This section explores the following tasks:
  • Install the NDES certificate.
  • Bind the NDES certificate in IIS.
  • Configure request filtering.
  • Bind the certificate in the registry.

Install the certificate

Perform the following steps to install the NDES certificate:
1. On the NDES server, open the Windows search bar and look for certlm.msc. Open it.
2. In the left toolbar, right-click Personal and select All Tasks > Request New Certificate.
3. On the Select Certificate Enrollment Policy page, select [ Active Directory Enrollment Policy ]. Select [ Next ].
4. Select the NDES certificate created earlier, and select [ More information is required to enroll for this certificate. Click here to configure Settings ].
5. On the Certificate Properties page, make the following changes:
  1. For Subject Name, select [ Common Name ] and enter the Fully Qualified Domain Name of your NDES server. Then, select [ Add ].
  2. For Alternate Name, select [ DNS ] and enter the Fully Qualified Domain Name of your NDES server. Then, select [ Add ].
6. Select [ Apply ] and then [ OK ]. Then select [ Enroll ].

Bind the certificate in IIS

Perform the following steps to bind the NDES certificate in IIS:
1. On the NDES server, open the Windows search bar and look for Internet Information Services (IIS) Manager. Open it.
2. Expand your Server Name > Sites and then select [ Default Web Site ].
3. On the right side of the screen, locate Edit Site and select [ Bindings ].
4. On the Site Bindings page, select [ Add ].
5. Change the Type to HTTPS and select [ Select ]. Select the NDES certificate you just installed and select [ OK ].

Configure request filtering

Perform the following steps to configure request filtering in IIS:
1. On the NDES server, open the Windows search bar and look for Internet Information Services (IIS) Manager. Open it.
2. Expand your Server Name > Sites and then select [ Default Web Site ].
3. Locate and select [ Request Filtering ].
4. On the right side of the screen, locate and select [ Edit Feature Settings ].
5. Change the Max Url length and Max query string values to 65534. Select [ OK ].

Bind the certificate in the registry

Perform the following steps to bind the certificate in the registry:
1. On the NDES server, open the Windows search bar and look for System Registry Editor. Open it.
2. Go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP and locate GeneralPurposeTemplate.
3. Change the value to the name of your certificate template created for NDES. (Not the display name.)
4. Close the registry editor and restart the NDES server.
For more information on configuring infrastructure for Intune, refer to the Microsoft documentation: learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
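
The four tasks above can be checked afterwards with a read-only script. This is an added example, not part of the original page or of Microsoft's documentation. It assumes the WebAdministration module is available on the NDES server, that the FQDN lookup returns the name you entered during enrollment, and that `<NDES-template-name>` is replaced with your own template name.

```powershell
# Added read-only verification sketch. Run in an elevated session on the NDES server.
Import-Module WebAdministration

# Assumptions: adjust these to your environment.
$Fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$TemplateName = '<NDES-template-name>'   # placeholder: template name, not display name
$Site         = 'Default Web Site'
$Expected     = 65534

# Install step: unexpired certificate in Local Machine > Personal whose
# Common Name is the FQDN and whose Subject Alternative Name contains it.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c   = $_
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $c.NotAfter -gt (Get-Date) -and
    $c.GetNameInfo('SimpleName', $false) -eq $Fqdn -and
    $san -and ($san.Format($false) -match [regex]::Escape($Fqdn))
})

# IIS binding step: an HTTPS binding on the site that uses one of those certificates.
$https = @(Get-WebBinding -Name $Site -Protocol https)
$bound = @($https | Where-Object { $certs.Thumbprint -contains $_.certificateHash })

# Request filtering step: both limits on the site read back as 65534.
$limits = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" `
    -Filter 'system.webServer/security/requestFiltering/requestLimits'

# Registry step: GeneralPurposeTemplate holds the template name.
$mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP' `
    -ErrorAction SilentlyContinue

# One row per task; Detail shows the value actually found.
@(
    [pscustomobject]@{ Check = 'Certificate CN and DNS SAN match FQDN'
                       Pass  = $certs.Count -gt 0
                       Detail = ($certs.Thumbprint -join ', ') }
    [pscustomobject]@{ Check = 'HTTPS binding uses that certificate'
                       Pass  = $bound.Count -gt 0
                       Detail = ($https.certificateHash -join ', ') }
    [pscustomobject]@{ Check = 'Max URL length'
                       Pass  = $limits.maxUrl -eq $Expected
                       Detail = $limits.maxUrl }
    [pscustomobject]@{ Check = 'Max query string'
                       Pass  = $limits.maxQueryString -eq $Expected
                       Detail = $limits.maxQueryString }
    [pscustomobject]@{ Check = 'GeneralPurposeTemplate'
                       Pass  = $mscep.GeneralPurposeTemplate -eq $TemplateName
                       Detail = $mscep.GeneralPurposeTemplate }
) | Format-Table -AutoSize -Wrap
```

A failed certificate check with an empty Detail column usually means the FQDN resolved by the script differs from the one entered at enrollment; set `$Fqdn` by hand and run it again.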