0x8010002c: Requested certificate does not exist

[gustav-mattsson]

Hi, I was advised to create an issue here after I created an Intune ticket in the Microsoft Q&A forums (https://docs.microsoft.com/en-us/answers/questions/70809/0x8010002c-request-certificate-does-not-exist-duri.html)

I am trying to integrate a Third-party CA to work with Intune SCEP to issue certificates according to https://docs.microsoft.com/en-us/mem/intune/protect/scep-libraries-apis. I am using the CsrValidation api for Java to integrate.

My issue is not really with the CsrValidation API.

I have setup the following Configuration profiles in Azure Endpoint manager: Trusted Certificate: Computer store - Root (Root CA) Trusted Certificate: Computer store - Intermediate (Root CA) Trusted Certificate: Computer store - Intermediate (Intermediate CA) SCEP Certificate: Windows 10.

All 3 Trusted Certificate Profiles are successfully deployed to the WIN10 device.

To enrol the Windows 10 Device I go to 'Settings -> Account -> Access work or school -> Connect'. The Windows UI says that the connection is successful.

However, when looking in the Windows 10 Event Viewer under 'Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider' it gives the following two errors:

Event 307: SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'http://{url}/scep/intune/pkiclient.exe', CA cert thumbprint '2FCF40...CEF1' and server )

Event 32: SCEP: Certificate enroll failed. Result: (The requested certificate does not exist.). [HRESULT: 0x8010002c]

These 2 errors occurs after the 'GetCACertChain' call has been made from the WIN10 device and the CA SCEP RA has returned the chain in PKCS#7 format containing the Root CA, Intermediate CA and the RA certificate.

The thumbprint in Event 307 is the same as the thumbprint of my Root CA.

Any ideas on what I have misconfigured to get this error?

[achuchev]

@gustav-mattsson One suggestion. Can you check if the Root certificate configured on the Intune SCEP profile is the same one returned by GetCACertChain API call from your SCEP server? They must be the same.

To do this navigate to https://endpoint.microsoft.com/ -> Devices -> Configuration profiles -> -> Properties in the Root Certificate field you will see the name of the Trusted Certificate profile. Check if this profile has the same Root certificate as returned by the GetCACertChain.

[gustav-mattsson]

@achuchev Thanks for the comment. They are indeed the same. My CA is in RA mode, meaning that the GetCACertChain request returns a PKCS#7 containing the Root CA, the Intermediate CA and the RA certificate. This is apparently(?) not supported by WIN10 devices, or intune?

I have been able to bypass this error (resulting in me getting a signature verification error later on) by doing the following:

1. Removing support for the GetCACertChain from my RA, this causes the WIN10 device to revert to using the GetCACert request.
2. Made it so only the RA certificate is returned by the GetCACert in X.509 format, according to https://tools.ietf.org/html/draft-nourse-scep-23#section-5.2.1.1.1
3. Configured the Intune SCEP Profile to have the RA certificate in place of the Root Certificate.
4. This caused the trust store to be "correctly" configured and a CSR was sent to the RA, and it could be validated against the intune server using this library successfully, and a certificate was produced and returned to the WIN10 device.
5. However, the certificate is not registered in the WIN10 device because it can not validate the signature it says:

   SCEP: Certificate enroll failed. Result: (The signature of the certificate cannot be verified.).

So, I did kind of a hack to get passed my error resulting in a new one later resulting in kind of a catch 22. This is I presume not how this should be configured, but it is what is working the best currently.

Any suggestions on how to configure it correctly?

[achuchev]

@gustav-mattsson Your hack is cool, but it is not the right way. I still think that there is something wrong with the returned CA/RA certs from your RA. Can you post the whole PKCS#7 response here and the Root cert configured to Intune as Root of the SCEP profile?

Regarding step 2 (Made it so only the RA certificate is returned by the GetCACert...). Your solution is not CA, so you should return CA and RA certs. I guess, you did it only for testing purposes, but I wanted to make sure it is clear.

Just some random things to check on your side:

• Make sure that the RA cert(s) are issued from the same CA which will be used to issue the leaf(workstation) certificate.
• Make sure that the RA cert(s) are having either EKU "Server Authentication" or "Certificate Request Agent" (1.3.6.1.4.1.311.20.2.1). The second is used by MS, so I usually prefer it.
• If you use separate RA certificates for signing and encryption, make sure that the first one has KU Digital Signature only and the second KU Key Encipherment only.

[gustav-mattsson]

@achuchev

certificates.zip In the zip file is:

1. Root CA as 'intune_root.cer'
2. Intermediate CA as 'intune_subca.cer'
3. RA certificate as 'intune_ra.cer'
4. The PKCS#7 is named 'getCaCertChain_return.p7b'

My RA does not have any EKU or KU. Are they mandatory by Microsoft? I'll give it a try!

The 'intune_subca.cer' is the issuer for the certificates produced for the windows device. Here is an example certificate for my WIN10 device: example_end_user_certificate.zip

SCEP profile Root Certificate:

Trusted Certificate Root Pofile:

[gustav-mattsson]

@achuchev Adding EKU and KU to the RA certificate fixed it, and reverting back to returning the full PKCS#7 response. Thanks a lot!!!!

I added Digital Signature and Key Encipherment as KU and TLS Server Authentication as EKU to the RA certificate. And now all of it works.

Thanks a lot for the tips and help @achuchev ! I have been stuck on this for over a week!

[achuchev]

@gustav-mattsson Cool, you solve the problem faster than me 👍

BTW, if you plan to have your RA working with different OS like Apple iOS, macOS, Android, Cisco IOS over SCEP, make sure that you use separe RA certs for signing and encryption.