Android and certs

ctchia · August 28, 2018, 6:25am

We deploy a cert with our wifi payload. With iOS devices, from a certificate authority view you see 1 cert issued and on the device you see 1 cert installed. We have just introduced Samsung A8 into our environment and when enrolling, notice from the CA 3 certs are issued but on the device see only 1. Is this normal?Thanks

adam · August 28, 2018, 8:22am

Yes. The ‘extra’ 2 are most likely your root+signing CA certs. These are not displayed enrolling iOS

ctchia · August 29, 2018, 3:18am

Hi Adam, thanks, so it’s not really 3 of the same client cert that it’s deploying, but the full chain. Am I understanding this correctly?

daniil_michine · August 29, 2018, 4:32am

When you saying you see 3 CA certs issued, where are you seeing this? Are you seeing this on PKI or within your MDM console?

ctchia · August 29, 2018, 4:58am

Hi Daniil, on the CA console itself, not MDM

daniil_michine · August 29, 2018, 5:01am

This may be timing/connection related. i.e. the first certificate does not arrive on time so MDM attempts to issue the cert again.

Compare the serial numbers to see what certificate actually ends up on your device (I assume it is the last one).

ctchia · August 29, 2018, 6:23am

yes on the device, we just see 1 cert

ctchia · August 30, 2018, 1:59am

sorry I think I misread your question the first time. The serial numbers of the 3 certs are all different.

daniil_michine · August 30, 2018, 4:32am

From the screenshot you provided the CA is being asked 3 times to issue a certificate to a device for the same purpose.

As you can see there are 3 certificates (in sequence) being issued within seconds of each other using the same user account and template.

The serial numbers are unique. However if you looking at request ID you can see that the 3 certificate are issued in sequence.

If you check the serial number of the certificate that is installed on the device does that match the last certificate in the sequence?

There are a lot of factors here that can be causing this to happen, latency, type of device, method of requesting certificates.

As long as only one cert ends up on the device this is not really an issue, just additional records appearing in the PKI console.
Challenges may be around certificate revocation as you would have to identify the certificate to revoke (or all certs can just be revoked).

adam · September 6, 2018, 2:25pm

Oh, those are actually client certs. Check you don’t have the SCEP config embedded in WiFi as well as pushed out to a label and embedded in email as well, for example - or check the box that caches the certs on Core perhaps.

ctchia · September 18, 2018, 4:05am

Hi Daniil

That’s the thing, on the device (Samsung A8), I can’t tell what serial no. is on it to match up with what I see on the CA.

Hi Adam

yes client certs, we don’t use SCEP.