This error is likely caused by a mismatch in the certificate key length. If you have recently changed the certificate signatures from 2k (2048-bit) to 4k (4096-bit), the issue may occur under the following conditions:
Using TPM (Trusted Platform Module):
TPM supports only 2k (2048-bit) certificates. If you switch to 4k certificates, TPM-based systems will fail to generate the new client certificate.
Not Using TPM:
If you are not using TPM and the SCEP server is configured to use 4k certificates, the SCEP client should also be configured to use 4k certificates; the client's default key length is 2048-bit. A mismatch between the server and client configurations can result in this error.
If Using TPM:
If Not Using TPM:
Note: By default, the SCEP client uses 2048-bit keys, so manual configuration is required to match 4k if that's the server setting.
When using 2k (2048-bit) signatures and attempting to obtain a new certificate through the SCEP agent, you may encounter the following error message:
This issue arises when a new client certificate is expected but not created.