
"Device hasn't updated its HTTPS certificate yet. "


FrankM

Hello,

 

I've updated our company wildcard certificate "*.company" within the MDC policy, because the old one will be invalid next week.

(See attachment)

The MDM shows two alerts:
 

Quote

 

HTTPS certificate change still in progress.

The old certificate is still being used 

 

The "Force certificate change on" has not yet been reached

 

I checked two iPhones with this alert:

Quote

Device hasn't updated its HTTPS certificate yet. 

But if I check the profile on the phone, I can see both "*.company" certificates, the new one and the old one. So to me it looks like the certificate is updated.

 

(Android phones also show the warning, but I didn't check the phones)

So I'm really confused!

What's going wrong here?

 

Thanks

 

Frank

ESET_https_cert.png


  • 4 weeks later...
  • ESET Staff

Hello,

MDM certificate change is a somewhat complicated process due to support for self-signed certificates.

MDM first installs a dual-trust profile (the device will trust both the old and the new certificate), then replaces the enrollment profile with one trusting the new certificate. At this moment both certificates are still trusted.

When all devices arrive at the previous state (or a timeout happens), MDM exchanges its outside HTTPS certificate with the new one.

Then the process of uninstalling the dual-trust profile (installed as the first step) is run.

Until all this is complete, there is some protection state on devices / MDM.

As a side note, for newer EESA versions, EESA (as iOS) also trusts 3rd party root CAs preinstalled in the device certificate store. Currently the certificate change process isn't adapted to this; however, even if some protection state persists, the entire process is safer with such certificates, as devices which fail to exchange trust will still continue to connect.

If some protection state persists after the MDM certificate is exchanged, please contact support, as it (as always) could be an issue on our side.

HTH,

M.

Edited by Mirek S.
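
A simplified model of the staged change described in the post above, added here as an illustration; it is not ESET's code, and the class, function names, fleet and dates are constructed assumptions. It shows why a phone that already holds both certificates can still report the change as pending: the server keeps the old certificate until every device is ready or the force date passes.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Device:
    name: str
    dual_trust: bool = False          # step 1: dual-trust profile installed
    enrollment_new: bool = False      # step 2: enrollment profile trusts new cert
    dual_trust_removed: bool = False  # step 4: dual-trust profile uninstalled

    @property
    def ready(self) -> bool:
        return self.dual_trust and self.enrollment_new

def served_cert(devices, now, force_on):
    """Step 3: the server swaps its HTTPS cert once every device is ready
    or the "Force certificate change on" deadline has passed."""
    if all(d.ready for d in devices) or now >= force_on:
        return "new"
    return "old"

def status(devices, now, force_on):
    if served_cert(devices, now, force_on) == "old":
        return "in progress: old certificate still served"
    if any(d.ready and not d.dual_trust_removed for d in devices):
        return "exchanged: dual-trust cleanup pending"
    return "complete"

def stragglers(devices):
    """Devices that have not finished steps 1-2 and keep the server waiting."""
    return [d.name for d in devices if not d.ready]

def would_disconnect(devices, ca_in_device_store=False):
    """Devices that cannot validate the new cert if it were served now."""
    if ca_in_device_store:  # side note: the OS store already trusts the issuing CA
        return []
    return [d.name for d in devices if not (d.dual_trust or d.enrollment_new)]

# Constructed fleet and dates, for illustration only.
BEFORE, FORCE_ON = datetime(2024, 1, 5), datetime(2024, 1, 10)
FLEET = [
    Device("iphone-1", dual_trust=True, enrollment_new=True),
    Device("iphone-2", dual_trust=True, enrollment_new=True),
    Device("android-1"),
]

if __name__ == "__main__":
    for day in (BEFORE, FORCE_ON):
        print(day.date(), status(FLEET, day, FORCE_ON), stragglers(FLEET), would_disconnect(FLEET))
```
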

Hello,

thanks for the detailed explanation of the process.

After the old certificate had expired, everything was as expected again.

The indication is just confusing.

 

Frank
