IOS8 OTA SCEP enrollment fails on second install

I have a profile and SCEP server that have been working fine for several years now. However on devices running IOS8 or higher the SCEP enrollment fails if it is done a second time (different certificate). The OTA Certificate enrollment process works on IOS7 devices as many times as needed.

relevant IOS7 log for a second certificate installation based on the same config/ca/signing cert etc.:

profiled[1397] <Notice>: (Note ) MC: Retrieving profile from OTA Profile service...

profiled[1397] <Notice>: (Note ) MC: Received final profile: com.myConfig.profile

profiled[1397] <Notice>: (Note ) MC: Beginning profile installation...

<Notice>: (Note ) MC: Profile “com.myConfig.profile” is replacing an existing profile having the same identifier.

securityd[1349] <Error>: SecDbItemInsertOrReplace INSERT failed: The operation couldn’t be completed. (com.apple.utilities.sqlite3 error 19 - reset: [19] columns ctyp, issr, slnr, agrp, sync are not unique sql: INSERT INTO cert(rowid,cdat,mdat,ctyp,cenc,labl,alis,subj,issr,slnr,skid,pkhh,data,agrp,pdm n,sync,tomb,sha1)VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?))

securityd[1349] <Error>: securityd_xpc_dictionary_handler profiled[1397] add The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,85233947,L,dku,apple,0,ctyp,cenc,labl,subj,issr,slnr,pkhh,v_Data,2015030 3054909.447036Z,CF75A17F)

profiled[1397] <Error>: SecOSStatusWith error:[-25299] The operation couldn’t be completed. (OSStatus error -25299 - Remote error : The operation couldn‚Äôt be completed. (OSStatus error -25299 - duplicate item O,cert,85233947,L,dku,apple,0,ctyp,cenc,labl,subj,issr,slnr,pkhh,v_Data,2015030 3054909.447036Z,CF75A17F))

profiled[1397] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...

securityd[1349] <Error>: CFPropertyListReadFromFile file file:///Users/Library/Developer/CoreSimulator/Devices/9B6A7852-9C11-4FCC-8327-E 1BD33EA7CF5/data/Library/Keychains/accountStatus.plist: The operation couldn’t be completed. (Cocoa error 260.)

<Notice>: (Note ) MC: Issued certificate received.

securityd[1349] <Error>: SecDbItemInsertOrReplace INSERT failed: The operation couldn’t be completed. (com.apple.utilities.sqlite3 error 19 - reset: [19] columns kcls, klbl, atag, crtr, type, bsiz, esiz, sdat, edat, agrp, sync are not unique sql: INSERT INTO keys(rowid,cdat,mdat,kcls,labl,alis,perm,priv,modi,klbl,atag,crtr,type,bsiz,esi z,sdat,edat,sens,asen,extr,next,encr,decr,drve,sign,vrfy,snrc,vyrc,wrap,unwp,dat a,agrp,pdmn,sync,tomb,sha1)VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?, ?,?,?,?,?,?,?,?,?,?,?,?,?))

securityd[1349] <Error>: securityd_xpc_dictionary_handler profiled[1397] add The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,keys,0CC69ECD,L,dku,apple,0,kcls,labl,perm,priv,modi,klbl,atag,crtr,type,bsiz ,esiz,sdat,edat,sens,asen,extr,next,encr,decr,drve,sign,vrfy,snrc,vyrc,wrap,unwp ,v_Data,20150303054921.112843Z,344A0836)

<Error>: SecOSStatusWith error:[-25299] The operation couldn’t be completed. (OSStatus error -25299 - Remote error : The operation couldn‚Äôt be completed. (OSStatus error -25299 - duplicate item O,keys,0CC69ECD,L,dku,apple,0,kcls,labl,perm,priv,modi,klbl,atag,crtr,type,bsiz ,esiz,sdat,edat,sens,asen,extr,next,encr,decr,drve,sign,vrfy,snrc,vyrc,wrap,unwp ,v_Data,20150303054921.112843Z,344A0836))

profiled[1397] <Notice>: (Note ) MC: Profile “com.myConfig.profile” installed.

profiled[1397] <Notice>: (Note ) MC: Removing certificate with persistent ID 636572740000000000000005

securityd[1349] <Error>: CFPropertyListReadFromFile file file:///Users/Library/Developer/CoreSimulator/Devices/9B6A7852-9C11-4FCC-8327-E 1BD33EA7CF5/data/Library/Keychains/accountStatus.plist: The operation couldn’t be completed. (Cocoa error 260.)

