Could not sign CSR Caused by: java.io.IOException: Could not obtain certificate (template=XenmobileTest). Reason: The format of the specified domain name is invalid. 0x800704bc (WIN32: 1212)

Article ID: CTX216208

Description

After configuring Client Certificate Authentication for XMS, you do not see an issued certificate on the Issuing Server, and the Debug Log File contains the following error:

2016-08-18T12:49:32.19+0200 |   | ERROR | http-nio-10443-exec-8 | EWSession | Exception on certificate issuer
com.zenprise.zdm.pki.spi.IssuingServiceException: Could not sign CSR

    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:147)
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueCredential(AbstractIssuingAdapter.java:92)
    at com.sparus.nps.admin.impl.drivers.provisioning.CertXmlProvDeployAction.generateCertificate(CertXmlProvDeployAction.java:322)
    at com.sparus.nps.admin.impl.drivers.provisioning.CertXmlProvDeployAction.injectCertificate(CertXmlProvDeployAction.java:899)
    at com.sparus.nps.admin.impl.drivers.provisioning.CertXmlProvDeployAction.getNewCertContent(CertXmlProvDeployAction.java:984)
    at com.sparus.nps.callbacks.XmlProvCertDeployAction.getContent(XmlProvCertDeployAction.java:94)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.buildXmlCommand(XmlProvWithCertsCallback.java:524)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.buildXmlCommands(XmlProvWithCertsCallback.java:502)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback$2.call(XmlProvWithCertsCallback.java:279)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback$2.call(XmlProvWithCertsCallback.java:276)
    at com.sparus.nps.util.CallableInSession$Wrapper.callInSession(CallableInSession.java:217)
    at com.sparus.nps.util.CallableInSession.call(CallableInSession.java:146)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.digest0(XmlProvWithCertsCallback.java:282)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback$1.run(XmlProvWithCertsCallback.java:164)
    at com.sparus.nps.util.TaskInSession$Wrapper.runInSession(TaskInSession.java:216)
    at com.sparus.nps.util.TaskInSession.run(TaskInSession.java:136)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.process(XmlProvWithCertsCallback.java:173)
    at com.sparus.nps.callbacks.XmlProvWithCertsCallback.process(XmlProvWithCertsCallback.java:63)
    at com.sparus.nps.ServiceResponseBroker.invokeCallback(ServiceResponseBroker.java:338)
    at com.sparus.nps.device.services.impl.DefaultServiceResponseProcessor.handlePacket(DefaultServiceResponseProcessor.java:21)
    at com.sparus.nps.NPCBroker.notifyPacketReceived(NPCBroker.java:88)
    at com.sparus.nps.shtp.StartRequest.receivePacketsAsynchronously(StartRequest.java:294)
    at com.sparus.nps.shtp.StartRequest.receivePackets(StartRequest.java:373)
    at com.sparus.nps.shtp.StartRequest.eventRead(StartRequest.java:328)
    at com.sparus.nps.Halley.read(Halley.java:327)
    at com.sparus.nps.Halley.event(Halley.java:95)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilterEvent(ApplicationFilterChain.java:482)
    at org.apache.catalina.core.ApplicationFilterChain.doFilterEvent(ApplicationFilterChain.java:375)
    at org.apache.catalina.core.StandardWrapperValve.event(StandardWrapperValve.java:409)
    at org.apache.catalina.core.StandardContextValve.event(StandardContextValve.java:145)
    at org.apache.catalina.valves.ValveBase.event(ValveBase.java:222)
    at org.apache.catalina.core.StandardHostValve.event(StandardHostValve.java:262)
    at org.apache.catalina.valves.ValveBase.event(ValveBase.java:222)
    at org.apache.catalina.core.StandardEngineValve.event(StandardEngineValve.java:136)
    at org.apache.catalina.connector.CoyoteAdapter.event(CoyoteAdapter.java:212)
    at org.apache.coyote.http11.Http11NioProcessor.event(Http11NioProcessor.java:119)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:619)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1783)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1740)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: com.sparus.nps.pki.CertificateSigningException: Could not sign certificate
    at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:107)
    at com.zenprise.zdm.pki.util.CredentialCaFactory$CredentialCa.sign(CredentialCaFactory.java:204)
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:137)
    ... 42 more
Caused by: java.io.IOException: Could not obtain certificate (template=XenmobileTest). Reason: The format of the specified domain name is invalid. 0x800704bc (WIN32: 1212)    
    at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity0(MsCertSrvConnector.java:268)
    at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity(MsCertSrvConnector.java:207)
    at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:90)

Resolution

If you see this error in the Debug Log File, verify that the Service Account User Certificate that was imported into XMS contains the full Subject and Domain name, and that both are correct. You can check this in XMS under Settings > PKI Entities > General, comparing the values against the Service Account in AD.

If they are not correct, re-create the Service Account User Certificate and import it into XMS. Remember to link the Root CA and Intermediate Certificate to the Service Account User Certificate before doing so.
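
Checking a Debug Log File for this specific failure can be scripted. The following is an added example, not Citrix code: it takes the innermost "Caused by" entry of the trace, extracts the template and reason, and confirms that the HRESULT wraps the reported Win32 code. The function name root_cause and the abbreviated sample log are assumptions made for illustration.

```python
import re

# Constructed sample: abbreviated from the trace shown in this article.
SAMPLE_LOG = """\
2016-08-18T12:49:32.19+0200 |   | ERROR | http-nio-10443-exec-8 | EWSession | Exception on certificate issuer
com.zenprise.zdm.pki.spi.IssuingServiceException: Could not sign CSR
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:147)
Caused by: com.sparus.nps.pki.CertificateSigningException: Could not sign certificate
    at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:107)
    ... 42 more
Caused by: java.io.IOException: Could not obtain certificate (template=XenmobileTest). Reason: The format of the specified domain name is invalid. 0x800704bc (WIN32: 1212)
    at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity0(MsCertSrvConnector.java:268)
"""

CAUSE = re.compile(r"^Caused by: (?P<exc>[\w.$]+): (?P<msg>.*)$")
DETAIL = re.compile(
    r"\(template=(?P<template>[^)]+)\)\. Reason: (?P<reason>.*?)\s+"
    r"(?P<hresult>0x[0-9a-fA-F]{8}) \(WIN32: (?P<win32>\d+)\)"
)

FACILITY_WIN32 = 7  # HRESULT facility used when wrapping a Win32 error code


def root_cause(log_text):
    """Return the innermost 'Caused by' entry of the trace, parsed, or None."""
    causes = [m for line in log_text.splitlines() if (m := CAUSE.match(line.rstrip()))]
    if not causes:
        return None
    last = causes[-1]  # the last 'Caused by' is the original failure
    info = {"exception": last["exc"], "message": last["msg"]}
    d = DETAIL.search(last["msg"])
    if d:
        hresult = int(d["hresult"], 16)
        info.update(
            template=d["template"],
            reason=d["reason"],
            hresult=hresult,
            win32=int(d["win32"]),
            # Failure bit set, facility 7, low 16 bits equal to the Win32 code
            consistent=((hresult >> 31) == 1
                        and ((hresult >> 16) & 0x7FF) == FACILITY_WIN32
                        and (hresult & 0xFFFF) == int(d["win32"])),
        )
    return info


if __name__ == "__main__":
    print(root_cause(SAMPLE_LOG))
```

A result with win32 equal to 1212 and the template name of your PKI entity identifies the condition this article describes; any other code points to a different cause.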

Problem Cause

An incorrect Subject/Domain name is sent in the request to the Issuing Server.

Issue/Introduction

After configuring Client Certificate Authentication for XMS, you do not see a Client Certificate issued on the Issuing Server.

Additional Information

XenMobile – Configure Certificate Based Authentication
https://www.citrix.com/blogs/2013/12/10/xenmobile-configure-certificate-based-authentication/