Service Pack 1 for 2008 R2 is due in a couple of months, but I have not seen anything in the info regarding this service pack that there will be any updates to the CA role or anything pertaining to NDES/SCEP. It is due in a public beta before the end of July so we’ll just have to take a closer look then. If it’s not added in that release it’s anybody’s guess if/when it will be added. (A new major CA release would probably be a bit into the future.)

Have you heard if Microsoft is going to support the GetCACaps operation to allow devices to renew their certs?

Jokes aside; tThe first operation, GetCACert, is ok. The second, GetCACaps, is not supported on MS CA (as far as I can tell), so that’s ok too since it’s optional anyways. The third, PKIOperation, which just happens to be the tricky one to get right fails. You get a statuscode 200 because the request was POSTed successfully to the SCEP server, and possibly processed by the CA too. But it most likely failed because the request wasn’t properly built or something.

You should check the event viewer on the CA – it might provide an error message as to what was wrong with the request – could be missing/incorrect attributes, missing key material, etc.

Are you letting the iPhone do the actual enrollment, or is there a component server side that is trying to request certificates and provision the result to the iPhones?

Thanks for posting this excellent note on SCEP. We are working on using MS SCEP to provision an iPhone and are running into some issues. We are not getting any help from Apple. The following is a description of our problem.

I’m using Windows Server 2008 Enterprise with the Microsoft SCEP implementation (NDES) installed and configured. I can verify that a client computer receives a certificate back, but on the iPhone I can only validate that it’s failing because it doesn’t tell me anything other than it failed to install. Through using a packet sniffer, I can validate the following HTTP conversation between the CA/SCEP server and the iPhone.

The iPhone is sending an HTTP GET command with the URI:
Location: /certsrv/mscep/
Operation: GetCACert
Message: hostname

The response from the CA/SCEP machine is StatusCode of 200 with a payload of type ‘application/x-x509-ca-ra-cert’, which I have validated through using another host where I can examine the file that it is a p7b file which is a PKCS #7 file.

The iPhone next issues another GET command, with the URI:
Location: /certsrv/mscep/
Operation: GetCACaps
Message: hostname

The response from the CA/SCEP machine is StatusCode of 200 with a 0 length content.

The iPhone next issues another GET command, with the URI:
Location: /certsrv/mscep/
Operation: PKIOperation
Message: message: MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggNnMIAG%0ACSqGSIb3DQEHA6CAMIACAQAxggF9MIIBeQIBADBhMFMxEzARBgoJkiaJk%2FIsZAEZFgNsYWIxFzAV%0ABgoJkiaJk%2FIsZAEZFgdtYXR0bGFiMSMwIQYDVQQDExptYXR0bGFiLU1BVFRMQUJWTTY0MjAwOC1D%0AQQIKYQrpd

To which the CA/SCEP machine responds with StatusCode 200 with a payload of type ‘application/x-pki-message.’ The contents of the payload are included as an attachment. So, ultimately, it appears that the iPhone doesn’t like the contents of the application/x-pki-message.

Any thoughts on what could be wrong?

Your help much appreciated.

Jay