SCEP errors on manual or automatic device cert request

Viewing 5 posts - 1 through 5 (of 5 total)
  • #106131
    notjustemail
    Participant
    • Total Post: 3
    • Newbie

    We have been running the same setup for a number of years; however, the requesting of a device certificate is no longer working for automatic enrollment or manually. The logs from the CA server are showing the request does make it there; however, the device presents with “ERROR: failed parsing ca cert response. Please check certificate settings and enrollment password”. There is no enrollment password set on the CA server. Does anyone know what settings the CA server requires for this to work correctly? Tested on Firmware 8.6 as well as 9.1. Have been working with Microsoft and Dell for the last two weeks but have not got anywhere.

    #106133
    ConfGen
    Keymaster
    • Total Post: 10696
    • Jedi Master
    • ★★★★★★★

    I have written a SCEP implementation guide which is available in the Downloads.
    I have never seen or heard that you do not need an enrollment password at all. However, check my guide and come back with questions.

    CG

    #106135
    notjustemail
    Participant
    • Total Post: 3
    • Newbie

    Thanks for that quick reply. I will have a read through and come back if needed.

    #106146
    notjustemail
    Participant
    • Total Post: 3
    • Newbie

    After enabling unauthenticated access for IIS, the device is connecting and we are getting a 200 response in the IIS logs; however, the device is now giving “ERROR: failed checking ra certificate for signing. Please check certificate settings and enrollment password”.

    We have followed the documentation and checked all settings against it. As we do not have a password set and never had one, that field is left blank. In WMS I have tried configuring SCEP admin details as per section 7 but this did not seem to work. Do you require one or the other to get this to work?

    Any further ideas?

    #106156
    luu
    Participant
    • Total Post: 2
    • Newbie

    If you use the Microsoft SCEP service, you *need* an enrollment password (it is always present and autogenerated for you out of the box, and can be obtained from /CertSrv/mscep_admin).

    You can make sure this password never changes by setting HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword = 1 (DWORD) on the SCEP server – so you only need to configure it once in the ThinOS profile and never touch it again.
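
    Added example, not part of the posts above: a PowerShell check for the Microsoft SCEP (NDES) enrollment-password settings discussed in this thread, with an optional switch that applies the UseSinglePassword change. It assumes the NDES registry layout in which each setting is a subkey of MSCEP holding a DWORD value of the same name, and that EnforcePassword is the companion setting that controls whether a password is required at all; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the SCEP/NDES server.
# Assumed layout: ...\MSCEP\<Name>\<Name> = DWORD.
$MscepBase = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-MscepSetting {
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $MscepBase $Name
    if (-not (Test-Path $key)) { return $null }
    # Yields $null when the value itself is absent
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-MscepPasswordMode {
    # Pure function: maps the two raw values to a readable state.
    param($EnforcePassword, $UseSinglePassword)
    if ($null -eq $EnforcePassword -and $null -eq $UseSinglePassword) {
        return 'MSCEP password settings not found (is the NDES role installed?)'
    }
    if ($EnforcePassword -eq 0) { return 'No enrollment password required' }
    if ($UseSinglePassword -eq 1) { return 'Single static enrollment password' }
    'Autogenerated one-time enrollment passwords'
}

function Show-MscepPasswordState {
    $enforce = Get-MscepSetting -Name 'EnforcePassword'
    $single  = Get-MscepSetting -Name 'UseSinglePassword'
    [pscustomobject]@{
        EnforcePassword   = $enforce
        UseSinglePassword = $single
        Mode              = Get-MscepPasswordMode $enforce $single
    }
}

function Set-MscepSinglePassword {
    # Applies the change described in the last post, then restarts IIS so
    # the SCEP service re-reads its configuration.
    $key = Join-Path $MscepBase 'UseSinglePassword'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'UseSinglePassword' -Value 1 -Type DWord
    iisreset | Out-Null
    Show-MscepPasswordState
}

Show-MscepPasswordState   # read-only; call Set-MscepSinglePassword to change
```

    With a single static password, every device profile carries the same enrollment secret, so restrict who can read the ThinOS profile and the /CertSrv/mscep_admin page.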
