PKI certificates fail to create "Returned certificate is not signed by specified CA"


#1

Issue:
When deploying a PKI certificate, the deployment is unsuccessful.

The following error message is seen under Device -> Delivery Groups:

Mobileconfig sent : PKI Test Policy (Command preparation failed: java.lang.RuntimeException: Could not create mobileconfig PKI Test Policy)

The following error is seen in the XMS logs:

Caused by: java.lang.IllegalStateException: Returned certificate is not signed by specified CA: PublicKeyCertificate[{CN=test, DC=test, DC=local}, serial=12345567890, trusted=false, issuer=null]

Cause:
The serial number of the certificate that has signed the CSR does not match the serial number that XenMobile expects.
This is due to a wrong Issuing CA certificate being selected in
Settings -> Credential Providers -> your credential provider -> Distribution

Resolution:
Check the serial number of the “issuing” certificate of your CA against the serial number in XenMobile. If they do not match, do the following:

  1. Upload the issuing certificate into the certificate store on XenMobile (uploading as a “Server” certificate should be sufficient)
  2. Go to Settings -> PKI Entities -> Modify your PKI Entity -> CA Certificates and select the new certificate
  3. Go to Settings -> Credential Providers -> your credential provider -> Distribution and select the new certificate in the Issuing CA certificate drop-down box

Citrix article available here:
https://support.citrix.com/article/CTX220206
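
The check from the Resolution section, as an added example that is not part of the original post or of Citrix's tooling: it compares the serial number of the certificate exported from XenMobile with the CA's actual issuing certificate and, optionally, verifies that an issued certificate is signed by the selected one. It assumes the openssl CLI is installed and the certificates have been exported to files; all file and function names are hypothetical.

```sh
#!/bin/sh
# Added example: needs the openssl CLI. File and function names are hypothetical.

# to_pem FILE: print the certificate in FILE (PEM or DER encoded) as PEM.
to_pem() {
    openssl x509 -in "$1" -outform PEM 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -outform PEM 2>/dev/null
}

# cert_serial FILE: print the certificate's serial number in hex.
cert_serial() {
    pem=$(to_pem "$1") || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -serial | sed 's/^serial=//'
}

# same_serial A B: succeed only if both files parse and the serials are equal.
same_serial() {
    s1=$(cert_serial "$1") && s2=$(cert_serial "$2") &&
        [ -n "$s1" ] && [ "$s1" = "$s2" ]
}

# signed_by CA ISSUED: succeed only if ISSUED verifies against CA.
# -partial_chain lets an intermediate (issuing) CA act as the trust anchor.
signed_by() {
    tmp=$(mktemp -d) || return 1
    rc=1
    if to_pem "$1" > "$tmp/ca.pem" && to_pem "$2" > "$tmp/leaf.pem" &&
        openssl verify -partial_chain -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" \
            2>/dev/null | grep -q ': OK$'; then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# check_issuing_ca SELECTED ACTUAL [ISSUED]
#   SELECTED: certificate exported from the XenMobile certificate store
#   ACTUAL:   issuing certificate exported from the CA
#   ISSUED:   optional certificate returned for a CSR
check_issuing_ca() {
    echo "selected in XenMobile : $(cert_serial "$1")"
    echo "issuing CA certificate: $(cert_serial "$2")"
    same_serial "$1" "$2" || { echo "MISMATCH: select the issuing certificate"; return 1; }
    [ -z "${3:-}" ] || signed_by "$1" "$3" ||
        { echo "issued certificate is not signed by the selected CA"; return 1; }
    echo "OK"
}

# Run only when called with arguments, e.g.: sh check.sh selected.cer issuing.cer
[ "$#" -lt 2 ] || check_issuing_ca "$@"
```

`openssl verify` also checks validity dates, so an expired certificate fails the signature check even when the correct issuing CA is selected.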