Okta System Logs Showing the Error "FAILURE: Error while issuing a ClientCertificate via delegated SCEP"
Devices and Mobility
Okta Identity Engine
Overview

After implementing the SCEP Certificate via Microsoft Intune (formerly Microsoft Endpoint Manager), the following error might appear in the Okta System Logs:

 

Okta System (SystemPrincipal)
Issue client certificate
FAILURE: Error while issuing a ClientCertificate via delegated SCEP

 

    Applies To
    • Okta Identity Engine (OIE)
    • Microsoft Intune / Microsoft Endpoint Manager (MEM)
    • Device Trust 2.0 / Device Integrations
    Cause

    Possible Reasons: 

    • Client secret keys for app '[application Client ID]' are expired.
    • An invalid client secret was provided.
    • A Feature Flag needs to be enabled to validate Okta as a CA (applicable to Microsoft Intune GCC High).
    • The application permissions in Azure Active Directory are the underlying cause.
    Solution

    Solution 1

    Client secret keys for app '[application Client ID]' are expired.

    1. Log in to the Azure portal to generate new keys.
    2. Check the expiration date of the Okta application from Task1.5.e of the Configure Okta as a CA with delegated SCEP challenge for Windows using MEM (formerly Intune) documentation.

    If a new one needs to be generated, add the new value in Task2.6.c of the configuration and the new SCEP URL in Task5.6.j.

    Owned application 

    Certificates & secrets 


    Solution 2

    An invalid client secret was provided.

    1. Log in to the Azure portal.
    2. From Task1.5.e, copy the Client Secret Value and not the Secret ID. This is the same value that needs to be entered in Okta.
    Intune:

    Value 

    Okta:

    AAD secret 
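
The checks behind Solutions 1 and 2, as an added example that is not Okta's or Microsoft's code: it reads a constructed sample shaped like the `passwordCredentials` property of a Microsoft Graph application object, reports expired or soon-to-expire client secrets, and flags a pasted string that is a Secret ID (a GUID) rather than a secret Value. The function names, the 30-day warning window, and every id and date in the sample are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the passwordCredentials property of a
# Microsoft Graph application object; every id and date here is made up.
SAMPLE_APP = json.loads("""
{"appId": "00000000-0000-0000-0000-000000000001",
 "passwordCredentials": [
  {"keyId": "11111111-1111-1111-1111-111111111111",
   "displayName": "okta-scep-old", "endDateTime": "2024-01-15T00:00:00Z"},
  {"keyId": "22222222-2222-2222-2222-222222222222",
   "displayName": "okta-scep-new", "endDateTime": "2026-01-15T00:00:00.1234567Z"}
 ]}
""")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_ts(value):
    """Parse a UTC timestamp, ignoring fractional seconds of any length."""
    head = re.match(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d", value).group(0)
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secret_status(app, now, warn_days=30):
    """Return (keyId, displayName, state) for each client secret (Solution 1)."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = parse_ts(cred["endDateTime"])
        if end <= now:
            state = "expired"
        elif end - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "valid"
        rows.append((cred["keyId"], cred.get("displayName"), state))
    return rows


def looks_like_secret_id(candidate, app):
    """True if the pasted string is a Secret ID (keyId), not a Value (Solution 2)."""
    text = candidate.strip().lower()
    known = {cred["keyId"].lower() for cred in app.get("passwordCredentials", [])}
    return text in known or bool(GUID_RE.match(text))


if __name__ == "__main__":
    now = datetime(2025, 12, 20, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for row in secret_status(SAMPLE_APP, now):
        print(row)
    print(looks_like_secret_id("22222222-2222-2222-2222-222222222222", SAMPLE_APP))
```

The secret Value itself is shown only once, at creation, so the expiry check works from metadata alone and never needs the secret.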

     

    If the troubleshooting steps above do not help resolve the issue, please contact Okta Support and provide the Request ID, including the specific timestamp, where this error is seen in Okta System Logs: "FAILURE: Error while issuing a ClientCertificate via delegated SCEP".

     

    Solution 3

    If an administrator is attempting to configure Dynamic SCEP Intune for a GCC High O365 tenant but is getting the error, please contact Okta Support and reference this knowledge article. 

    A Feature Flag needs to be enabled to validate Okta as a CA with Microsoft Intune GCC High.

     

    Solution 4

    The following error occurred while using the delegated Simple Certificate Enrollment Protocol (SCEP) to issue a client certificate: 

     

    Insufficient privileges to complete the operation.

     

    For more information, please see this solution: Error While Issuing a ClientCertificate via Delegated SCEP.

     