Okta Device Management SCEP Profile Error "Certificate enroll failed. Result: (The hash value is not correct.)"
Devices and Mobility
Okta Identity Engine
Overview

A mismatched root Certificate Authority (CA) certificate configured in the Trusted Certificate Profile on the Mobile Device Management (MDM) causes an error that prevents the successful deployment of Simple Certificate Enrollment Protocol (SCEP) certificates during Device Management implementation. Re-downloading the Okta CA x509 certificate and reconfiguring the Trusted Certificate Profile resolves this issue.

 

The following errors appear in the Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement > Enterprise > Diagnostic > Provider > Admin:

 

SCEP: Certificate enroll failed. Result: (The hash value is not correct.).

 

Event ID:           32
Task Category:      None
Level:              Error
User:               DESKTOP-1234567\Oktalab.User
Computer:           DESKTOP-1234567
Description:
SCEP: Certificate enroll failed. Result: (The hash value is not correct.).

 

The following error may precede the previous error:

 

SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'https://<OktaSubDomain>.okta.com/<SCEP URL>/pkiclient.exe', CA cert thumbprint 12345678910abcdefghijk1a2b3)

 

Event ID:           307
Task Category:      None
Level:              Error
User:               DESKTOP-1234567\Oktalab.user
Computer:           DESKTOP-1234567
Description:
SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'https://<OktaSubDomain>.okta.com/<SCEP URL>/pkiclient.exe', CA cert thumbprint  12345678910abcdefghijk1a2b3)
Applies To
  • Okta Identity Engine (OIE)
  • Mobile Device Management (MDM)
  • Simple Certificate Enrollment Protocol (SCEP) Configuration Profile Deployment
  • Windows Desktop Operating System (OS)
  • Event Viewer Logs
Cause

A mismatched root Certificate Authority (CA) certificate configured in the Trusted Certificate Profile on the Mobile Device Management (MDM) deploys to the desktop device as an intermediate certificate; hence, the references to "hash value is not correct" and "CA cert thumbprint" in the errors. 

Solution

How is the SCEP certificate deployment error resolved?

 

Re-download the Okta Certificate Authority (CA) x509 certificate or generate a new x509 certificate from the CA, and reconfigure the Trusted Certificate Profile on the Mobile Device Management (MDM) to use the fresh copy of the CA certificate.

 

Download the Okta CA certificate from the Okta Admin Console, rename the file extension, and upload the certificate to the Trusted Certificate Profile in the MDM.

  1. In the Okta Admin Console, navigate to Security > Device integrations.
  2. Select the Certificate Authority tab.
  3. In the Actions column for Okta CA, select the Download x509 certificate icon.
  4. Rename the downloaded file to include a .cer extension.
  5. Upload the certificate (CER file) to the Trusted Certificate Profile in the MDM.

 

Review the Configure a Certificate Authority manual for comprehensive instructions on configuring the Trusted Certificate Profile for the MDM, including utilizing a private CA.

 

After reconfiguring the profile with a fresh copy of the CA x509 certificate, redistribute the profile to the desktop endpoints, and check the Event Viewer again to confirm that the errors have cleared.
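Before redistributing, the freshly downloaded certificate can be compared with the thumbprint reported in Event ID 307. The following is an added example, not Okta's code: it assumes the logged "CA cert thumbprint" is the SHA-1 hash of the DER encoding of the certificate the profile references (the standard Windows thumbprint), and all function names and sample values are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Matches the thumbprint field in the Event ID 307 message format quoted on this page.
EVENT_RE = re.compile(r"CA cert thumbprint\s+([0-9A-Fa-f]{40})\b")


def der_bytes(data: bytes) -> bytes:
    """Return DER bytes whether the .cer file is Base64 (PEM) or binary DER."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def cert_thumbprint(data: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over the DER encoding, upper-case hex."""
    return hashlib.sha1(der_bytes(data)).hexdigest().upper()


def thumbprint_from_event(message: str):
    """Extract the 40-hex-digit thumbprint from an event message, or None."""
    m = EVENT_RE.search(message)
    return m.group(1).upper() if m else None


def profile_matches(cert_file: bytes, event_message: str) -> bool:
    """True only if the event names the same certificate as cert_file."""
    logged = thumbprint_from_event(event_message)
    return logged is not None and logged == cert_thumbprint(cert_file)


# Constructed sample data: SAMPLE_DER is a stand-in byte string, not a real certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
STALE_DER = SAMPLE_DER[::-1]  # constructed "old" certificate left in the MDM profile
SAMPLE_EVENT = ("SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper:"
                "Failed to Initialize SCEP enrollment with NDES Server "
                "'https://<OktaSubDomain>.okta.com/<SCEP URL>/pkiclient.exe', "
                "CA cert thumbprint " + cert_thumbprint(STALE_DER).lower() + ")")

if __name__ == "__main__":
    print("fresh Okta CA download:", cert_thumbprint(SAMPLE_PEM))
    print("thumbprint in event   :", thumbprint_from_event(SAMPLE_EVENT))
    print("profile matches       :", profile_matches(SAMPLE_PEM, SAMPLE_EVENT))
```

A mismatch between the two values means the profile on the endpoint still references a certificate other than the fresh download. Hashing the Base64 text of a PEM file directly, instead of its decoded DER bytes, produces a thumbprint that never matches.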

 

NOTE: Network Device Enrollment Service (NDES) server errors indicate the SCEP procedure fails inside the MDM, outside the purview of Okta. For more information on troubleshooting this process in Microsoft Endpoint Manager (MEM), review Troubleshooting device to NDES server communication for SCEP certificate profiles in Microsoft Intune. Additionally, submit a support request to the MDM provider.

 

If errors persist after validating that the correct CA x509 certificate is configured in the Trusted Certificate Profile, review Troubleshooting Management Attestation For Desktop Devices (OIE) for further troubleshooting advice.

 

If the issue persists, contact the Okta support team by following the instructions in How to Create a Support Case.
