **Windows**→ **CAPI2**to enable logging.
3. **Fortanix Logs**:

Check the **Fortanix logs**located in the `C:\Windows\System32\config\systemprofile\AppData\Roaming\Fortanix\KmsClient` directory.

Alternatively, for logs associated with a specific user, check in the `user appdata` folder at `C:\Users\&lt;username&gt;\AppData\Roaming\Fortanix` directory.