SCEP NDES Configuration Overview

Configuring SCEP NDES takes only a few steps. Use the default SCEP NDES handlers that are delivered with the product. SCEP NDES requires two handlers: the challenge handler and the request handler. The default challenge handler is handler.3 and the default request handler is handler.4.

The dynamic password generated by sending an authorized request to the challenge URL is globally available. As such, only one challenge handler is required, unless each administrator must have unique credentials.

For each NDES request token procedure, you must create an always-open wildcard registration using the inputview GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password. This wildcard registration is required to perform the initial match before the dynamic password is verified.

Configure SCEP NDES


SCEP NDES utilizes the CF Production Order services to handle the dynamically created registrations. This requires that the parameter CardProductionManager.start is set to true in cm.conf.

Procedure policy objects

  1. Launch the Nexus Administrators Workbench client (AWB). 

  2. Create a new certificate procedure using the AWB. The certificate format must be scepndesdynamicenroll. 

  3. Create a new token procedure using the AWB. It should reference the created certificate procedure, have storage profile pkcs10 and the inputview GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password.

Wildcard order

  1. Launch the Nexus Registration Authority client (RA).

  2. Navigate to the order tab and select the token procedure created previously. Create a new registration with the following values:

    FQDN: *
    Validity time (days): always
    State: Open

Handler configuration in

The remaining task is to configure the two handlers for SCEP NDES. The request handler must have the previously created token procedure as its configured handler.x.tokenprocedure. A list of all available parameters can be found in the next section. 


NDES Challenge handler

NDES challenge filter. The request URL that this handler matches.

handler.3.filter = ndeschallenge/

NDES challenge format. Must be set to scep-ndes.

handler.3.format = scep-ndes

NDES admin username. Change the default admin username to your desired username.

handler.3.ndesUsername = ndesadmin

NDES admin password. Change the default admin password to your desired password. Remember to scramble the password.

handler.3.ndesPassword = ndespassword

NDES challenge validity. Defines how long the dynamically created challenge password is valid. Expects an ISO-8601 duration. Default validity is 15 minutes (PT15M).

handler.3.ndesChallengeValidity = PT15M

NDES challenge encoding. Defines the encoding of the challenge webpage. Default is UTF-8 and is supported by the majority of users.

handler.3.ndesChallengeEncoding = UTF-8

NDES Request handler

NDES request filter. The request URL that this handler matches.

handler.4.filter = ndesrequest

NDES request format. Must be set to scep.

handler.4.format = scep

NDES request token procedure.

handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
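
The following is an added example, not part of the product or its documentation: a Python check that reads handler properties in the form listed above and reports required values that are wrong, credentials left at the documented defaults, and a challenge validity that is malformed or too long. The max_validity limit, the function names and the treatment of the configuration as plain "key = value" text are assumptions made for the example.

```python
import re

# Constructed sample in the handler.N.key = value form shown on this page.
SAMPLE = """\
handler.3.filter = ndeschallenge/
handler.3.format = scep-ndes
handler.3.ndesUsername = ndesadmin
handler.3.ndesPassword = ndespassword
handler.3.ndesChallengeValidity = PT36H
handler.4.filter = ndesrequest
handler.4.format = scep
"""
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?=\d)(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text):
    """Parse the PnDTnHnMnS subset of ISO-8601 durations; None if invalid."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def parse(text):
    """Return {key: value} for 'key = value' lines; skip blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

# max_validity (seconds) is an assumed local policy limit, not a product value.
def lint(text, challenge="handler.3", request="handler.4", max_validity=3600):
    """List findings for one challenge/request handler pair."""
    p, findings = parse(text), []
    for handler, fmt in ((challenge, "scep-ndes"), (request, "scep")):
        if p.get(f"{handler}.format") != fmt:
            findings.append(f"{handler}.format must be {fmt}")
    if not p.get(f"{request}.tokenprocedure"):
        findings.append(f"{request}.tokenprocedure is not set")
    for key, default in (("ndesUsername", "ndesadmin"), ("ndesPassword", "ndespassword")):
        if p.get(f"{challenge}.{key}") == default:
            findings.append(f"{challenge}.{key} is still the documented default")
    validity = duration_seconds(p.get(f"{challenge}.ndesChallengeValidity", "PT15M"))
    if validity is None:
        findings.append(f"{challenge}.ndesChallengeValidity is not an ISO-8601 duration")
    elif validity > max_validity:
        findings.append(f"{challenge}.ndesChallengeValidity exceeds {max_validity}s")
    return findings
```

Calling lint(SAMPLE) reports the missing token procedure, both unchanged credentials and the 36-hour validity; a scrambled password value no longer equals the default and is not flagged.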
