Endpoint Management | Issues deploying Credential policy with Discretionary CA - PKIs

Endpoint Management | Issues deploying Credential policy with Discretionary CA - PKIs

book

Article ID: CTX322737

calendar_today

Updated On:

Description

After trying to deploy a credential policy, the device Assigned Policies* section shows the following error from the Failed Column:

*Path: Dashboard > Manage > Devices > %Device% > Edit > Assigned Policies
 

image.png


- Type: Credentials
- Comment: Command preparation failed: com.sparus.nps.iphone.mobileconfig.MobileConfigException: Could not create mobile config xxxxxxxxxxxx


- Device SecureHub Log Errors:
 

Line 83: " 2021-07-21T16:25:17.053-0500 ",<MAM>,DEBUG1 (6),-[CertificateManagerInterface getClientCertCredentialsOutCertificateID:],"SecPKCS12Import failed with -26275",-,com.citrix.me_at_work_certificatemanagerInterface_dispatch_queue,ea13,Secure Hub,/Users/jenkins/jenkins/workspace/iOS_SecureHub/AppStore/MDM/Common/Source/CertificateManagement/CertificateManagerInterface.m,331

Line 84: " 2021-07-21T16:25:17.053-0500 ",<MAM>,DEBUG1 (6),-[CertificateManagerInterface getClientCertCredentialsOutCertificateID:],"mdmProvidedClientCertificateCredential failed and returning nil",-,com.citrix.me_at_work_certificatemanagerInterface_dispatch_queue,ea13,Secure Hub,/Users/jenkins/jenkins/workspace/iOS_SecureHub/AppStore/MDM/Common/Source/CertificateManagement/CertificateManagerInterface.m,340

Line 84: " 2021-07-21T16:25:17.053-0500 ",<MAM>,DEBUG1 (6),-[CertificateManagerInterface getClientCertCredentialsOutCertificateID:],"mdmProvidedClientCertificateCredential failed and returning nil",-,com.citrix.me_at_work_certificatemanagerInterface_dispatch_queue,ea13,Secure Hub,/Users/jenkins/jenkins/workspace/iOS_SecureHub/AppStore/MDM/Common/Source/CertificateManagement/CertificateManagerInterface.m,340

- Errors in Citrix Endpoint Management logs:


