How to verify SCEP profile settings and NDES configuration requirements for BlackBerry Device Service.

Article ID: KB34857

Type: Support Content

Last Modified: 08-18-2014

 

Product(s) Affected:

  • Porsche Design P'9982 Smartphone from BlackBerry
  • Z30
  • Z10
  • Q10
  • Q5
  • BlackBerry Enterprise Service 10
CollapseEnvironment
  • BlackBerry Device Service
CollapseOverview

When configuring a Simple Certificate Enrollment Protocol (SCEP) profile settings within the BlackBerry Device Service console, it is recommended to review that the following settings have been set correctly for a successful enrollment with the BlackBerry 10 smartphone.

SCEP profiles can be assigned to an Email Profile, Wi-Fi Profile and VPN Profile. Commonly, the certificate distributed using the SCEP Protocol is used for authentication purposes without the requirement of entering a username and password or for an additional layer of security on top of their existing credential requirements.

SCEP is the protocol designed in issuing and revoking certificates, Network Device Enrollment Service (NDES) is the service implemented in Microsoft’s Server software to deploy certificates to smartphones in the environment.

If a certificate is manually imported into a BlackBerry 10 smartphone using the steps in KB26515, the certificate cannot be associated with an Email Profile and cannot be used for authentication purposes. An SCEP profile must be configured and associated to the Email Profile for certificate authentication to work correctly.

CollapseAdditional Information

Verification of the information required for the SCEP profile can be done using the following tasks:

  1. Confirm the NDES and SCEP URL for enrollment of BlackBerry 10 smartphones.
  2. Confirm the Certificate Thumbprint is set to the correct value.
  3. Confirm the key algorithm, RSA strength, and hash function matches the certificate being issued.
  4. Find the certification authority challenge password.
  5. Confirm if the Single Password registry key change has been set.
  6. Confirm the correct Certification Authority Identifier value.

 
Task 1

Confirm the NDES and SCEP URL for enrollment of BlackBerry 10 smartphones.
 
Note: The URL for NDES must follow the format http://<FQDN of NDES Server>/certsrv/mscep/mscep.dll
 
This page must be accessible by the web browser on the BlackBerry Enterprise Service 10 server. Verify this by entering the example URL above with the correct FQDN of the server hosting the NDES server. The page will load with the text:
 
Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). This URL is used by network devices to submit certificate requests.
 
Note: If the URL is set to the administration page (http://<FQDN of NDES Server>/certsrv/mscep_admin), for enrollment of BlackBerry 10 smartphones, it will not work.

 
Task 2

Confirm the Certificate Thumbprint is set to the correct value.

Open the NDES Administration page using the example URL to verify the Certificate Thumbprint which will be shown on the page:

http://<FQDN of NDES Server>/certsrv/mscep_admin

 
Task 3

Confirm the key algorithm, RSA strength, and hash function matches the certificate being issued.

  1. Open the Certificate MMC on the NDES server.
  2. Select Computer account, click Next. Select Local Computer, then Finish.
  3. Click OK and expand the Personal folder > Certificates.
  4. Find the certificate that is using the CEP Encryption template in the Certificate Template column.
  5. Double click the certificate that matches the CEP Encryption template and select the Details tab.
  6. To confirm the key algorithm, select the Signature Algorithm field and use the value specified in the SCEP profile settings. For example, if the value says sha1RSA, select RSA from the drop-down list in the profile.
  7. For the Hash Function field in the SCEP profile, use the value in the Signature hash algorithm field.
  8. Select the Public key field on the list and verify the RSA strength (usually 1024 or 2048).
  9. Ensure this value matches what is used in the SCEP profile settings for RSA Strength.
  10. Confirm all fields are correctly entered on the SCEP profile and select Save all.

 
Task 4

Find the certification authority challenge password.

This password is acquired by accessing http://<FQDN of NDES Server>/certsrv/mscep_admin and is used within the SCEP Profile. 

Note: BlackBerry Device Service does not support challenge password expiry. If This password can be used only once and will expire within 60 minutes. is shown on this page, the registry key must be modified as outlined in step 5.

 
Task 5

Confirm if the Single Password registry key change has been set.

This registry key must be set to stop the challenge password from expiring. If this registry key is not set, the profile will not push to the device if the challenge password does not match the value on the NDES server. By default it will be set for 60 minutes, however, it must be set to never change or expire.

To enable this feature, create the following registry entry:

Warning: System/database changes could potentially result in irreparable damage. Prior to making any system/database changes it is recommended that you perform a system/database backup.

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword
Name: UseSinglePassword
Type: REG_DWORD
Decimal Value: 1

The above steps are in reference to Microsoft Support article 959193.

Note: The hotfix is not required if NDES is on Server 2008 SP2 or 2008 R2.

 
Task 6

Confirm the correct Certification Authority Identifier value.

This field should always be set even though the value is optional in the profile. The identifier is typically the name of the Certificate Authority or the local server hosting the Certificate Authority in the environment. Verification of the Certificate Authority Identifier can be done using these steps on the server that hosts NDES:

  1. Click Start > Run
  2. Type MMC and click OK.
  3. Click File Add/Remove Snap-in...
  4. Select Certificates and click Add.
  5. Select the Computer account option and click Next.
  6. Select Local computer and click Finish.
  7. Expand Certificates (Local Computer) > Personal > Certificates.
  8. Verify and select one of the certificates on the screen where the Intended Purposes column lists Certificate Request Agent
  9. Make note of the Issued To column of the certificate (for example, NAME-MSCEP-RA). Use this value in the Certificate Authority Identifier field in the SCEP profile.

Alternatively, verify the Certificate Authority Identifier by accessing http://<CA FQDN>/certsrv and checking the name followed by Microsoft Active Directory Certificate Services –, in the green ribbon.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.