Wiki source code of RangeeOS - Mit SCEP ein Computer-Benutzerzertifikat beziehen (Obtaining a computer or user certificate via SCEP)
Last modified by Tobias Wintrich on 2026/02/09 12:37
The following guide describes how to configure a client with RangeeOS so that it requests a certificate from a certificate server via SCEP (Simple Certificate Enrollment Protocol).

{{info}}
==== Last successfully tested with: ====

**Client versions:**

firmware x64 - 13.00 build 073

**Server versions:**

Windows Server 2019 with Active Directory Certificate Services
{{/info}}

Certificates issued via **SCEP** can be used, for example, for authentication against a WLAN RADIUS server or in an 802.1X network.

The rest of this guide covers the client-side configuration. The values shown may differ depending on your certificate infrastructure.
== Strong Certificate Binding ==

Since February 2025, all computer certificates that authenticate against a Windows Network Policy Server must meet the requirements for Strong Certificate Binding (source: [[Microsoft>>https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16]]). Until September 2025, enforcement can still be postponed by setting the following registry key on the domain controllers (the KDC performs the certificate-to-account mapping, so the key has no effect on the NPS itself). The value 1 selects Compatibility mode; 2 selects Full Enforcement mode. After the September 2025 Windows updates the key is no longer honored and Full Enforcement applies unconditionally:

{{{Key: HKLM:\SYSTEM\CurrentControlSet\Services\Kdc
Name: StrongCertificateBindingEnforcement
Type: DWORD
Value: 1}}}
In summary, the following requirements must be met:

* The computer to which the certificate belongs must be a member of the domain.
* The certificate must contain the extension **1.3.6.1.4.1.311.25.2** (the SID extension introduced with KB5014754). The **ObjectSID** of the computer account must be encoded in it.
* The **ObjectSID** must belong to the same computer account that the hostname selected for the certificate identifies. If the SID in the extension and the DNS name resolve to different accounts, authentication fails.

Microsoft also accepts an explicit strong mapping in the computer account's **altSecurityIdentities** attribute (X509IssuerSerialNumber, X509SKI or X509SHA1PublicKey) as an alternative to the extension; this guide uses the extension.

To meet these requirements under RangeeOS, you can join your devices to your domain via **Active Directory → Workstation Login**. If a client is a member of the domain, the option **“Set computer SID as Subject Alternative Name”** is unlocked in the **SCEP** configuration. A subsequently requested certificate will then contain the new extension.

{{info}}
The option **Set computer SID as Subject Alternative Name** is only available starting with firmware x64 13.00 build 073.
{{/info}}

(% class="wikigeneratedid" %)
[[image:scep01.png||height="515" width="400"]]

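To check an issued certificate against the requirements above before it is used for 802.1X, the following script decodes the SID extension. It is an added example and not RangeeOS or Microsoft code; it uses only the Python standard library and assumes the DER layout that AD CS writes into the extension value, SEQUENCE { [0] { OID 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING "S-1-5-21-..." } } }. The SID values and the file name in the usage line are constructed placeholders.

```python
"""Decode the Strong Certificate Binding SID extension (OID 1.3.6.1.4.1.311.25.2).

Standard-library only. Assumed DER layout of the extension value, as AD CS writes it:
  SEQUENCE { [0] { OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING "S-1-5-21-..." } } }
All SIDs and file names used here are constructed placeholders.
"""
import base64
import re
import sys
from typing import Optional

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"    # the extension itself
SID_OBJ_OID = "1.3.6.1.4.1.311.25.2.1"  # szOID_NTDS_OBJECTSID inside it


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_sid_extension(sid: str) -> bytes:
    """Build the extension value (contents of extnValue) carrying a domain account SID."""
    if not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
        raise ValueError("expected a domain account SID like S-1-5-21-a-b-c-rid")
    sid_part = tlv(0xA0, tlv(0x04, sid.encode("ascii")))
    return tlv(0x30, tlv(0xA0, encode_oid(SID_OBJ_OID) + sid_part))


def decode_sid_extension(extn_value: bytes) -> str:
    """Walk the assumed layout and return the SID; raise on any deviation."""
    tag, seq, _ = read_tlv(extn_value)
    if tag != 0x30:
        raise ValueError("extension value is not a SEQUENCE")
    tag, ctx0, _ = read_tlv(seq)
    if tag != 0xA0:
        raise ValueError("missing outer [0] wrapper")
    tag, oid_body, pos = read_tlv(ctx0)
    if tag != 0x06 or tlv(0x06, oid_body) != encode_oid(SID_OBJ_OID):
        raise ValueError("inner OID is not szOID_NTDS_OBJECTSID")
    tag, ctx1, _ = read_tlv(ctx0, pos)
    if tag != 0xA0:
        raise ValueError("missing inner [0] wrapper")
    tag, sid, _ = read_tlv(ctx1)
    if tag != 0x04:
        raise ValueError("SID is not an OCTET STRING")
    return sid.decode("ascii")


def find_sid_in_certificate(cert_der: bytes) -> Optional[str]:
    """Locate Extension { extnID, critical OPTIONAL, extnValue } for the SID OID in a DER cert.

    Searching for the encoded extnID is sufficient in practice: the 11-byte OID TLV is
    unlikely to occur elsewhere, and the inner OID has a different length byte.
    """
    marker = encode_oid(SID_EXT_OID)
    idx = cert_der.find(marker)
    if idx < 0:
        return None
    tag, content, pos = read_tlv(cert_der, idx + len(marker))
    if tag == 0x01:  # optional 'critical' BOOLEAN; the SID extension is normally non-critical
        tag, content, pos = read_tlv(cert_der, pos)
    if tag != 0x04:
        raise ValueError("malformed Extension after the SID extension OID")
    return decode_sid_extension(content)


def check_binding(cert_der: bytes, expected_sid: str) -> bool:
    """True when the certificate carries the SID extension with exactly the expected SID."""
    return find_sid_in_certificate(cert_der) == expected_sid


def sample_extension_record(sid: str) -> bytes:
    """Constructed test data: one Extension SEQUENCE as it appears in a certificate."""
    return tlv(0x30, encode_oid(SID_EXT_OID) + tlv(0x04, encode_sid_extension(sid)))


def load_certificate(path: str) -> bytes:
    """Read a DER (.cer) or PEM certificate file into DER bytes."""
    data = open(path, "rb").read()
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(pem.group(1)) if pem else data


if __name__ == "__main__":
    # usage: python3 check_sid.py computer.cer [S-1-5-21-...]   (file name is a placeholder)
    cert = load_certificate(sys.argv[1])
    found = find_sid_in_certificate(cert)
    print("SID extension:", found or "missing - certificate does not satisfy Strong Certificate Binding")
    if found and len(sys.argv) > 2:
        print("matches computer account SID:", check_binding(cert, sys.argv[2]))
```

Run it against the certificate exported from the client (DER .cer or PEM) and pass the SID reported by Get-ADComputer for the hostname used in the request (its **SID** property) as the second argument. A result of False means the SID in the extension belongs to a different account than the DNS name, which is exactly the mismatch that Full Enforcement mode rejects.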
== Configuration ==

The **SCEP** configuration is located in the **Kommbox** of **RangeeOS** under **System** (formerly **Tools**) → **SCEP**:

* **Enable SCEP:** must be enabled
* **SCEP Server URL:** http:~/~/FQDN/certsrv/mscep/mscep.dll (the NDES enrollment endpoint)
* **SCEP Server Password:** the one-time challenge password for the request. With MSCEP/NDES the client can obtain it automatically from the admin page using the admin credentials below; with manual configuration, the challenge password is entered here.
* **SCEP Server Admin URL:** http:~/~/FQDN/certsrv/mscep_admin/
* **SCEP Server Admin Username:** Domain\User with permission to request a certificate. You can test the account by opening http:~/~/FQDN/certsrv/mscep_admin/ in a browser: a username and password prompt appears, and after a successful login the page shows a challenge password.
* **SCEP Server Admin Password:** the password for the SCEP server admin account
* **Certificate type:** selects whether the certificate is issued for a user or a computer.
* **User certificate:**
** If no username and/or no domain is specified for the certificate, the SCEP server admin username and domain are used.
* **Computer certificate:**
** **DNS name for certificate:** a hostname for the client can be entered manually here.
** **Automatically determine DNS name:** uses either the FQDN or the short hostname of the client for the certificate request.
** **Set computer SID as Subject Alternative Name:** requires domain membership of the RangeeOS client. This option is necessary to include the ObjectSID of the computer account in the certificate (see the section on Strong Certificate Binding). The SID must belong to the same computer account as the DNS name used in the request.
* **Automatic certificate update:** specifies how often the certificate is renewed
* **Force update now:** if enabled, a certificate is requested immediately when the settings are applied, so you can check in the log right away whether the request succeeded.
* **Do not apply TCMS settings:** controls whether the settings are distributed by the TCMS. For this to work, the option must also be enabled in the group configuration.

Both URLs are shown with http:~/~/ as used in the test environment. If the NDES site has a server certificate, prefer https:~/~/: the admin page transmits the domain credentials and the challenge password, and the SCEP endpoint delivers the CA certificate that the client will trust.

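Before entering the two URLs it is worth confirming that the **SCEP Server URL** really answers as a SCEP endpoint and that the admin page is protected. The following added example (not RangeeOS or Microsoft code; Python standard library only) sends the GetCACaps and GetCACert operations from RFC 8894 to the enrollment URL and reports which hash and cipher capabilities the CA advertises; it also checks that an anonymous request to the admin URL is rejected with HTTP 401. The host dc2019.windows.local is the page's test server, and the response lines in the comments are constructed.

```python
"""Probe an NDES/SCEP endpoint with the GetCACaps and GetCACert operations (RFC 8894).

Standard-library only. BASE_URL and ADMIN_URL use the page's test server; replace them
with your own "SCEP Server URL" and "SCEP Server Admin URL". A constructed GetCACaps
response looks like:  "AES\nPOSTPKIOperation\nSHA-256\nSHA-1\nRenewal\n"
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://dc2019.windows.local/certsrv/mscep/mscep.dll"
ADMIN_URL = "http://dc2019.windows.local/certsrv/mscep_admin/"

# Capability keywords defined in RFC 8894, section 3.5.2.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}


def scep_url(base_url: str, operation: str, message: str = "") -> str:
    """SCEP GET operations are plain query parameters on the enrollment URL."""
    params = {"operation": operation}
    if message:
        params["message"] = message
    return base_url + "?" + urllib.parse.urlencode(params)


def parse_cacaps(body: str) -> set:
    """GetCACaps returns one keyword per line; unknown lines are ignored."""
    return {line.strip() for line in body.splitlines() if line.strip() in KNOWN_CAPS}


def assess_caps(caps: set) -> dict:
    """What the client can negotiate: the CA should advertise SHA-256 and AES so the
    client does not fall back to the SHA-1 and DES defaults of the original protocol."""
    strong_hash = bool(caps & {"SHA-256", "SHA-512"})
    strong_cipher = "AES" in caps
    return {
        "strong_hash": strong_hash,
        "strong_cipher": strong_cipher,
        "post_pkioperation": "POSTPKIOperation" in caps,
        "renewal": "Renewal" in caps,
        "legacy_only": not (strong_hash or strong_cipher),
    }


def fetch(url: str, timeout: float = 10.0) -> bytes:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def admin_page_requires_auth(admin_url: str) -> bool:
    """The mscep_admin page must reject anonymous access (HTTP 401, Windows authentication)."""
    try:
        fetch(admin_url)
    except urllib.error.HTTPError as err:
        return err.code == 401
    return False


def probe(base_url: str) -> dict:
    """Query the endpoint and return the capability assessment plus raw findings."""
    caps = parse_cacaps(fetch(scep_url(base_url, "GetCACaps")).decode("ascii", "replace"))
    ca_bundle = fetch(scep_url(base_url, "GetCACert"))  # CA (and RA) certificates, DER or PKCS#7
    report = assess_caps(caps)
    report["caps"] = sorted(caps)
    report["ca_cert_bytes"] = len(ca_bundle)
    return report


if __name__ == "__main__":
    # usage: python3 probe_scep.py [scep_url] [admin_url]   (script name is a placeholder)
    base = sys.argv[1] if len(sys.argv) > 1 else BASE_URL
    admin = sys.argv[2] if len(sys.argv) > 2 else ADMIN_URL
    for key, value in probe(base).items():
        print(f"{key}: {value}")
    print("admin page requires authentication:", admin_page_requires_auth(admin))
```

If the report shows legacy_only: True, the server only advertises SHA-1/DES and the client will negotiate those; adjust the NDES configuration before looking for the cause in the client log. A GetCACert response of zero bytes or an HTTP error means the URL is not the enrollment endpoint at all.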
**Example configuration** for a certificate server with the hostname dc2019.windows.local in our test environment:

[[image:1752130525822-903.png]]