For general instructions on installing the Certificate Registration Point role, see SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune. If you run into some of the weirder, more obscure errors, this post might help.

Certificate Registration Point Installation

Given the lack of instructions on TechNet, Microsoft appears to assume you have already configured the server for PKI before you install a Certificate Registration Point. At the very least you will need to bind the Default Web Site on the site server to port 443 (HTTPS) and assign it a server certificate whose common name or subject alternative name is the FQDN of the server. As far as I can tell the absolute minimum you need is:

  • Server Authentication certificate with the common name set to the internal FQDN of the site server;
  • Client Authentication certificate with the common name set to the internal FQDN of the site server.

If you have the ability or inclination to combine these into a single certificate carrying both enhanced key usages, that is supported. It is important to note that Configuration Manager 2012 does not support Cryptography Next Generation (CNG) keys, which a Windows Certificate Authority issues from a Windows Server 2008 (version 3) template. Certificates must be issued from a Windows Server 2003 (version 2) template, which stores the key in a legacy Cryptographic Service Provider (CSP). Later Current Branch releases added CNG support for some certificate types, but that does not apply to the version discussed here. See PKI Certificate Requirements for Configuration Manager for more information.
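The following script is an added example and not part of the original post or of Configuration Manager. It checks every certificate in the site server's LocalMachine\My store against the prerequisites just listed (Server and Client Authentication EKUs, the FQDN in the CN or SAN, an accessible private key held by a legacy CSP rather than a CNG key storage provider) and then checks whether the certificate bound to port 443 is one that qualifies. It assumes Windows PowerShell 5.1 on the site server, that certutil.exe and netsh.exe are on the path, and that the HTTPS binding is the usual 0.0.0.0:443; `$Fqdn` defaults to this host's own FQDN and the function names are my own.

```powershell
# Added example, not from the original post: validate CRP certificate prerequisites
# on the site server. Assumes Windows PowerShell 5.1, certutil.exe and netsh.exe.
param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-PrivateKeyProvider {
    # certutil reports which provider holds the key; a "Key Storage Provider" is CNG,
    # anything else (for example "Microsoft RSA SChannel Cryptographic Provider") is a CSP.
    param([string]$Thumbprint)
    $out = & certutil.exe -store My $Thumbprint 2>$null
    foreach ($line in $out) {
        if ($line -match '^\s*Provider\s*=\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Test-CrpCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)

    # Enhanced Key Usage (OID 2.5.29.37): collect the EKU OIDs present.
    $ekus = @()
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    if ($ekuExt) {
        $typed = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
        $ekus = @($typed.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # Names the certificate is valid for: subject CN plus any SAN DNS names.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($sanExt) {
        $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }

    $provider = if ($Cert.HasPrivateKey) { Get-PrivateKeyProvider -Thumbprint $Cert.Thumbprint } else { $null }
    $isCng = ($null -ne $provider) -and ($provider -match 'Key Storage Provider')

    $serverAuth = $ekus -contains $ServerAuthOid
    $clientAuth = $ekus -contains $ClientAuthOid
    $nameMatches = $names -contains $Fqdn   # -contains is case-insensitive in PowerShell

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NameMatches   = $nameMatches
        ServerAuth    = $serverAuth
        ClientAuth    = $clientAuth
        HasPrivateKey = $Cert.HasPrivateKey
        Provider      = $provider
        IsCng         = $isCng
        # Usable for the CRP: right name, a private key the site server can open, not CNG,
        # and at least one of the two required EKUs.
        UsableForCrp  = ($nameMatches -and $Cert.HasPrivateKey -and -not $isCng -and ($serverAuth -or $clientAuth))
    }
}

function Get-Port443CertificateHash {
    # HTTP.SYS, not IIS, owns the TLS binding; netsh shows which certificate it presents.
    $out = & netsh.exe http show sslcert ipport=0.0.0.0:443 2>$null
    foreach ($line in $out) {
        if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { return $Matches[1].ToUpper() }
    }
    return $null
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-CrpCertificate -Cert $_ -Fqdn $Fqdn }
$results | Format-Table Thumbprint, NameMatches, ServerAuth, ClientAuth, HasPrivateKey, IsCng, UsableForCrp, Provider -AutoSize

$bound = Get-Port443CertificateHash
if (-not $bound) {
    Write-Warning 'No certificate is bound to 0.0.0.0:443; add an HTTPS binding to the Default Web Site first.'
} else {
    $match = $results | Where-Object { $_.Thumbprint -eq $bound }
    if ($match -and $match.UsableForCrp -and $match.ServerAuth) {
        "Port 443 presents $bound, which meets the CRP requirements."
    } else {
        Write-Warning "Port 443 presents $bound, which does not meet the CRP requirements (see the table above)."
    }
}
```

Run it in an elevated Windows PowerShell prompt on the site server. A certificate that shows `IsCng = True` is exactly the case that produces the `CryptAcquireCertificatePrivateKey` failure in Crpctrl.log: the site server's CSP-only code path cannot open a key that lives in a key storage provider, so re-issue from a version 2 template. If the HTTPS binding is on a specific IP or a hostname (SNI) rather than 0.0.0.0:443, adjust the `ipport=` argument, or run `netsh http show sslcert` without it and read the listing.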

According to a TechNet blog article, when a Certificate Registration Point is successfully configured, Crpctrl.log will contain an entry reporting status 0 (Online):

CRP's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)

When the certificate was in the wrong format (a CNG key instead of a CSP key), I was receiving the following errors in Crpctrl.log. Note that 0x80090014 is NTE_BAD_PROV_TYPE ("Invalid provider type specified"), the error a CSP-only caller gets when the certificate's private key lives in a CNG key storage provider, so the "doesn't have private key" message is misleading: the key exists, the site server just cannot open it.

Failed in  CryptAcquireCertificatePrivateKey(...): 0x80090014
There are no certificate(s) that meet the criteria.
Certificate [Thumbprint ] issued to 'server.internal' doesn't have private key or associated private key cannot be accessed.

Certificate Registration Fails

Even after successfully getting my Certificate Registration Point online, certificate requests were still not being processed by NDES. Mscep.log on the NDES server showed:

0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

This error can have a number of causes, but for me, changing the SSL Settings on the CMCertificateRegistration virtual directory on the primary site server to ignore client certificates worked. Bear in mind what that setting does: with client certificates set to Ignore, IIS no longer asks the NDES server for its certificate, so the CRP is not authenticating the NDES policy module by certificate on that channel at all. It is a quick way to confirm that the client-certificate negotiation is what is failing, but the proper fix is on the NDES side: check that the NDES server has a Client Authentication certificate from a CA the site server trusts, and put the setting back once requests flow.

[Screenshot: SSL Settings on CMCertificateRegistration]
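The following functions are an added example, not from the original post or from Configuration Manager, for reading and changing the client-certificate setting on the CMCertificateRegistration virtual directory from the command line instead of the IIS Manager dialog. They assume the WebAdministration module on the site server, the default site name "Default Web Site", and the default virtual directory name; the function names are my own.

```powershell
# Added example, not from the original post: inspect or change the SSL Settings of the
# CMCertificateRegistration virtual directory. Assumes the WebAdministration module.
Import-Module WebAdministration

$VDirPath = 'IIS:\Sites\Default Web Site\CMCertificateRegistration'

function Get-CrpSslSetting {
    # IIS stores the SSL Settings page as the sslFlags attribute of system.webServer/security/access:
    #   'Ssl'                                 -> Require SSL, client certificates: Ignore
    #   'Ssl,SslNegotiateCert'                -> Require SSL, client certificates: Accept
    #   'Ssl,SslNegotiateCert,SslRequireCert' -> Require SSL, client certificates: Require
    $flags = (Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $VDirPath).sslFlags
    $set = @(($flags -split ',') | ForEach-Object { $_.Trim() })
    $mode = if ($set -contains 'SslRequireCert')      { 'Require' }
            elseif ($set -contains 'SslNegotiateCert') { 'Accept' }
            else                                       { 'Ignore' }
    [pscustomobject]@{
        Path               = $VDirPath
        RequireSsl         = ($set -contains 'Ssl')
        ClientCertificates = $mode
        RawSslFlags        = $flags
    }
}

function Set-CrpClientCertMode {
    # Change only the client-certificate part; SSL itself stays required, as the CRP needs HTTPS.
    param([Parameter(Mandatory)][ValidateSet('Ignore', 'Accept', 'Require')][string]$Mode)
    $flags = switch ($Mode) {
        'Ignore'  { 'Ssl' }
        'Accept'  { 'Ssl,SslNegotiateCert' }
        'Require' { 'Ssl,SslNegotiateCert,SslRequireCert' }
    }
    Set-WebConfigurationProperty -Filter 'system.webServer/security/access' -PSPath $VDirPath -Name sslFlags -Value $flags
    Get-CrpSslSetting
}

# Show the current state; then, while troubleshooting the ERROR_ACCESS_DENIED in Mscep.log,
# temporarily drop the client-certificate check and restore it afterwards, e.g.:
#   Set-CrpClientCertMode -Mode Ignore
#   Set-CrpClientCertMode -Mode Accept
Get-CrpSslSetting
```

Record `RawSslFlags` before you change anything so you can restore the exact previous value. If switching to Ignore makes NDES requests succeed, the failure is in the client-certificate negotiation between the NDES server and the CRP, which points at the NDES server's Client Authentication certificate or its chain rather than at the CRP configuration.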