In my case I can install profiles on devices from the Profile Manager page but I cannot enroll devices.


The certificate I download to enroll is rejected by my MacBook Pro (Lion): it says "Invalid blablabla" at the end:


Now I have done some log research and I know exactly and understand why it doesn't work:


The scep_helper daemon is supposed to listen on port 1640 TCP (which you should forward to your server by the way, if you want to be able to enroll devices) and provide the requesting client with the root CA that signed the certificate. In my case, it can't find the root CA to provide the client with so it can finalize the cert validation process.


In my case, that's what I see in the log:


Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300

Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300

Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL

Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.



Now, as for the bad news: I have no idea how to fix it. I have dug into scep_helper, googled etc. Not a single clue on how to check its configuration or even why it can't find the root CA. By the way, everything else (I really mean everything: iCal, CardDAV, web, wiki etc.) works great. And Profile Manager too, it's just the enroll thingy that doesn't work. And the root CA cert is in /etc/certificates. My server has a legit Class 1 SSL cert signed by a system trusted CA (Startfiel to name it).


I have tried with other certs etc... It's a no go.


Can anyone help?


How can I add that missing CA cert in Open Directory?

    I have the same issue. Been looking for a solution also.

    Well, what drives me nuts is that I know exactly why it doesn't work but can't fix it because of the lack of documentation....


    Pretty amazing for a system based on open-source stacks/libs/frameworks, if you ask me...


    If anyone has some pointers for scep_helper docs / config please let me know...


    I'll probably try looking in the Mac Developer Center at Apple...

    If you go to the mydevices page under profiles there is the Trust Profile for....  You need to download that, install it in the System keychain (in Lion; in iOS, just install it) and then you'll be able to enroll your devices/Macs.


    It's because for SCEP, and indeed MDM, to work both parties need to trust each other, and with a self-signed certificate like you have here (and indeed everyone does unless they buy one) the only way to achieve that trust is to download the cert first.


    Hope that helps!

    Matwyn, I've done as you've said with the same failed result. I'm shaking my head as to why.

    Hi matwyn,


    I hadn't noticed you replied to this post too. Are you tracking me? ;-)


    Please read my post carefully.


    I have a legit purchased cert (their root CA is already bundled in 99% of OSes and browsers), no need to add a CA. I did clearly mention it in the post.



    I think that what happens is that the intermediate certificate generated for code signing was generated at the time I used a self-signed one (just after the install).


    When I switched to my purchased certificate, everything changed except that the code signing certificate is still used to sign profiles, and as I deleted the old self-signed certificates, it can't find the self-signer CA anymore....


    I have created a new code signing cert but my Profile Manager pane is frozen on "loading...", as I posted in another discussion, so I can't switch the signing to that new cert....


    Any way to do the Profile Manager config from the command line?


    I am pretty sure I just need to switch the code signing certificate, but can't find how to do it from the command line...


    Anyone?

    Ok, I'll assume nothing from now on. Have you run:


    serveradmin settings devicemgr


    to see what output you get from it? There should be 3 entries in there pertaining to the Code Signing Cert, Chain and Key.

    You just gave me an idea.


    I will try saving the output to a file settings.txt,


    edit it by hand to change it to my new code signing cert and load it.


    Do I load it with redirection?:


    serveradmin settings < settingsmodified.txt



    Is there any way to load those changed settings?


    Thx for your help !

    Output it to a file like you said:


    serveradmin settings devicemgr >> path_to_file


    Modify it in TextWrangler etc. and then push it back in doing the opposite:


    serveradmin settings devicemgr < path_to_file
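A scripted form of the dump/edit/load procedure described above, as an added example that is neither the thread's nor Apple's code. It assumes the devicemgr key names and /etc/certificates file layout quoted in this thread, and works on the captured settings text with grep/sed rather than calling serveradmin, so it runs anywhere:

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: rewrite the three
# devicemgr CodeSigning* keys printed by `serveradmin settings devicemgr` so
# they point at a different identity in /etc/certificates, and check that the
# files those keys reference exist before feeding the lines back in with
# `serveradmin settings < file`, the procedure described above.

# Constructed sample of `serveradmin settings devicemgr` output, trimmed to
# the relevant keys (the values mirror the ones quoted in this thread).
SAMPLE_SETTINGS='devicemgr:enableCodeSigning = yes
devicemgr:CodeSigningPrivateKey = "/etc/certificates/ Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.key.pem"
devicemgr:apns_active = yes
devicemgr:CodeSigningAuthorityChain = "/etc/certificates/ Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.chain.pem"
devicemgr:CodeSigningCertificate = "/etc/certificates/ Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.cert.pem"'

# rewrite_codesigning SETTINGS_TEXT IDENTITY [CERTDIR]
# IDENTITY is the file stem of the new identity, i.e. the name before
# .cert.pem / .chain.pem / .key.pem (assumed to contain no '#' or '&');
# CERTDIR defaults to /etc/certificates. Prints only the three CodeSigning
# keys; serveradmin accepts a subset of keys, so that is enough to load back.
rewrite_codesigning() {
    settings=$1; ident=$2; certdir=${3:-/etc/certificates}
    printf '%s\n' "$settings" \
      | grep -E '^devicemgr:CodeSigning(Certificate|AuthorityChain|PrivateKey) = ' \
      | sed -E 's#"[^"]*\.(cert|chain|key)\.pem"#"'"$certdir/$ident"'.\1.pem"#'
}

# check_codesigning_files SETTINGS_LINES
# Verifies that every quoted path in the CodeSigning* lines is a readable
# file; lists the missing ones on stderr and returns 1 if any is absent.
# A dangling path here is the kind of misconfiguration the thread is chasing.
check_codesigning_files() {
    missing=$(printf '%s\n' "$1" \
      | sed -En 's/^devicemgr:CodeSigning[A-Za-z]+ = "([^"]*)"$/\1/p' \
      | while IFS= read -r p; do [ -r "$p" ] || printf '%s\n' "$p"; done)
    if [ -n "$missing" ]; then
        printf 'missing or unreadable:\n%s\n' "$missing" >&2
        return 1
    fi
}

# Demo: re-point the keys at the identity the thread creates later.
rewrite_codesigning "$SAMPLE_SETTINGS" \
    "Code Signing.9B56B51A18C3E27E01A624E5B53E18065477E641"
```

Run check_codesigning_files on the rewritten lines before loading them; only feed them to `serveradmin settings` once all three files resolve.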



    I am going to try that tomorrow and I'll update here on the outcome!


    Hope it won't break everything. Every time I change some setting on Lion Server I pray it won't go crazy.


    The lion is very fragile. How much nonsense is that! ;-)



    Thanks for giving me the idea Matt!

    You're welcome, let me know how you get on.



    Well it's a no go...


    teknologism:root root# serveradmin settings < ./devicemgr.settings

    2011-07-29 15:40:01.022 serveradmin[19480:307] Exception in doCommand for module servermgr_devicemgr on thread 0x7fa609416b20: *** -[NSConcreteFileHandle fileDescriptor]: unknown error

    2011-07-29 15:40:01.023 serveradmin[19480:307] --request was {

        command = writeSettings;

        configuration =     {

            CodeSigningAuthorityChain = "/etc/certificates/ Code Signing.9B56B51A18C3E27E01A624E5B53E18065477E641.chain.pem";

            CodeSigningCertificate = "/etc/certificates/ Code Signing.9B56B51A18C3E27E01A624E5B53E18065477E641.cert.pem";

            CodeSigningPrivateKey = "/etc/certificates/ Code Signing.9B56B51A18C3E27E01A624E5B53E18065477E641.key.pem";



    Here is some more info...


    teknologism:root root# serveradmin settings devicemgr

    devicemgr:SSLAuthorityChain = "/etc/certificates/ 91FE.chain.pem"

    devicemgr:od_active = yes

    devicemgr:ssl_active = yes

    devicemgr:enableCodeSigning = yes

    devicemgr:updated_at = 2011-07-28 16:04:52 +0000

    devicemgr:email_delivery_method = ""

    devicemgr:CodeSigningPrivateKey = "/etc/certificates/ Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.key.pem"

    devicemgr:apns_active = yes

    devicemgr:CodeSigningAuthorityChain = "/etc/certificates/ Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.chain.pem"

    devicemgr:default_profile_created_at_least_once = yes = yes = yes = yes = yes = yes

    devicemgr:email_authentication = ""

    devicemgr:email_port = 25

    devicemgr:email_username = ""

    devicemgr:id = 1

    devicemgr:last_modified_guid = ""

    devicemgr:SSLPrivateKey = "/etc/certificates/ 91FE.key.pem"

    devicemgr:od_master = ""

    devicemgr:apns_topic = ""

    devicemgr:email_password = ""

    devicemgr:mdm_acl = 2047

    devicemgr:user_timeout = 43200

    devicemgr:server_organization = ""

    devicemgr:SSLCertificate = "/etc/certificates/ 91FE.cert.pem"

    devicemgr:created_at = 2011-07-24 11:47:33 +0000

    devicemgr:email_address = ""

    devicemgr:email_domain = ""

    devicemgr:CodeSigningCertificate = "/etc/certificates/ Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.cert.pem"

    devicemgr:email_server_address = ""

    devicemgr:admin_session = ""





    The 3 CodeSigning certs/keys are in /etc/certificates and their permissions are correct.


    Also, don't ask me why, but my Profile Manager pane is working again. It shows all the config... but I can't modify anything: as soon as I try to modify it, it spins the waiting wheel forever... I guess it's the same error as the command-line serveradmin...

    Digging a bit further, there doesn't seem to be any problem with my OD config. Both CA certs are there.

    1 for the SSL connections (

    1 for the code signing (IntermediateCA_TEKNOLOGISM...)


    Does anyone have a clue?

    I had a similar problem.  I deleted any existing profiles then connected the MBP to the same LAN as the server via wired ethernet.  I downloaded the Trust Profile via the web interface, then enrolled the rest of the profiles.  Worked for me, and I was receiving the exact same error message dialog box.

