Forum Discussion
SCEP policy deployment failing for iOS only
Hello Mark,
It looks like it has something to do with the customer's PKI infrastructure. In the past I've had a similar issue. After contact with MS Support this was the answer:
As we discussed, we discovered that the Signature Algorithm RSASSA-PSS may not be supported by iOS, and that is why iOS devices could not verify the whole chain.
You may need to change the PKI infrastructure from RSASSA-PSS to sha256 or sha512.
Here is some documentation:
https://blogs.technet.microsoft.com/askpfeplat/2015/03/15/sha-1-deprecation-and-changing-the-root-cas-hash-algorithm/
https://discussions.apple.com/thread/6534865?start=0&tstart=0 – apple forum.
I hope this helps.
Best regards,
Ruud Gijsbers
Thanks Ruud, we're already using SHA256 though.
- RuudGijsbers, Feb 21, 2018, Iron Contributor
Hi Mark,
What do the log files say on the server where the Certificate Connector is installed? You can have a look at the event log and the log files in the installation directory for the Certificate Connector, and also the NDES/SCEP log files.
Best regards,
Ruud Gijsbers
- Mark Palmer, Feb 21, 2018, Copper Contributor
Yeah, we've checked every log file possible including *.svclogs but they don't even show an attempt, failed request or anything. I've recreated the SCEP policy today but it has not helped. Can also confirm I can connect to the NDES URL from the test devices and receive the correct 403 error on the site as per the documentation.
- Tad Crandall, May 24, 2018, Copper Contributor
Hey Mark,
Did you all ever figure out the root cause of the issue? Experiencing the same problem with iOS devices.
Thanks