[Bug]: Unknown certificate pushed to iOS devices

SOLVED
Building a reputation

This case has been open with support since 22 May without any answer: Case 02676357

 

Hello,

 

- On iOS, *.meraki.com is pushed 2 times
- http://www.valicert.com: what is this certificate? What kind of affiliation does it have with Meraki?

 

unnamed (1).jpg

 

 

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

I have never heard of or seen valicert.com in conjunction with either Meraki or anything else.

 

Are you sure this is not being installed by some other application?

Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

Yes, I am sure; it's only on iOS devices (iPhone, iPad).

Here to help

Re: [Bug] : Unknow certificate pushed to iOS devices

valicert.com.png

 

Whatever Valicert.com is, it sure looks sketchy, looking from Umbrella.

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

This seems like a bug since valicert.com doesn't have a valid cert. It is a very old root CA that (I think) GoDaddy purchased at one point, but it's not used anymore. Perhaps @Melissa can check with the engineering team on this. 

MRCUR | CMNO #12
Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

I am also curious to know what Valicert is. A quick Google search shows it has something to do with GoDaddy, as @MRCUR stated. According to some post, it was something in the 1990s that is now being phased out due to encryption standards.

Find this helpful? Click the kudos button. Thanks!
Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

@Melissa or someone from Meraki, please?

 

Support unresponsive since 22 May.

 

We are out of means and would like answers!

Meraki Employee

Re: [Bug] : Unknow certificate pushed to iOS devices

Hi @aws_architect! I reached out to support on this and found out it is an open bug that is being investigated. It didn't appear to have any impact or cause any issues with deployments though - is that not the case in your deployment? Is it causing issues?

 

Please let us know!

Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

Hello Melissa,

 

Yes, a big security concern!

Having an unknown certificate from a weird domain pushed to my devices, and no answer since May, makes me voiceless.

 


@Melissa wrote:

Hi @aws_architect! I reached out to support on this and found out it is an open bug that is being investigated. It didn't appear to have any impact or cause any issues with deployments though - is that not the case in your deployment? Is it causing issues?

 

Please let us know!


 

 

A model citizen

Re: [Bug] : Unknow certificate pushed to iOS devices

I have the same cert also. Very odd.

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

What's the name of the profile this is coming from? Is it the Meraki enrollment profile? 

MRCUR | CMNO #12
Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

8 days have passed; no news from Meraki, neither in the community nor from support.

Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

3 weeks passed...

 

Nobody seems to care about security!

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

@aws_architect you are not the only person that has seen this issue; it is a bug, and I am sure if it was a security risk something would have been said. It is most likely an old signing authority cert that's no longer being used.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

Case 02676357 from May 22, 2018 03:19 

 

If it's an old certificate and they have not been able to fix this since 22 May 2018, then we have a problem here:

It doesn't look like something that needs heavy development...

 

When is this OLD cert going to be removed?

 

I am waiting to enroll our iOS devices, and there is no way that I will do so with an UNKNOWN certificate from a weird domain pushed to my corporate devices...

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

Does it happen with all of your devices? What models are they, and are you using the free or paid version of Systems Manager?

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

Thank you @BlakeRichardson

 

-iPhone

-iPads

 

iOS to make it simple.

 

Paid version

 

We don't use the legacy MDM

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

@aws_architect what models of iPad and iPhone exactly, are they recent models or older hardware?

 

Do you have any iOS devices that don't have this issue?

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

iPhone X

iPhone 7

iPad Pro and older generation 

 

All that I have tested have the same behavior

 

1 - Duplicated *.meraki.com

2 - This unknown certificate 

Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

Actually, here on the doc screenshot as well:

 

https://documentation.meraki.com/SM/Profiles_and_Settings/Credentials_Payload_(Pushing_Certificates)

 

 

Also here:

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and...

 

But it's not pushed to macOS any more, because I haven't seen it.

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

If it's in their documentation I wouldn't be concerned. I've just looked at one of my devices in closer detail and those certs are there.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

If you don't want to be concerned by an OLD, 3rd-party certificate from a fishy domain, it is up to you.

 

I am concerned, and I guess I am not the only one.

 

What is this 3rd-party certificate?

Why is *.meraki.com pushed twice?

 

 

 

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

The root certificate is documented in the link you provided.

 

No one else is concerned the deployed root certificates match the documentation.

 

I think you are the only person concerned.

Kind of a big deal

Re: [Bug] : Unknow certificate pushed to iOS devices

I don't see how it's an old certificate when it's not expired... Meraki have obviously chosen GoDaddy and Valicert as their certificate providers.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI
Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

Then don't come crying the day that all your devices are compromised; no kidding with security.

 

I suggest, if you are not concerned, that you answer other posts and don't hijack my concern without being constructive.

 

We are in 2018 and this CA was phased out starting in 2011...

 

 

 

The "ValiCert Class 2 Policy Validation Authority" root from 1999, along with about a dozen other roots from ValiCert and other CAs, are being phased out because they're only 1024 bits. 1024-bit RSA is increasingly close to being breakable (1), so the community has decided to get rid of them in an orderly manner by 2011 (2) to prevent a major security incident and panic in the coming years.

Mozilla's stated policy was to disable them some time after December 31, 2013, and they have been actively working with the CAs to do so.

In other words, yes, you have to replace it. What's the problem? I realize it's unpleasant (3), but you have to renew it annually anyway, and this is less work. Maybe your CA will be willing to compensate you for the inconvenience you've suffered as a predictable consequence of their decision to use an obsolescent technology long after its sell by date.

 

(1) I wouldn't be surprised if certain agencies could factor them -- slowly -- but I might be a little paranoid.
(2) Wait, what's today's date again?
(3) I remember Heartbleed.

 

source : https://security.stackexchange.com/questions/65508/what-is-the-deal-with-valicert-ssl-root-certifica...
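
A check for the concern raised above, as an added example that is not part of the original thread or of Meraki's tooling: it flags certificates whose RSA key is shorter than 2048 bits (the quoted objection to the 1024-bit ValiCert root) and certificates close to expiry. It assumes the certificates under review have been saved as PEM files; the thresholds, file names and the two throwaway self-signed certificates are constructed for the example.

```shell
#!/bin/sh
# Added example: flag CA certificates with short RSA keys or near expiry.
# MIN_BITS and WARN_DAYS are assumed thresholds, not values from the thread.
MIN_BITS=2048
WARN_DAYS=30

# Print the RSA modulus size of a PEM certificate (nothing for non-RSA keys).
cert_rsa_bits() {
  openssl x509 -in "$1" -noout -text | awk '
    /Public Key Algorithm:/ { rsa = ($0 ~ /rsaEncryption/) }
    rsa && /Public-Key: \(/ { gsub(/[^0-9]/, ""); print; exit }'
}

# Print WEAK_KEY, EXPIRING, both (comma-separated) or OK for one certificate.
audit_cert() {
  ac_findings=""
  ac_bits=$(cert_rsa_bits "$1")
  if [ -n "$ac_bits" ] && [ "$ac_bits" -lt "$MIN_BITS" ]; then
    ac_findings="WEAK_KEY"
  fi
  # -checkend exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
    ac_findings="${ac_findings:+$ac_findings,}EXPIRING"
  fi
  echo "${ac_findings:-OK}"
}

# Constructed sample input: two throwaway self-signed certificates.
make_samples() {
  openssl req -x509 -newkey rsa:1024 -nodes -days 1 \
    -subj "/CN=Constructed Legacy Root" \
    -keyout "$1/legacy.key" -out "$1/legacy.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Modern Root" \
    -keyout "$1/modern.key" -out "$1/modern.pem" 2>/dev/null
}

# Audit every *.pem file in a directory, one line per certificate.
audit_dir() {
  for ad_file in "$1"/*.pem; do
    printf '%s\t%s\n' "$(basename "$ad_file")" "$(audit_cert "$ad_file")"
  done
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_dir "$demo_dir"
rm -rf "$demo_dir"
```

Elliptic-curve certificates are deliberately skipped by the key-size check, since their bit lengths are not comparable to RSA modulus sizes.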

Getting noticed

Re: [Bug] : Unknow certificate pushed to iOS devices

FYI, the certificate expires in about 26 hours....

New here

Re: [Bug] : Unknow certificate pushed to iOS devices

19 hours and it is surprising that nobody from Meraki has addressed this issue.  I share the OP's concern for security.  I find it very odd that this forum isn't populated by more folks that feel that way.  A simple "chime in" from support would've been nice.  I guess they just want the calls.

Meraki Employee

Re: [Bug] : Unknow certificate pushed to iOS devices

Hello,

I checked internally with our support team and was advised that this issue should be resolved. Newly enrolled devices should have their management profile updated and should not have the cert in question.

If you are still seeing this behavior or have any additional concerns, I would recommend reaching out to our support team via the usual channel (submit a support case or call into the support hotline). They are lovely people and would be happy to help answer any questions or additional concerns.

Cheers!
-Alex

If this was helpful, click the Kudos button below.
Please mark it as a solution if solved your issue so others can benefit from it
Building a reputation

Re: [Bug] : Unknow certificate pushed to iOS devices

Very happy to see that a 1 year and 2 months security issue has been solved a few hours before the certificate expiration!

Thank you all
New here

Re: [Bug] : Unknow certificate pushed to iOS devices

Hi Alex,

 

We have multiple devices with this cert still attached to it.

 

The only way I have been able to get rid of it is to remove and re-add the Meraki profile. With all our devices in the field, this isn't an easy task and one that isn't going to happen unless an iPad has an issue.

 

Interestingly, since the cert has expired, some iPads that went offline before the cert expiry, are losing their enrolment and any subsequent control when they are powered on again. The Meraki profile can no longer be removed and the only option is to erase using Configurator back at head office (with the broken profile on the iPad, erase all content and settings is disabled.)

 

I am not sure that the cert expiry is causing this, it is just that this issue wasn't encountered before the cert expired.

 

I raised a ticket about the cert and the response from support was that the cert should have disappeared as it is expired and Apple won't allow it on the iPad.

 

Any thoughts?

Meraki Employee

Re: [Bug] : Unknow certificate pushed to iOS devices

@Goodline

 

Upon checking with support, I've learned that the expired cert should not cause functionality impact to previously enrolled devices. It sounds like it might be a coincidence and something else is preventing the iPads from being able to check-in with dashboard.

 

I would suggest continuing to work with support if you have more of these broken instances, and providing them with device logs so that they can help you investigate further.

 

Cheers,

-Alex

If this was helpful, click the Kudos button below.
Please mark it as a solution if solved your issue so others can benefit from it