Updating Root/Intermediate Certificates over NDES/SCEP

While setting up our first instance of NDES/SCEP in the wild on Cisco routers, we have run into a concern.

Our organization currently has a three-tier PKI, with an AD CS server on the third tier running NDES. All aspects of the system are functioning, but through discussion and testing we have a concern.

Root and intermediate CA certificates can be updated on the end device by executing the GetCACert operation again, which refreshes the device's local cache of the issuing CA certificate.

For more detailed information, refer to the SCEP Internet-Draft (draft-nourse-scep-23).
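As an added illustration (not part of the original post), the Cisco IOS trustpoint configuration and exec commands that exercise this on a router, assuming a trustpoint named NDES-TP, an NDES host ndes.example.com and a placeholder fingerprint: `crypto pki authenticate` is the command that sends GetCACert, and because SCEP does not authenticate the GetCACert response itself, the expected fingerprint is pinned under the trustpoint so a refreshed CA certificate is accepted only if it matches a value obtained out of band.

```text
! Constructed example; trustpoint name, host and fingerprint are placeholders.
! Trustpoint pointing at the NDES SCEP endpoint on the issuing (third-tier) CA.
crypto pki trustpoint NDES-TP
 enrollment url http://ndes.example.com/certsrv/mscep/mscep.dll
 ! Expected fingerprint of the issuing CA certificate, obtained out of band
 ! (e.g. read directly from the CA). With this set, IOS rejects a GetCACert
 ! response whose CA certificate does not match instead of prompting.
 fingerprint <CA-CERT-FINGERPRINT-PLACEHOLDER>
 revocation-check crl
 rsakeypair NDES-TP-KEY 2048
 auto-enroll 70
!
! Exec mode: record what is currently cached before refreshing.
Router# show crypto pki certificates NDES-TP
!
! Exec mode: send GetCACert to NDES again. On a trustpoint that already holds
! a CA certificate this re-fetches the certificate(s) NDES returns and
! replaces the cached copy once the fingerprint check passes.
Router# crypto pki authenticate NDES-TP
!
! Confirm the refreshed CA certificate (serial, validity, fingerprint).
Router# show crypto pki certificates NDES-TP
```

The pinned `fingerprint` value must itself be updated whenever the CA certificate is renewed with a new key, since the renewed certificate has a different fingerprint.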

Additional Resources

Thomas Pornin provided an acceptable answer for a similar question on Security Stack Exchange.
