Closed gustav-mattsson closed 4 years ago
@gustav-mattsson One suggestion. Can you check if the Root certificate configured on the Intune SCEP profile is the same one returned by GetCACertChain API call from your SCEP server? They must be the same.
To do this navigate to https://endpoint.microsoft.com/ -> Devices -> Configuration profiles ->
@achuchev Thanks for the comment. They are indeed the same. My CA is in RA mode, meaning that the GetCACertChain request returns a PKCS#7 containing the Root CA, the Intermediate CA and the RA certificate. This is apparently(?) not supported by WIN10 devices, or intune?
I have been able to bypass this error (resulting in me getting a signature verification error later on) by doing the following:
SCEP: Certificate enroll failed. Result: (The signature of the certificate cannot be verified.).
So, I did kind of a hack to get past my error, resulting in a new one later, which is kind of a catch-22. This is, I presume, not how this should be configured, but it is what is working best currently.
Any suggestions on how to configure it correctly?
@gustav-mattsson Your hack is cool, but it is not the right way. I still think that there is something wrong with the returned CA/RA certs from your RA. Can you post the whole PKCS#7 response here and the Root cert configured to Intune as Root of the SCEP profile?
Regarding step 2 (Made it so only the RA certificate is returned by the GetCACert...): your solution is not a CA, so you should return the CA and RA certs. I guess you did it only for testing purposes, but I wanted to make sure it is clear.
Just some random things to check on your side:
@achuchev
certificates.zip. In the zip file is:
My RA does not have any EKU or KU. Are they mandatory by Microsoft? I'll give it a try!
The 'intune_subca.cer' is the issuer for the certificates produced for the windows device. Here is an example certificate for my WIN10 device: example_end_user_certificate.zip
SCEP profile Root Certificate:
Trusted Certificate Root Profile:
@achuchev Adding EKU and KU to the RA certificate fixed it, and I reverted to returning the full PKCS#7 response. Thanks a lot!!!!
I added Digital Signature and Key Encipherment as KU and TLS Server Authentication as EKU to the RA certificate. And now all of it works.
Thanks a lot for the tips and help @achuchev ! I have been stuck on this for over a week!
@gustav-mattsson Cool, you solved the problem faster than me 👍
BTW, if you plan to have your RA working with different OSes like Apple iOS, macOS, Android, or Cisco IOS over SCEP, make sure that you use separate RA certs for signing and encryption.
Hi, I was advised to create an issue here after I created an Intune ticket in the Microsoft Q&A forums (https://docs.microsoft.com/en-us/answers/questions/70809/0x8010002c-request-certificate-does-not-exist-duri.html)
I am trying to integrate a Third-party CA to work with Intune SCEP to issue certificates according to https://docs.microsoft.com/en-us/mem/intune/protect/scep-libraries-apis. I am using the CsrValidation api for Java to integrate.
My issue is not really with the CsrValidation API.
I have set up the following Configuration profiles in Azure Endpoint manager:
- Trusted Certificate: Computer store - Root (Root CA)
- Trusted Certificate: Computer store - Intermediate (Root CA)
- Trusted Certificate: Computer store - Intermediate (Intermediate CA)
- SCEP Certificate: Windows 10
All 3 Trusted Certificate Profiles are successfully deployed to the WIN10 device.
To enrol the Windows 10 Device I go to 'Settings -> Account -> Access work or school -> Connect'. The Windows UI says that the connection is successful.
However, when looking in the Windows 10 Event Viewer under 'Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider' it gives the following two errors:
Event 307: SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'http://{url}/scep/intune/pkiclient.exe', CA cert thumbprint '2FCF40...CEF1' and server )
Event 32: SCEP: Certificate enroll failed. Result: (The requested certificate does not exist.). [HRESULT: 0x8010002c]
These 2 errors occur after the 'GetCACertChain' call has been made from the WIN10 device and the CA SCEP RA has returned the chain in PKCS#7 format containing the Root CA, Intermediate CA and the RA certificate.
The thumbprint in Event 307 is the same as the thumbprint of my Root CA.
Any ideas on what I have misconfigured to get this error?