Error: HTTPS certificate chain is incomplete. Enrollment is not allowed

Hello,

I have an ESMC VA ver 7.1 with a 3rd party HTTPS certificate and all is working perfectly.

Now I installed the latest version of the MDM Connector VA and I used the same 3rd party HTTPS certificate in the setup screen, and if I reach https://mdm.xxxx.it:9980 the certificate is OK.

The problem is that I see an alert for the MDM VA that says:

HTTPS certificate chain is incomplete. Enrollment is not allowed 

But the chain is complete.

Please, where did I go wrong?

Thank you
Andrea


An update: if I generate a new certificate for Mobile Device Connector and then apply it to the MDM server via Policy, I don't see any error in the ESMC, but when I connect to https://mdm.xxxxxx.it:9980 I see a certificate warning because it was generated from the internal CA, and the mobile phone can connect to ESMC.

If I try to use a valid certificate from a public CA in the Policy, it doesn't apply, with the error:

MDM policy contains invalid https certificate. The old certificate is still being used 

Can someone explain this to me?

Thank you 

Andrea


  • ESET Staff

Hello,

Short answer: Please add the root CA of your 3rd party certificate into the pkcs#12 which is configured as the HTTPS certificate. See for example this thread.

Long answer: Certificates provided by 3rd party certification authorities (usually) don't contain the root CA, as trust is established by the system certificate store and the certificate and chain provided by the HTTPS server. We require the root CA in the configured pkcs#12 as we establish MDM - device trust during device enrollment - we install the root CA onto the device. In our wording we note the chain even if - only - the root CA is missing (as it's impossible to determine whether the chain is complete without the root CA, even though it's not technically correct).

HTH,

M.


Hello Mirek,
I tried to upload the complete pfx, but the problem was that the file had some kind of problem. I recreated a new pfx with all three certificates and now the warning is gone.

Now I can connect to https://mdm.xxxx.it:9980 with no problem and I have enrolled my first mobile device.

Thank you
Andrea
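
The check and rebuild discussed in the staff reply and the follow-up above, as an added example that is not part of the original posts or ESET's own tooling. It assumes the `openssl` CLI is available; the file names and the `P12_PASS` environment variable are placeholders.

```sh
#!/bin/sh
# Added example. File names and P12_PASS are placeholders, not from the thread.
# The bundle password is read from the environment so it stays off the command line.

# Print "subject_hash issuer_hash", one line per certificate in a PKCS#12 file.
p12_cert_hashes() (
    tmp=$(mktemp -d) || exit 2
    # Dump certificates only (never the private key), then split one per file.
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = d "/c" n ".pem" }
            out != ""                     { print > out }
            /-----END CERTIFICATE-----/   { close(out); out = "" }'
    for f in "$tmp"/c*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -in "$f" -noout -subject_hash -issuer_hash | paste -sd' ' -
    done
    rm -rf "$tmp"
)

# Succeeds if the bundle holds a self-issued certificate (subject == issuer),
# which is what a root CA looks like. Names only: the signature is not verified.
p12_has_root() {
    p12_cert_hashes "$1" | awk '$1 == $2 { found = 1 } END { exit !found }'
}

# Rebuild the bundle from the server key, the server certificate and a PEM file
# holding the intermediate(s) plus the root CA.
build_p12_with_root() {  # usage: build_p12_with_root KEY CERT CA_CHAIN_PEM OUT
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout env:P12_PASS
}
```

Run `p12_has_root` against the bundle before uploading it; a non-zero exit status means no self-issued certificate was found in the file.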