2021-07-21T21:59:35.309+0000 | "user.id=xxxxxxx" "session.id=" "client.ip=xxx.xxx.xxx.xxx" "push.info=[UID=xxxxx,usr=xxxxx@xxx.xx.xxx.xx,dev=xxxxx]" "transaction.id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" | ERROR | http-nio-10080-exec-7 | com.sparus.nps.apple.push.ApplePush | Command preparation threw an Exception. Skipping command: type=InstallProfile, identifier=com.zenprise.zdm.push.apple.InstallProfile.ServiceMasterDeployUserCert, description=Installs profile 'UserCert' on the device com.sparus.nps.iphone.mobileconfig.MobileConfigException: Could not create mobile config ServiceMasterDeployUserCert
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPList(MobileConfig.java:477) ~[nps.jar:?]
    at com.sparus.nps.apple.push.commands.InstallProfileCommand.asBinary(InstallProfileCommand.java:329) ~[nps.jar:?]
    at com.sparus.nps.apple.push.commands.InstallProfileCommand.prepare(InstallProfileCommand.java:278) ~[nps.jar:?]
    at com.sparus.nps.apple.push.ApplePush.sendNextCommand(ApplePush.java:764) [nps.jar:?]
    at com.sparus.nps.apple.push.ApplePush.handleNotNow(ApplePush.java:630) [nps.jar:?]
    at com.sparus.nps.apple.push.ApplePush.process0(ApplePush.java:542) [nps.jar:?]
    at com.sparus.nps.apple.push.ApplePush.process(ApplePush.java:467) [nps.jar:?]
    at com.sparus.nps.ios.push.MdmServlet.doPut(MdmServlet.java:456) [nps.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:651) [servlet-api.jar:?]
    at com.sparus.nps.context.HttpServletWithActionContext.service(HttpServletWithActionContext.java:18) [nps.jar:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:?]
    ... suppressed 2 lines
    at com.zenprise.security.securityfilter.IpFilter.doFilter(IpFilter.java:57) [nps.jar:?]
    ... suppressed 2 lines
    at com.github.ziplet.filter.compression.CompressingFilter.doFilter(CompressingFilter.java:304) [ziplet-2.1.2.jar:?]
    ... suppressed 2 lines
    at org.springframework.orm.hibernate5.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:156) [spring-orm-5.3.7.jar:5.3.7]
    ... suppressed 3 lines
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.0.53]
    ... suppressed 6 lines
    at com.zenprise.zdm.util.tomcat.ParamDecoderFilter.doFilter(ParamDecoderFilter.java:52) [nps.jar:?]
    ... suppressed 2 lines
    at com.sparus.servlet.filter.HTTPRequestEncodingFilter.doFilter(HTTPRequestEncodingFilter.java:30) [nps.jar:?]
    ... suppressed 2 lines
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176) [urlrewritefilter-4.0.4.jar:4.0.4]
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) [urlrewritefilter-4.0.4.jar:4.0.4]
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) [urlrewritefilter-4.0.4.jar:4.0.4]
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389) [urlrewritefilter-4.0.4.jar:4.0.4]
    ... suppressed 2 lines
    at com.citrix.multi_tenant.filter.MultiTenantHostFilter.doFilter(MultiTenantHostFilter.java:45) [common-interfaces.jar:?]
    ... suppressed 2 lines
    at com.zenprise.security.securityfilter.XmsSecurityFilter.doFilter(XmsSecurityFilter.java:40) [nps.jar:?]
    ... suppressed 9 lines
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1152) [tomcat-coyote.jar:8.0.53]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684) [tomcat-coyote.jar:8.0.53]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539) [tomcat-coyote.jar:8.0.53]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495) [tomcat-coyote.jar:8.0.53]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_262]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_262]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.53]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_262]
Caused by: java.lang.IllegalStateException: Could not create payload
    at com.sparus.nps.iphone.payload.PKICredential.toPayloadDict(PKICredential.java:139) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.createPayload(MobileConfig.java:391) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPDict(MobileConfig.java:422) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPList(MobileConfig.java:473) ~[nps.jar:?]
    ... 62 more
Caused by: com.zenprise.zdm.pki.spi.IssuingServiceException: Could not sign CSR
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:150) ~[nps.jar:?]
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueCredential(AbstractIssuingAdapter.java:95) ~[nps.jar:?]
    at com.sparus.nps.iphone.payload.PKICredential.createPayload(PKICredential.java:90) ~[nps.jar:?]
    at com.sparus.nps.iphone.payload.PKICredential.toPayloadDict(PKICredential.java:136) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.createPayload(MobileConfig.java:391) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPDict(MobileConfig.java:422) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPList(MobileConfig.java:473) ~[nps.jar:?]
    ... 62 more
Caused by: com.sparus.nps.pki.CertificateSigningException: Could not sign certificate
    at com.zenprise.zdm.pki.util.DiscretionarySigningService.signRequest(DiscretionarySigningService.java:109) ~[nps.jar:?]
    at com.zenprise.zdm.pki.util.CredentialCaFactory$CredentialCa.sign(CredentialCaFactory.java:206) ~[nps.jar:?]
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:140) ~[nps.jar:?]
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueCredential(AbstractIssuingAdapter.java:95) ~[nps.jar:?]
    at com.sparus.nps.iphone.payload.PKICredential.createPayload(PKICredential.java:90) ~[nps.jar:?]
    at com.sparus.nps.iphone.payload.PKICredential.toPayloadDict(PKICredential.java:136) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.createPayload(MobileConfig.java:391) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPDict(MobileConfig.java:422) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPList(MobileConfig.java:473) ~[nps.jar:?]
    ... 62 more
Caused by: java.security.cert.CertificateException: Signature verification failed!
    at com.zenprise.zdm.pki.util.DiscretionarySigningService.generateCertificate(DiscretionarySigningService.java:492) ~[nps.jar:?]
    at com.zenprise.zdm.pki.util.DiscretionarySigningService.generateForPkcs10Request(DiscretionarySigningService.java:211) ~[nps.jar:?]
    at com.zenprise.zdm.pki.util.DiscretionarySigningService.signRequest(DiscretionarySigningService.java:104) ~[nps.jar:?]
    at com.zenprise.zdm.pki.util.CredentialCaFactory$CredentialCa.sign(CredentialCaFactory.java:206) ~[nps.jar:?]
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:140) ~[nps.jar:?]
    at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueCredential(AbstractIssuingAdapter.java:95) ~[nps.jar:?]
    at com.sparus.nps.iphone.payload.PKICredential.createPayload(PKICredential.java:90) ~[nps.jar:?]
    at com.sparus.nps.iphone.payload.PKICredential.toPayloadDict(PKICredential.java:136) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.createPayload(MobileConfig.java:391) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPDict(MobileConfig.java:422) ~[nps.jar:?]
    at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPList(MobileConfig.java:473) ~[nps.jar:?]
    ... 62 more

Resolution

  • Make sure the certificate you uploaded to the console is a full chain PFX, and not a .CER
 
  • Verify that the correct certificate is selected on the Discretionary PKI properties.

Problem Cause

The issue is caused because the certificate for the Discretionary PKI was uploaded as a client certificate (.CER file) or a Keystroke (.PFX) without selecting to export as a Full Chain certificate. Without the root/intermediate certificate installed, there is no way for Endpoint Management to verify the certificate and issue it to the device.

Additional Information

Discretionary CA: https://docs.citrix.com/en-us/citrix-endpoint-management/authentication/pki-entities.html#discretionary-cas
Powered by Wolken Software