02-20-2013 10:11 AM
OK, so perhaps I'm being dense, but how can I deploy a user certificate to a device via BDS? With UDS you can manually add the certificate within the user settings and it will be sent OTA to the device, but all I see in the BDS docs are references to SCEP.
Is SCEP the only way to get a user certificate provisioned via BDS?
If SCEP is the only way, or even the recommended way, does anyone have any documentation that might shed more light on how to configure it with a Microsoft CA? I find the BDS and UDS docs to be extremely vague in this regard and I'm admittedly not as familiar with the subject as I should be.
02-20-2013 10:47 AM - edited 02-20-2013 10:50 AM
Depends what kind of profile you are trying to associate it to. If you are trying to use a user cert with an EAS profile you will need SCEP. Microsoft's implementation of SCEP is NDES, which is another role that is installed through the Server Manager in Windows. It can either be on your internal CA or on another host in your environment.
Microsoft has a good whitepaper that goes over setting it up: http://social.technet.microsoft.com/wiki/contents/
02-20-2013 11:06 AM
02-20-2013 11:24 AM
If it was a generic wifi certificate you could push it out to all your users through BDS by putting it in the certificates wifi folder in the BAS share.
It sounds like you need a different cert for every user, and that would require a SCEP profile attached to the Wi-Fi profile. One thing to note with BDS and SCEP is that the SCEP service must be configured for single password. It currently doesn't support a dynamic challenge key.
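The two replies above come down to a checklist on the NDES host: the role is installed, it points at templates the CA actually publishes, and (for BDS) the challenge password mode is single password rather than dynamic. The following PowerShell script is an added example written for this thread, not code from BlackBerry, Microsoft or any poster, that audits those settings on an NDES server and prints the SCEP capabilities the endpoint advertises. It assumes the documented NDES registry layout under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP (each setting in its own subkey with a value of the same name); the NDES URL is a placeholder you replace with your own.

```powershell
# Added example (not from the thread): audit an NDES (Microsoft SCEP) server
# for the settings discussed above. Run on the NDES host in an elevated shell.
# Assumption: NDES keeps its settings under the MSCEP key below, one subkey
# per setting. $NdesUrl is a placeholder host name, not a real server.
param(
    [string]$NdesUrl = 'https://ndes.example.internal/certsrv/mscep/mscep.dll'
)

$base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-MscepValue {
    param([string]$SubKey, [string]$Name)
    # Settings such as UseSinglePassword live in MSCEP\UseSinglePassword\UseSinglePassword;
    # template names live directly under MSCEP. Missing values are reported as $null.
    $path = if ($SubKey) { Join-Path $base $SubKey } else { $base }
    try { (Get-ItemProperty -Path $path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

if (-not (Test-Path $base)) {
    Write-Warning "MSCEP key not found: the NDES role does not appear to be installed on this host."
    return
}

$report = [ordered]@{
    UseSinglePassword      = Get-MscepValue 'UseSinglePassword' 'UseSinglePassword'
    EnforcePassword        = Get-MscepValue 'EnforcePassword'   'EnforcePassword'
    PasswordValidity       = Get-MscepValue 'PasswordValidity'  'PasswordValidity'  # lifetime of a dynamic challenge (minutes)
    PasswordMax            = Get-MscepValue 'PasswordMax'       'PasswordMax'       # how many dynamic challenges NDES caches
    EncryptionTemplate     = Get-MscepValue $null 'EncryptionTemplate'
    SignatureTemplate      = Get-MscepValue $null 'SignatureTemplate'
    GeneralPurposeTemplate = Get-MscepValue $null 'GeneralPurposeTemplate'
}

"NDES configuration on $env:COMPUTERNAME"
$report.GetEnumerator() | ForEach-Object { "  {0,-24} {1}" -f $_.Key, $_.Value }

# --- Checks that matter for BDS and for the security of the enrollment point ---
if ($report.EnforcePassword -eq 0) {
    # With no challenge at all, anything that can reach mscep.dll can obtain a certificate.
    Write-Warning "EnforcePassword = 0: NDES issues certificates without any challenge password."
}
elseif ($report.UseSinglePassword -eq 1) {
    # This is the mode the thread says BDS needs. The one static challenge is shared by
    # every enrollment, so treat it as a credential: limit who can read mscep_admin and rotate it.
    "  [ok] Single-password mode: compatible with BDS SCEP profiles."
}
else {
    # Dynamic challenges (the NDES default) are issued per enrollment from mscep_admin;
    # the thread notes BDS cannot consume them.
    Write-Warning "Dynamic challenge mode: BDS SCEP profiles will fail. Set UseSinglePassword = 1 if BDS is the only client."
}

# The templates named here must be published on the issuing CA and the NDES service
# account must hold Enroll on them; an empty value means NDES falls back to its default (IPSECIntermediateOffline).
foreach ($t in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
    if ([string]::IsNullOrEmpty($report[$t])) { Write-Warning "$t is not set; NDES will use its default template." }
}

# --- What the endpoint tells clients it supports (standard SCEP GetCACaps operation) ---
try {
    $caps = Invoke-WebRequest -Uri "$NdesUrl?operation=GetCACaps" -UseBasicParsing -ErrorAction Stop
    "SCEP capabilities advertised by $NdesUrl`:"
    $caps.Content -split "`r?`n" | Where-Object { $_ } | ForEach-Object { "  $_" }
}
catch {
    Write-Warning "Could not query GetCACaps at ${NdesUrl}: $($_.Exception.Message)"
}
```

Run it once after installing the NDES role and again after changing the registry (NDES reads these values at application-pool start, so recycle the SCEP application pool in IIS or restart IIS before re-checking). If the GetCACaps call fails while the registry looks right, the problem is usually the IIS side (authentication on the mscep virtual directory or a certificate/binding issue on the site), not the SCEP settings.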
03-26-2013 04:20 PM
As a follow-on to this, do we need a PKI service from a third-party CA to do this? I've contacted a lot of CAs and they don't seem to understand what I'm asking for.
03-27-2013 11:48 AM
You may use Microsoft CA and install NDES on it. See details in link below...