
MDM WebServer does not use full cert chain


I installed MDM and used a pfx file for securing the website that is shown on Port 9980.

The PFX file contained a Cert and also an Intermediary CA Cert. But this is not used by the MDM webserver that listens on Port 9980.


I used the same PFX for the Tomcat server that delivers the ERA Console. Tomcat delivers the Intermediary CA Cert to the clients, as seen on the comparison via an SSL checker (https://www.sslshopper.com/ssl-checker.html)


Could you please fix this or tell me where I can change the MDM webserver settings?

Edited by tobiasperschon

I just got off the phone with ESET and they want you to use the agent cert, not the one for the ERA console. I was doing the same thing since the documentation is so vague. (Might not be what you are doing but it sounds like it)


The problem now for me is that that particular agent cert is self-signed by the ERA server, which won't be trusted by most phones. I guess I need to figure out how to get my purchased cert to work as the agent cert because I can sign my ERA console with my internal CA.


I was talking about my Wildcard Domain Certificate which I used for Tomcat to secure the https connection to ERA Webconsole. The cert was fairly cheap so it uses an intermediary CA. The PFX file that Tomcat uses to secure the Webconsole contains the Domain-Wildcard Cert and the Intermediary CA (the Root is present on all? devices - GlobalTrust)


When installing MDM you are supposed to choose a cert for the https (Options: --https-cert-path= and --https-cert-password=) and also an agent cert (when you do an "offline install") otherwise you have to pass the installer the ERA login credentials and it will pick an agent cert.

For https you would use a normal domain cert with a public CA so that end users have no trouble opening the MDM site (e.g. enrollment page) without warnings. The problem (as stated above) is that the MDM webserver only sends the domain cert and not also the intermediary CA to the browser.

So I don't think you have to (or should) use a public ("purchased") cert as an agent cert.

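The failure mode discussed in this thread, reproduced offline as an added example (this is not code from the thread, from ESET or from the MDM product): a throwaway root > intermediate > leaf hierarchy is built with openssl, and the leaf is then validated twice against a client that trusts only the root, once with just the leaf (what the MDM webserver on port 9980 was observed to send) and once with leaf plus intermediate (what Tomcat sent). It also shows that a PFX built with `-certfile` really does carry the intermediate, so a server that presents only the leaf is ignoring part of the bundle. All names, the hostname mdm.example.test and the password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from ESET: demonstrates why a server
# that presents only its leaf certificate fails validation on a client that
# trusts only the public root, while leaf + intermediate validates.
# Every name below (CNs, hostname, password) is constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config so the script does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mdm.example.test
EOF

# 1. Root CA: stands in for the public root already present on the devices.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
  -config ca.cnf -extensions ca_ext -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate CA signed by the root (the "intermediary CA" of the thread).
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile ca.cnf -extensions ca_ext -out int.pem 2>/dev/null

# 3. Server (leaf) certificate for the MDM site, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "/CN=mdm.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile ca.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null

# Client that trusts only the root, server sends just the leaf:
# nothing links the leaf to the root, so validation fails (exit status 2,
# "unable to get local issuer certificate").
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Same client, but the server also presents the intermediate. -untrusted
# models a cert supplied by the peer rather than pre-installed: the chain
# now closes at the root and validation succeeds.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}

# Build the PFX the way a bundle with an intermediate is built: -certfile
# adds the intermediate next to the leaf and its key.
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile int.pem \
  -passout pass:changeit -out mdm.pfx

# Number of certificates stored in the PFX (expected 2: leaf + intermediate).
# A server that honours the bundle should present both of them.
pfx_cert_count() {
  openssl pkcs12 -in mdm.pfx -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if verify_leaf_only; then
  echo "leaf only: OK (unexpected)"
else
  echo "leaf only: FAILS (intermediate missing from what the server sends)"
fi
if verify_with_chain; then
  echo "leaf + intermediate: OK"
fi
echo "certificates bundled in mdm.pfx: $(pfx_cert_count)"
```

To check what a live server actually presents, the same comparison the thread did with an online checker can be done locally with `openssl s_client -connect <host>:9980 -showcerts`: the output lists every certificate the server sent, so a listing with only the leaf confirms the behaviour described above, and a listing with leaf plus intermediate matches the Tomcat result.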
