Android and certs


#1

We deploy a cert with our wifi payload. With iOS devices, from a certificate authority view you see 1 cert issued and on the device you see 1 cert installed. We have just introduced Samsung A8 into our environment and when enrolling, notice from the CA 3 certs are issued but on the device see only 1. Is this normal? Thanks


#2

Yes. The ‘extra’ 2 are most likely your root+signing CA certs. These are not displayed when enrolling iOS.


#3

Hi Adam, thanks, so it’s not really 3 of the same client cert that it’s deploying, but the full chain. Am I understanding this correctly?


#4

When you say you see 3 CA certs issued, where are you seeing this? Are you seeing this on PKI or within your MDM console?


#5

Hi Daniil, on the CA console itself, not MDM


#6

This may be timing/connection related, i.e. the first certificate does not arrive on time so MDM attempts to issue the cert again.

Compare the serial numbers to see what certificate actually ends up on your device (I assume it is the last one).


#7

Yes, on the device we just see 1 cert.


#8

Sorry, I think I misread your question the first time. The serial numbers of the 3 certs are all different.


#9

From the screenshot you provided the CA is being asked 3 times to issue a certificate to a device for the same purpose.

As you can see there are 3 certificates (in sequence) being issued within seconds of each other using the same user account and template.

The serial numbers are unique. However, if you look at the request ID you can see that the 3 certificates are issued in sequence.

If you check the serial number of the certificate that is installed on the device does that match the last certificate in the sequence?

There are a lot of factors here that can be causing this to happen: latency, type of device, method of requesting certificates.

As long as only one cert ends up on the device this is not really an issue, just additional records appearing in the PKI console.
Challenges may be around certificate revocation as you would have to identify the certificate to revoke (or all certs can just be revoked).
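An added example (not from this thread) of the check Daniil describes: group the CA issuance records by requester and template, flag runs issued within seconds of each other by request ID, and, given the serial actually installed on the device, list the unused serials to revoke. The records, requester names, template name and serials are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CA issuance log (request id, time, requester, template, serial).
# All values are made up for this example, not taken from the thread.
CA_RECORDS = [
    {"request_id": 1041, "issued": "2024-05-02T09:15:02", "requester": "CORP\\jdoe",   "template": "MDM-WiFi-Client", "serial": "4A00000012"},
    {"request_id": 1042, "issued": "2024-05-02T09:15:05", "requester": "CORP\\jdoe",   "template": "MDM-WiFi-Client", "serial": "4A00000013"},
    {"request_id": 1043, "issued": "2024-05-02T09:15:09", "requester": "CORP\\jdoe",   "template": "MDM-WiFi-Client", "serial": "4A00000014"},
    {"request_id": 1044, "issued": "2024-05-02T09:40:11", "requester": "CORP\\asmith", "template": "MDM-WiFi-Client", "serial": "4A00000015"},
]


def find_duplicate_issuance(records, window_seconds=60):
    """Return [(key, run)] where key is (requester, template) and run is a list of
    consecutive records (by request id) each issued within window_seconds of the
    previous one. A run of length > 1 is the "3 certs in seconds" pattern."""
    groups = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["request_id"]):
        groups[(rec["requester"], rec["template"])].append(rec)
    runs = []
    for key, recs in groups.items():
        run = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            gap = datetime.fromisoformat(cur["issued"]) - datetime.fromisoformat(prev["issued"])
            if gap <= timedelta(seconds=window_seconds):
                run.append(cur)
            else:
                if len(run) > 1:
                    runs.append((key, run))
                run = [cur]
        if len(run) > 1:
            runs.append((key, run))
    return runs


def revocation_candidates(run, installed_serial):
    """Serials in the run that are NOT the one on the device, i.e. issued but unused.
    If the installed serial is unknown or not in the run, every serial is returned,
    matching the "or all certs can just be revoked" fallback."""
    serials = [r["serial"] for r in run]
    if installed_serial not in serials:
        return serials
    return [s for s in serials if s != installed_serial]


if __name__ == "__main__":
    for key, run in find_duplicate_issuance(CA_RECORDS):
        print(key, [r["request_id"] for r in run], "revoke:", revocation_candidates(run, "4A00000014"))
```

The device-side serial is an input here; as the thread notes, obtaining it from the Android certificate UI is the hard part.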


#10

Oh, those are actually client certs. Check you don’t have the SCEP config embedded in WiFi as well as pushed out to a label and embedded in email as well, for example - or check the box that caches the certs on Core perhaps.


#11

Hi Daniil

That’s the thing, on the device (Samsung A8), I can’t tell what serial no. is on it to match up with what I see on the CA.

Hi Adam

Yes, client certs, we don’t use SCEP.