Wiki source code of RangeeOS - Mit SCEP ein Computer-Benutzerzertifikat beziehen
Last modified by Tobias Wintrich on 2026/02/09 12:37
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | The following guide describes how to configure a client with RangeeOS so that it requests a certificate from a certificate server via SCEP (Simple Certificate Enrollment Protocol). | ||
| 2 | |||
| 3 | {{info}} | ||
| 4 | ==== Last successfully tested with: ==== | ||
| 5 | |||
| 6 | **Client versions:** | ||
| 7 | |||
| 8 | firmware x64 - 13.00 build 073 | ||
| 9 | |||
| 10 | **Server versions:** | ||
| 11 | |||
| 12 | Windows Server 2019 with Active Directory Certificate Services | ||
| 13 | {{/info}} | ||
| 14 | |||
| 15 | Certificates issued via **SCEP** can be used, for example, for authentication against a WLAN RADIUS server or in an 802.1X network. | ||
| 16 | |||
| 17 | The following guide describes the configuration of the client. The specified values may vary depending on the certificate infrastructure. | ||
| 18 | |||
| 19 | == Strong Certificate Binding == | ||
| 20 | |||
| 21 | Since February 2025, all computer certificates that authenticate against a Windows Network Policy Server must meet the requirements for Strong Certificate Binding (source: [[Microsoft>>https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16]]). Until September 2025, enforcement of this requirement can still be postponed by setting the following registry key: | ||
| 22 | |||
| 23 | {{{Key: HKLM:\SYSTEM\CurrentControlSet\Services\Kdc | ||
| 24 | Name: StrongCertificateBindingEnforcement | ||
| 25 | Type: DWORD | ||
| 26 | Value: 1}}} | ||
| 27 | |||
| 28 | In summary, the following requirements must be met: | ||
| 29 | |||
| 30 | * The computer to which the certificate belongs must be a member of the domain. | ||
| 31 | * The certificate must contain the extension **1.3.6.1.4.1.311.25.2**. The **ObjectSID** of the computer account must be encoded in it. | ||
| 32 | * The **ObjectSID** must match the hostname selected for the certificate. | ||
| 33 | |||
| 34 | To meet these requirements under RangeeOS, you can join your devices to your domain via **Active Directory → Workstation Login**. If a client is a member of the domain, the option **“Set computer SID as Subject Alternative Name”** is unlocked in the **SCEP** configuration. A subsequently requested certificate will then contain the new extension. | ||
| 35 | |||
| 36 | {{info}} | ||
| 37 | The option **Set computer SID as Subject Alternative Name** is only available starting with firmware x64 13.00 build 073. | ||
| 38 | {{/info}} | ||
| 39 | |||
| 40 | (% class="wikigeneratedid" %) | ||
| 41 | [[image:scep01.png||height="515" width="400"]] | ||
| 42 | |||
| 43 | == Configuration == | ||
| 44 | |||
| 45 | The **SCEP** configuration is located in the **Kommbox** of **RangeeOS** under **System** (formerly **Tools**) → **SCEP**: | ||
| 46 | |||
| 47 | * **Enable SCEP:** must be enabled | ||
| 48 | * **SCEP Server URL:** http:~/~/FQDN/certsrv/mscep/mscep.dll | ||
| 49 | * **SCEP Server Password:** Via MSCEP, the password can be determined automatically by providing authorized credentials; with manual configuration, the SCEP server password is requested. | ||
| 50 | * **SCEP Server Admin URL:** http:~/~/FQDN/certsrv/mscep_admin/ | ||
| 51 | * **SCEP Server Admin Username:** Domain\User who has the appropriate permissions to request a certificate. This can be tested at the URL http:~/~/FQDN/certsrv/mscep_admin/ – a username and password prompt will appear there. | ||
| 52 | * **SCEP Server Admin Password:** the password for the SCEP server admin | ||
| 53 | * **Certificate type:** Selection of whether the certificate is issued for a user or a computer. | ||
| 54 | * **User certificate:** | ||
| 55 | ** If no username and/or no domain is specified for the certificate, the SCEP server admin username and domain are used. | ||
| 56 | * **Computer certificate:** | ||
| 57 | ** **DNS name for certificate:** A manual hostname for the client can be entered here. | ||
| 58 | ** **Automatically determine DNS name:** Option to use either the FQDN or the hostname of the client for the certificate request. | ||
| 59 | ** **Set computer SID as Subject Alternative Name:** Requires domain membership of the RangeeOS. This option is necessary to include the ObjectSID of the computer account as a Subject Alternative Name in the certificate (see section on Strong Certificate Binding). | ||
| 60 | * **Automatic certificate update:** Specifies how often the certificate is renewed | ||
| 61 | * **Force update now:** If enabled, a certificate is requested immediately when applying the settings. This allows you to check directly in the log whether the request was successful. | ||
| 62 | * **Do not apply TCMS settings:** Indicates whether the settings are distributed by the TCMS. This option must be enabled in the group configuration for it to work. | ||
| 63 | |||
| 64 | **Example configuration** for a certificate server with the hostname dc2019.windows.local in our test environment: | ||
| 65 | |||
| 66 | |||
| 67 | [[image:1752130525822-903.png]] |