<Notice>: (Note ) MC: Removing certificate with persistent ID 69646e740000000000000006

profiled[1397] <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e740000000000000007

profiled[1397] <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e740000000000000001

profiled[1397] <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e740000000000000004

Under IOS8 the initial enrollment and profile installation works. However on any subsequent enrollments the following error is thrown:

profiled[2253]: (Note ) MC: Checking for MDM installation...

profiled[2253]: (Note ) MC: ...finished checking for MDM installation.

profiled[2253]: (Note ) MC: Enrolling in OTA Profile service...

profiled[2253]: SecTrustEvaluate [leaf AnchorTrusted]

securityd[1617]: securityd_xpc_dictionary_handler profiled[2253] add The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,688B8CB6,L,dku,com.apple.certificates,0,ctyp,cenc,labl,subj,issr,slnr,pk hh,v_Data,20150303080953.465563Z,6CDCA2CB)

profiled[2253]: SecOSStatusWith error:[-25299] The operation couldn’t be completed. (OSStatus error -25299 - Remote error : The operation couldn‚Äôt be completed. (OSStatus error -25299 - duplicate item O,cert,688B8CB6,L,dku,com.apple.certificates,0,ctyp,cenc,labl,subj,issr,slnr,pk hh,v_Data,20150303080953.465563Z,6CDCA2CB))

profiled[2253]: SecTrustEvaluate [leaf AnchorTrusted]

profiled[2253]: (Note ) MC: Attempting to retrieve issued certificate...

profiled[2253]: SecTrustEvaluate [leaf AnchorTrusted ValidLeaf ValidRoot]

profiled[2253]: (Note ) MC: Issued certificate received.

securityd[1617]: securityd_xpc_dictionary_handler profiled[2253] add The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,B7CCBFFA,L,dku,com.apple.identities,0,ctyp,cenc,labl,subj,issr,slnr,pkhh ,v_Data,20150303080954.973098Z,0A162218)

profiled[2253]: SecOSStatusWith error:[-25299] The operation couldn’t be completed. (OSStatus error -25299 - Remote error : The operation couldn‚Äôt be completed. (OSStatus error -25299 - duplicate item O,cert,B7CCBFFA,L,dku,com.apple.identities,0,ctyp,cenc,labl,subj,issr,slnr,pkhh ,v_Data,20150303080954.973098Z,0A162218))

profiled[2253]: *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** setObjectForKey: key cannot be nil'

*** First throw call stack:

(

0 CoreFoundation 0x00000001057cff35 __exceptionPreprocess + 165

1 libobjc.A.dylib 0x0000000107deebb7 objc_exception_throw + 45

2 CoreFoundation 0x00000001056d6998 -[__NSDictionaryM setObject:forKey:] + 968

3 profiled 0x0000000105222227 profiled + 209447

4 profiled 0x000000010522297a profiled + 211322

5 libdispatch.dylib 0x0000000108554af4 _dispatch_client_callout + 8

6 libdispatch.dylib 0x000000010853eabb _dispatch_barrier_sync_f_invoke + 76

7 profiled 0x00000001052228f7 profiled + 211191

8 profiled 0x00000001052360e0 profiled + 291040

9 profiled 0x0000000105236a4d profiled + 293453

10 profiled 0x000000010523c60b profiled + 316939

11 profiled 0x00000001051f29ef profiled + 14831

12 libdispatch.dylib 0x000000010853aaf6 _dispatch_call_block_and_release + 12

13 libdispatch.dylib 0x0000000108554af4 _dispatch_client_callout + 8

14 libdispatch.dylib 0x000000010853f8cf _dispatch_queue_drain + 733

15 libdispatch.dylib 0x000000010853f494 _dispatch_queue_invoke + 217

16 libdispatch.dylib 0x00000001085413fa _dispatch_root_queue_drain + 479

17 libdispatch.dylib 0x00000001085422c9 _dispatch_worker_thread3 + 98

18 libsystem_pthread.dylib 0x00000001088d4637 _pthread_wqthread + 729

19 libsystem_pthread.dylib 0x00000001088d240d start_wqthread + 13

)

The error occurs as the SCEP server sends the IOS8 device the response to GetCaCert which is a static ca cert that doesn't change. I also tried deleting the installed profile before installing again but this doesn't change the observed behavior. Only a reset will allow the profile installation to succeed.

Does anybody have any ideas?