Skip navigation

Can't enroll devices with Profile Manager - invalid key

16235 Views 26 Replies Latest reply: Nov 4, 2013 4:25 PM by Phil_O RSS
1 2 Previous Next
The Teknologist Level 1 Level 1 (15 points)
Currently Being Moderated
Jul 28, 2011 5:18 PM

n my case I can install profiles on devices from Profile Manager page but I cannot enroll devices.


The certificate I download to enroll is reject by my MacBook Pro Lion: Says Invalid blablabla at the end:


Screen Shot 2011-07-29 at 2.12.46 AM.PNG


Now I have done log research and I now exactly and understand why it doesn't work:


the scep_helper daemon is supposed to listen to port 1640 TCP (which you should forward to your server by the way, if you want to be able to enroll devices) and provide the requsting client the root CA that signed the certificate. In my case, it can't find the root CAT to provide the client with so it can finalize the cert validation process.


In my case, that's what I see in the log:


Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300

Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300

Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL

Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.



No , as for the bad news: I have no idea on how to fix. Have dug into scep_helper, googled etc. Not a single clue on how to check it's configuration or even why it can't find the root CA. By the way everyhting else (I really mean everything, ical,cardav,web,wiki etc.) work great. And profile manager too, it's just the enroll thingy that doesn't work. And the root CA cert is in /etc/certificates. My server a legit Class 1 SSL cert signed by a system trsuted CA (Startfiel to name it)


I have tried with other certs etc... It's a no go.


Can anyone help ??


How can I add that missing CA Cert in opendirectory ?

Mac OS X (10.7)
  • applepai Calculating status...

    I have the same issue. Been looking for a solution also.

  • matwyn Calculating status...

    If you go to the mydevices page under profiles there is the Trust Profile for....  You need to download that, isntall it in the System keychain (in Lion, just install it in iOS) and then you'll be able to enroll your devices/Macs. 


    It's because for SCEP, and indeed MDM, to work both parties need to trust each other, and with a self-signed certificate like you have here (and indeed everyone does unless they buy one) the only eay to achieve that trust is to download the cert first.


    Hope that helps!

  • applepai Level 1 Level 1 (0 points)

    Matwyn, I've done as you've said with the same failed result. I'm shaking my head as to why.

  • matwyn Level 1 Level 1 (10 points)

    Ok, I'll assume nothing from now on.  Have you run ;


    serveradmin settings devicemgr


    to see what output you get from it? There should be 3 entries in there pertaining to the Code Sigining Cert, Chain and Key

  • matwyn Level 1 Level 1 (10 points)

    output it to a file like you said;


    serveradmin settings devicemgr >> path_to_file


    Modify it in TextWrangler etc and then push it back in doing the opposite


    serveradmin settings devicemgr < path_to_file



  • matwyn Level 1 Level 1 (10 points)

    You're welcome, let me how know how you get on.



  • Eric Kaiser1 Calculating status...

    I had a similar problem.  I deleted any existing profiles then connected the MBP to the same LAN as the server via wired ethernet.  I downloaded the Trust Profile via the web interface, then enrolled the rest of the profiles.  Worked for me, and I was receiving the exact same error message dialog box.

1 2 Previous Next


More Like This

  • Retrieving data ...

Bookmarked By (7)


  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.