
We have an application that currently runs on Server 2008 R2 across the board, and we are looking to upgrade all servers to 2012 R2 (this is the latest OS that is compatible with the application).

We have a single domain controller that also acts as the Certification Authority server. The CA has NDES installed, which provides us with a challenge password that we use for certain devices to pull certificates to communicate with the application.

I have a workflow to migrate the DC and also the CA, which seems to work fine. However, once I've migrated the CA I have to install the NDES role separately on the new server, which in turn gives me a different challenge password (FYI, the thumbprint for the CA cert remains the same).

This makes sense as it is a completely new install of NDES, so this must be by design.

It would be useful to be able to retain the same challenge password post migration, as we would then not have to go to each device and enter the new PW. Is this possible?

Andy_Kears

1 Answer


TL;DR: Yes, run the script below.

NDES stores the challenge password in the HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword key. It is stored using reversible encryption, which is why you can see the challenge password when you visit the website. Microsoft uses DPAPI to encrypt/decrypt this key, which means that it is tied to the service account NDES runs under. You can use the CryptProtectData and CryptUnprotectData API calls to read/write the SCEP password. Microsoft makes this easy for us as they expose these APIs for use in .NET, which means that we can use them in PowerShell! Below is the script I created to accomplish this in my own CA migration. Log in to the NDES server with the service account credentials you entered when configuring the service and run the script below. It will prompt you for the challenge password you would like to use, set it in the registry, and restart IIS. If the SCEP service account doesn't have permissions to restart IIS, you will need to do that manually with a user account that does.

# Load System.Security so the ProtectedData (DPAPI) class is available
[System.Reflection.Assembly]::LoadWithPartialName("System.Security")
$newPw = ""
while($true) {
    $newPw = Read-Host "Please enter desired SCEP password"
    # Original had a typo here ($newPw.Legnth); the length check now works as intended
    if($newPw.Length%2 -eq 0 -and $newPw.Length -gt 0) {
        # Build the byte layout NDES expects: each character followed by a 0 byte,
        # plus two trailing 0 bytes as a terminator (UTF-16LE, NUL-terminated)
        [char[]]$pwdChars = New-Object Char[] $(($newPw.Length*2)+2)
        for($i = 0; $i -lt $newPw.Length; $i++) {
            $pwdChars[$i*2] = $newPw[$i]
            $pwdChars[($i*2)+1] = 0
        }

        $password = $pwdChars -Join ""

        # NDES keeps each setting in its own subkey, with a value of the same name
        $key = "HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\"
        $encPw = "EncryptedPassword"
        $snglPw = "UseSinglePassword"
        $pwLngth = "PasswordLength"
        # DPAPI-protect the bytes in CurrentUser scope, so run this as the NDES service account
        $protectedData = [Security.Cryptography.ProtectedData]::Protect([Text.Encoding]::ASCII.GetBytes($password), $null, 'CurrentUser')
        Set-ItemProperty -Path $($key + $encPw) -Name $encPw -Value $protectedData
        # Tell NDES to use this single fixed password rather than generating one per request
        Set-ItemProperty -Path $($key + $snglPw) -Name $snglPw -Value 1 -Type DWORD
        Set-ItemProperty -Path $($key + $pwLngth) -Name $pwLngth -Value $($newPw.Length/2) -Type DWORD
        Write-Host "Restarting IIS"
        # Needs an account allowed to restart IIS; otherwise run iisreset separately
        &iisreset
        break
    }
    if($newPw.Length -eq 0) {
        Write-Host "No password entered, exiting..."
        break
    }
    if(($newPw.Length%2) -ne 0) {
        Write-Host "Invalid password. Password must be an even number of characters"
    }
}
Rob
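The following is an added example, not part of Rob's answer or of NDES itself: a read-back check that decrypts the stored value with DPAPI and compares it to the password you intended to keep, so you can confirm the migration worked before touching any device. The function names are my own; the registry layout, the DPAPI CurrentUser scope and the byte layout (each character followed by a 0 byte, NUL-terminated) are taken from the script above. It must run under the NDES service account, because DPAPI ciphertext protected in CurrentUser scope cannot be opened by any other account, which is also why a plain registry export/import does not carry the password across servers.

```powershell
# Added example (not from the original answer): verify the NDES challenge
# password after migration by reading it back through DPAPI.
Add-Type -AssemblyName System.Security

function Get-NdesChallengePassword {
    param(
        # Assumed default; this is the key path used in the answer above
        [string]$BaseKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
    )

    # Each NDES setting lives in a subkey holding a value of the same name
    $encBytes = (Get-ItemProperty -Path "$BaseKey\EncryptedPassword" -Name 'EncryptedPassword' -ErrorAction Stop).EncryptedPassword
    if (-not $encBytes) { throw "No EncryptedPassword value found under $BaseKey" }

    try {
        # Same scope the migration script used to protect the value
        $plainBytes = [Security.Cryptography.ProtectedData]::Unprotect([byte[]]$encBytes, $null, 'CurrentUser')
    }
    catch {
        # Most common cause: running as a different user than the NDES service account
        throw "DPAPI could not unprotect the value; run this as the NDES service account. ($($_.Exception.Message))"
    }

    # Bytes are char,0,char,0,...,0,0: a NUL-terminated UTF-16LE string
    $password = [Text.Encoding]::Unicode.GetString($plainBytes).TrimEnd([char]0)

    [pscustomobject]@{
        Password          = $password
        UseSinglePassword = (Get-ItemProperty -Path "$BaseKey\UseSinglePassword" -Name 'UseSinglePassword' -ErrorAction Stop).UseSinglePassword
        PasswordLength    = (Get-ItemProperty -Path "$BaseKey\PasswordLength" -Name 'PasswordLength' -ErrorAction Stop).PasswordLength
    }
}

function Test-NdesChallengePassword {
    # Returns $true when the stored password matches the one you migrated.
    # -ceq keeps the comparison case-sensitive, since devices send it verbatim.
    param([Parameter(Mandatory = $true)][string]$Expected)

    $current = Get-NdesChallengePassword
    $ok = ($current.Password -ceq $Expected)
    if (-not $ok) {
        # Report lengths only; the value itself stays out of the console output
        Write-Warning ("Stored password differs from expected (stored length {0}, expected length {1})" -f $current.Password.Length, $Expected.Length)
    }
    if ($current.UseSinglePassword -ne 1) {
        Write-Warning "UseSinglePassword is not 1; NDES will generate per-request passwords instead"
    }
    return $ok
}

# Usage: prompt rather than hard-code, so the password stays out of script history
$expected = Read-Host 'Password you expect NDES to have'
if (Test-NdesChallengePassword -Expected $expected) {
    Write-Host 'NDES challenge password verified; devices can keep their existing value.'
}
```

Run this on the new server after the migration script and an iisreset; a DPAPI failure here, rather than a mismatch, almost always means the session is not the NDES service account, which is the same condition the migration script itself depends on.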