SCEP errors on manual or automatic device cert request


  • This topic has 4 replies, 3 voices, and was last updated 3 years ago by luu.
Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
  • #106131
    • Total Post: 3
    • Newbie

    We have been running the same setup for a number of years, however the requesting of a device certificate is no longer working for automatic enrollment or manually.  The logs from the CA server are showing the request does make it there, however the device presents with “ERROR: failed parsing ca cert response.  Please check certificate settings and enrollment password”.  There is no enrollment password set on the CA server.  Does anyone know what settings the CA server requires for this to work correctly?  Tested on Firmware 8.6 as well as 9.1.  Have been working with Microsoft and Dell for the last two weeks but have not got anywhere.

    • Total Post: 10696
    • Jedi Master
    • ★★★★★★★

    I have written a SCEP implementation guide which is available in the Downloads.
    I have never seen or heard that you do not need an enrollment password at all. However, check my guide and come back with questions.


    • Total Post: 3
    • Newbie

    Thanks for that quick reply. I will have a read through and come back if needed

    • Total Post: 3
    • Newbie

    After enabling unauthenticated access for IIS, the device is connecting, we are getting a 200 response in the IIS logs, however the device is now giving “ERROR: failed checking ra certificate for signing.  Please check certificate settings and enrollment password”.

    We have followed the documentation and checked all settings against it.  As we do not have a password set and never had one, that field is left blank.  In WMS I have tried configuring SCEP admin details as per section 7 but this did not seem to work.  Do you require one or the other to get this to work?

    Any further ideas?

    • Total Post: 2
    • Newbie

    If you use Microsoft SCEP service, you *need* enrollment password (it is always present and autogenerated for you out of the box, can be obtained from /CertSrv/mscep_admin).

    You can make sure this password never changes by setting HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword = 1 (DWORD) on SCEP server – so you only need to configure it once in ThinOS profile and never touch it again

Viewing 5 posts - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.