A successful request for a certificate from a mobile device always depends on its operating system. Currently, all mobile devices (notebooks, tablets etc.) that rely on the Windows operating system can request certificates using the well-known MMC or web enrollment ways. Moreover, non-domain-joined clients can also request certificates using the CEP/CES services of Windows 2008R2 and above CAs.
Windows RT tablets, based on version 8.1, can also request certificates as we have already mentioned the inclusion of a SCEP client in Windows 81. at a previous blog post. However, certificate issuance for devices that depend on other, mobile-only operating systems such as iOS and Android, depend on the vendor. In this blog post, we will limit our scope to iOS 5.x devices. These devices support the SCEP protocol, which allows for certificate requests directly from the mobile OS. Microsoft supports SCEP via the NDES service of the Certificate Services role.
For this reason, we need to install the NDES feature of Windows CAs. We will also create a specific service account which will run NDES. The service itself will be installed on the existing Enterprise Issuing CA. Moreover, we will need to:

• run the following command for IIS:
  %systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:”3072″ /commit:apphost
• install post-Windows 2008R2 hotfix KB2483564 that is needed for correct parsing of iOS HTTP SCEP requests.
• install, in a test machine, the software needed to create profiles for iOS to request certificates (iPhone configuration utility)
• test certificate issuance using an iPhone

This is how we request certificates for SCEP-compliant devices (in this example, iOS devices):

First, we visit the URL http://issuingca/CertSrv/MSCEP_Admin/ where we receive the password (challenge) needed to complete the certificate issuance

Retrieving the challenge string from the NDES server

After we receive the challenge string, we start the iOS configuration software, move to the configuration profiles section and create the profile needed for the certificate request. We finally select SCEP and fill in all the required values of the form. A sample request form has been captured in the following screenshot as a reference.

SCEP selection from the iPhone configuration utility

The completed form of the iPhone configuration utility