RangeeOS - Obtaining a Computer or User Certificate via SCEP
The following guide describes how to configure a client with RangeeOS so that it requests a certificate from a certificate server via SCEP (Simple Certificate Enrollment Protocol).
Certificates issued via SCEP can be used, for example, for authentication against a WLAN RADIUS server or in an 802.1X network.
This guide covers only the client configuration. The values shown may vary depending on the certificate infrastructure.
Strong Certificate Binding
Since February 2025, all computer certificates that authenticate against a Windows Network Policy Server must meet the requirements for Strong Certificate Binding (source: Microsoft). Until September 2025, enforcement of this requirement can still be postponed by setting the following registry key:
- Key: HKLM:\SYSTEM\CurrentControlSet\Services\Kdc
- Name: StrongCertificateBindingEnforcement
- Type: DWORD
- Value: 1
In summary, the following requirements must be met:
- The computer to which the certificate belongs must be a member of the domain.
- The certificate must contain the extension 1.3.6.1.4.1.311.25.2. The ObjectSID of the computer account must be encoded in it.
- The ObjectSID must match the hostname selected for the certificate.
To meet these requirements under RangeeOS, you can join your devices to your domain via Active Directory → Workstation Login. If a client is a member of the domain, the option “Set computer SID as Subject Alternative Name” is unlocked in the SCEP configuration. A subsequently requested certificate will then contain the new extension.
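A certificate issued this way can be checked for the extension before it is used against the Network Policy Server. The following is an added example, not part of the Rangee documentation or product: a standard-library Python check that locates extension 1.3.6.1.4.1.311.25.2 in DER-encoded bytes and compares the encoded SID with the expected ObjectSID. The function names, the sample SID and the sample bytes are constructed for illustration; the layout assumed is an otherName of type 1.3.6.1.4.1.311.25.2.1 carrying the SID as an ASCII octet string.

```python
SID_EXT_OID = bytes.fromhex("2b0601040182371902")       # 1.3.6.1.4.1.311.25.2
SID_NAME_OID = bytes.fromhex("2b060104018237190201")    # 1.3.6.1.4.1.311.25.2.1

def children(buf):                 # split DER bytes into (tag, value) elements
    pos, out = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:          # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def find_extension(der, oid=SID_EXT_OID):
    """Depth-first search for an Extension whose extnID is `oid`; returns extnValue or None."""
    kids = children(der)
    if len(kids) >= 2 and kids[0] == (0x06, oid) and kids[-1][0] == 0x04:
        return kids[-1][1]
    for tag, val in kids:
        found = find_extension(val, oid) if tag & 0x20 else None   # constructed types only
        if found is not None:
            return found
    return None

def sid_from_extension(extn_value):
    """SEQUENCE { [0] { OID ...25.2.1, [0] { OCTET STRING sid } } } -> SID string or None."""
    for tag, val in children(children(extn_value)[0][1]):
        parts = children(val) if tag == 0xA0 else []
        if len(parts) == 2 and parts[0] == (0x06, SID_NAME_OID) and parts[1][0] == 0xA0:
            inner = children(parts[1][1])
            if inner and inner[0][0] == 0x04:
                return inner[0][1].decode("ascii")
    return None

def check_strong_binding(cert_der, expected_sid):
    extn = find_extension(cert_der)
    if extn is None:
        return "missing extension 1.3.6.1.4.1.311.25.2"
    sid = sid_from_extension(extn)
    return "ok" if sid == expected_sid else f"SID mismatch: {sid}"

def tlv(tag, body):                # encoder for the constructed sample (short lengths only)
    return bytes([tag, len(body)]) + body
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # constructed, not a real SID
_name = tlv(0xA0, tlv(0x06, SID_NAME_OID) + tlv(0xA0, tlv(0x04, SAMPLE_SID.encode())))
SAMPLE = tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, SID_EXT_OID) + tlv(0x04, tlv(0x30, _name)))))
```

`SAMPLE` is only a fragment shaped like a certificate's extensions field; the same walk applies to a complete DER-encoded certificate, while a PEM file has to be base64-decoded first.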

Configuration
The SCEP configuration is located in the Kommbox of RangeeOS under System (formerly Tools) → SCEP:
- Enable SCEP: must be enabled
- SCEP Server URL: http://FQDN/certsrv/mscep/mscep.dll
- SCEP Server Password: Via MSCEP, the password can be determined automatically by providing authorized credentials; with manual configuration, the SCEP server password is requested.
- SCEP Server Admin URL: http://FQDN/certsrv/mscep_admin/
- SCEP Server Admin Username: A Domain\User account that has the appropriate permissions to request a certificate. This can be tested at the URL http://FQDN/certsrv/mscep_admin/ – a username and password prompt will appear there.
- SCEP Server Admin Password: the password for the SCEP server admin
- Certificate type: Selects whether the certificate is issued for a user or a computer.
  - User certificate:
    - If no username and/or no domain is specified for the certificate, the SCEP server admin username and domain are used.
  - Computer certificate:
    - DNS name for certificate: A manual hostname for the client can be entered here.
    - Automatically determine DNS name: Option to use either the FQDN or the hostname of the client for the certificate request.
    - Set computer SID as Subject Alternative Name: Requires the RangeeOS client to be a member of the domain. This option is necessary to include the ObjectSID of the computer account as a Subject Alternative Name in the certificate (see the section on Strong Certificate Binding).
- Automatic certificate update: Specifies how often the certificate is renewed.
- Force update now: If enabled, a certificate is requested immediately when applying the settings. This allows you to check directly in the log whether the request was successful.
- Do not apply TCMS settings: Indicates whether the settings are distributed by the TCMS. This option must be enabled in the group configuration for it to work.
Example configuration for a certificate server with the hostname dc2019.windows.local in our test environment:
