"Device hasn't updated its HTTPS certificate yet. "


FrankM

Hello,

 

I've updated our company wildcard certificate "*.company" within the MDC policy, because the old one will be invalid next week.

(See attachment)

The MDM shows two alerts:
 

Quote

 

HTTPS certificate change still in progress.

The old certificate is still being used 

 

The "Force certificate change on" has not yet been reached

 

I checked two iPhones with this alert:

Quote

Device hasn't updated its HTTPS certificate yet. 

but if I check the profile on the phone, I can see both "*.company" certificates, the new one and the old one. So to me it looks like the certificate is updated.

 

(Android phones also show the warning, but I didn't check the phones)

So I'm really confused!

What's going wrong here?

 

Thanks

 

Frank

ESET_https_cert.png


  • 4 weeks later...
  • ESET Staff

Hello,

MDM certificate change is a somewhat complicated process due to support for self-signed certificates.

MDM first installs a dual-trust profile (the device will trust both the old and the new certificate), then replaces the enrollment profile with one that trusts the new certificate. At this moment both certificates are still trusted.

When all devices arrive at the previous state (or a timeout happens), MDM exchanges its outside HTTPS certificate with the new one.

Then the process of uninstalling the dual-trust profile (installed as the first step) is run.

Until all this is complete, there is some protection state on devices / MDM.

As a side note, for newer EESA versions, EESA (like iOS) also trusts 3rd party root CAs preinstalled in the device certificate store. Currently the certificate change process isn't adapted to this; however, even if some protection state persists, the entire process is safer with such certificates, as devices which fail to exchange trust will still continue to connect.

If some protection state persists after the MDM certificate is exchanged, please contact support, as it (as always) could be an issue on our side.

HTH,

M.

Edited by Mirek S.
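
The sequence described in the reply above, as a simplified model added here for illustration (not ESET's code; the class, function and field names, the fleet and the dates are assumptions). It shows a device holding both certificates while the change is still unfinished, and what happens at the force date to a device that never received the dual-trust profile.

```python
from dataclasses import dataclass, field
from datetime import date

OLD, NEW = "old", "new"  # constructed labels standing in for the two certificates

@dataclass
class Device:
    name: str
    got_dual_trust: bool = True       # False: never checked in to receive the profile
    trusts_public_cas: bool = False   # side-note case: preinstalled third-party root CAs
    trusted: set = field(default_factory=lambda: {OLD})

    def can_connect(self, served, public_ca_issued):
        return served in self.trusted or (self.trusts_public_cas and public_ca_issued)

def rollover(devices, today, force_on, public_ca_issued=False):
    """Return (served certificate, {name: (still connects, change finished)})."""
    # Steps 1-2: dual-trust profile, then enrollment profile trusting the new cert.
    for d in devices:
        if d.got_dual_trust:
            d.trusted.add(NEW)
    # Step 3: the server switches once every device is ready, or at the force date.
    ready = all(NEW in d.trusted for d in devices)
    served = NEW if ready or today >= force_on else OLD
    # Step 4: after the switch, old trust is removed from devices that made the move.
    result = {}
    for d in devices:
        connects = d.can_connect(served, public_ca_issued)
        finished = served == NEW and connects and NEW in d.trusted
        if finished:
            d.trusted.discard(OLD)
        result[d.name] = (connects, finished)
    return served, result

def sample_fleet(android_public_cas=False):
    # Constructed fleet: two phones already dual-trusted, one that missed the profile.
    return [Device("iphone-1"), Device("iphone-2"),
            Device("android-1", got_dual_trust=False, trusts_public_cas=android_public_cas)]

if __name__ == "__main__":
    force_on = date(2024, 1, 10)  # constructed date
    for today in (date(2024, 1, 5), force_on):
        print(today, rollover(sample_fleet(), today, force_on))
```

In this model, one device that has not picked up the new trust keeps the server on the old certificate until the force date, so every other device stays unfinished even though it already trusts both certificates.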

Hello,

thanks for the detailed explanation of the process.

After the old certificate had expired, everything was as expected again.

The indication is just confusing.

 

Frank
