SCEP Requests appending pkiclient.exe to mscep.dll requests?

jbulloch · ‎08-16-2022

Good morning/day,

Attempting to deploy SCEP, using a url.. ""https://<ca>/certsrv/mscep/mscep.dll".

It fails HTTP under debug, https://<ca>/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=<Trustpoint>"?

Where is the pkiclient.exe appended from? We are using for CA, Microsoft IIS. Under cgi-bin we do not have a pkiclient.exe.

Under cisco url (Simple Certificate Enrollment Protocol Overview - Cisco) It notes:

"

Requests are sent with an HTTP GET of the form :

GET CGI-path/pkiclient.exe?operation=operation&message=message HTTP/version

Where:

CGI-path is dependent on the server and points to the Common Gateway Interface (CGI) program that handles SCEP requests:
- Cisco IOS® CA uses an empty path string.
- Microsoft CA uses /certsrv/mscep/mscep.dll, which points to the MSCEP/ Network Device Enrollment Service (NDES) IIS service."

Do i need to have the pkiclient.exe also under cgi-bin? If anyone knows, it would be helpful.

Thank you.

Jimmywick · ‎08-16-2022

Before you can configure a network to obtain a client authentication certificate using SCEP, you must first define an Enrollment Network, which is the network (wired or wireless) over which the sensor will initially contact the SCEP server. You can create an Enrollment Network by going to Settings -> Networks and select Add. The Enrollment Network should not require a proxy.

After you have created an Enrollment Network, you can now create a network for the sensor to obtain client authentication certificates using SCEP by going to Settings -> Networks and select Add.