Rocky Linux 8 compatibility with NDES and certmonger is not working

Hi Support Folks,

We have recently installed Rocky Linux 8 and it is not working well with our NDES server: the NDES server is not issuing a certificate when certmonger version certmonger-0.79.13-5.el8.x86_64 requests a certificate from it. Please note that when we use CentOS 7 with certmonger-0.74 the certificate gets issued and we get a new certificate.

Could you please let us know about the compatibility of Rocky Linux 8 and certmonger-0.79.13-5.el8.x86_64, and what version of NDES is needed to issue a correct certificate? Also please note that we found the following in a blog and have already tried these settings on the NDES server and on the Rocky Linux 8 server with certmonger-0.79, but it still does not work.
To add the value:

  • fire up regedit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
  • add a new 32-bit DWORD value named DisableRenewalSubjectNameMatch and set the value to 1

I didn’t restart IIS, but you can if you want (in PowerShell run iisreset)

On the certmonger side add this to /etc/certmonger/certmonger.conf

[scep]
challenge_password_otp = yes

Restart certmonger

Please let us know what can be done to resolve the NDES server not issuing the server certificate. Have a good day and weekend.

Thanks,
Bharan B
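The procedure quoted above has a Windows side (the registry value on the NDES host) and a Linux side (the [scep] setting in certmonger.conf, a certmonger restart, then a SCEP request). On a fleet the Linux side is normally scripted, and doing it by hand tends to leave a duplicate or misplaced `challenge_password_otp` line. The script below is an added example, not code from the post, the blog it quotes, or the certmonger project: it sets `challenge_password_otp = yes` under `[scep]` idempotently (creating the section if it is missing, replacing an existing line instead of appending a second one), and wraps the `getcert` calls that register an NDES SCEP endpoint and request a certificate. The CA nickname, NDES URL, hostname and one-time challenge password are placeholders, the sample certmonger.conf content is constructed, and the registry step stays on the Windows side as in the post.

```bash
#!/usr/bin/env bash
# Added example for the certmonger side of the NDES/SCEP procedure.
# Not from the forum post or from certmonger; names/URLs below are placeholders.
set -euo pipefail

# ensure_ini_key FILE SECTION KEY VALUE
# Guarantees exactly one "KEY = VALUE" line inside "[SECTION]" of an INI-style
# file such as /etc/certmonger/certmonger.conf: creates the section if absent,
# replaces an existing KEY line, drops duplicates, leaves everything else as is.
ensure_ini_key() {
    local file=$1 section=$2 key=$3 value=$4 tmp
    tmp=$(mktemp)
    if grep -qx "\[$section\]" "$file"; then
        awk -v s="$section" -v k="$key" -v v="$value" '
            $0 == "[" s "]" { in_sec = 1; print; next }           # enter our section
            /^\[/ && in_sec { if (!written) print k " = " v        # next section starts:
                              written = 1; in_sec = 0 }             # emit key if still missing
            in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") {               # existing key line
                              if (!written) print k " = " v        # first one is replaced,
                              written = 1; next }                   # later duplicates dropped
            { print }
            END { if (in_sec && !written) print k " = " v }         # section was last in file
        ' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '\n[%s]\n%s = %s\n' "$section" "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # write through the existing inode: keeps owner/mode/SELinux label
    rm -f "$tmp"
}

# get_ini_key FILE SECTION KEY -> prints the value (empty if unset)
get_ini_key() {
    awk -v s="$2" -v k="$3" '
        $0 == "[" s "]" { in_sec = 1; next }
        /^\[/           { in_sec = 0 }
        in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# ndes_request NICK URL OTP HOST
# Registers the NDES SCEP endpoint with certmonger and requests a host cert.
# Needs root, certmonger installed and reachability to NDES; the one-time
# challenge password (OTP) is the one taken from NDES's mscep_admin page.
ndes_request() {
    local nick=$1 url=$2 otp=$3 host=$4
    ensure_ini_key /etc/certmonger/certmonger.conf scep challenge_password_otp yes
    systemctl restart certmonger                     # pick up the [scep] change
    getcert add-scep-ca -c "$nick" -u "$url"         # e.g. https://ndes.example.test/certsrv/mscep/mscep.dll
    getcert request -c "$nick" -L "$otp" \
        -k "/etc/pki/tls/private/$host.key" \
        -f "/etc/pki/tls/certs/$host.crt" \
        -N "CN=$host" -D "$host"
    getcert list -f "/etc/pki/tls/certs/$host.crt"  # status should progress to MONITORING
}

# demo: run the config edit against a constructed copy of certmonger.conf
demo() {
    local dir conf
    dir=$(mktemp -d)
    conf=$dir/certmonger.conf
    cat > "$conf" <<'EOF'
# constructed sample resembling a stock /etc/certmonger/certmonger.conf
[defaults]
ca_poll_interval = 1800
[selfsign]
validity_period = 365d
[scep]
challenge_password_otp = no
EOF
    ensure_ini_key "$conf" scep challenge_password_otp yes
    ensure_ini_key "$conf" scep challenge_password_otp yes   # second run is a no-op
    cat "$conf"
    rm -rf "$dir"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run with `--demo` to see the edited sample; `ndes_request ndes https://ndes.example.test/certsrv/mscep/mscep.dll '<otp>' "$(hostname -f)"` is the real flow and, as in the post, only the OTP handling on the certmonger side is changed by `challenge_password_otp = yes`; the `DisableRenewalSubjectNameMatch` registry value still has to be set on the NDES host.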

Can you please explain what NDES Server is and who makes it? Have you asked NDES support for help, since it seems it’s their product that isn’t working correctly here? It sounds more like NDES Server needs to be configured correctly to work with that version of certmonger, since certmonger is pretty much a client app.

Hi @iwalker,

The Network Device Enrollment Service (NDES) allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP). It is part of the Active Directory role and is maintained by Microsoft. We already have a ticket with Microsoft to see how this version of certmonger on Rocky Linux 8 can work with it, because the version of certmonger on CentOS 7 is certmonger-0.74 and on Rocky Linux 8 it is certmonger-0.79. So we suspect this difference in certmonger is the issue, but please note that NDES issues certificates automatically to our Ansible playbook on CentOS 7 machines and only on Rocky Linux 8 are we having issues. So we thought maybe somebody has seen this issue before. Thanks, and have a good weekend.

Thanks,
Bharan Bhaskar

I think generally Microsoft will or should support RHEL 8.x, and since Rocky follows RHEL, whatever version of certmonger RHEL has, Rocky has the same version, as it’s 1:1 with RHEL.

Hopefully Microsoft will ensure support for other versions; whilst RHEL 7 can still be used, it does go EOL in a few years. Also, since RHEL 9 has come out, in reality Microsoft should have added RHEL 8 support a long time ago. Once that’s achieved, Rocky will also be OK.