[Bug] : Unknow certificate pushed to iOS devices

Solved
aws_architect
Building a reputation

This case has been open with support since 22 May without any answer: Case 02676357

Hello,

- On iOS, *.meraki.com is pushed twice.
- http://www.valicert.com: what is this certificate? What kind of affiliation does it have with Meraki?

(attached screenshot: unnamed (1).jpg)

32 Replies
PhilipDAth
Kind of a big deal

I have never heard or seen valicert.com in conjunction with either Meraki - or anything else.
Are you sure this is not being installed by some other application?

aws_architect
Building a reputation

Yes, I am sure; it's only on iOS devices (iPhone, iPad).

Simo-s_h
Here to help

(attached screenshot: valicert.com.png)

Whatever Valicert.com is, it sure looks sketchy when looking at it from Umbrella.

MRCUR
Kind of a big deal

This seems like a bug since valicert.com doesn't have a valid cert. It is a very old root CA that (I think) GoDaddy purchased at one point, but it's not used anymore. Perhaps @Melissa can check with the engineering team on this. 

MRCUR | CMNO #12
jared_f
Kind of a big deal

I am curious to also know what Valicert is. A quick Google search shows it has something to do with GoDaddy, as @MRCUR stated. According to some posts, it was something from the 1990s that is now being phased out due to encryption standards.

Find this helpful? Click the kudos button. Thanks!
aws_architect
Building a reputation

@Melissa or someone from Meraki, please?

Support has been unresponsive since 22 May.

We are out of options and would like answers!

Melissa
Meraki Alumni (Retired)

Hi @aws_architect! I reached out to support on this and found out it is an open bug that is being investigated. It didn't appear to have any impact or cause any issues with deployments though - is that not the case in your deployment? Is it causing issues?
Please let us know!

aws_architect
Building a reputation

Hello Melissa,

Yes, a big security concern!

Having an unknown certificate from a weird domain pushed to my devices, and no answer since May, leaves me speechless.

@Melissa wrote:

Hi @aws_architect! I reached out to support on this and found out it is an open bug that is being investigated. It didn't appear to have any impact or cause any issues with deployments though - is that not the case in your deployment? Is it causing issues?

Please let us know!

MikeMandalorian
A model citizen

I have the same cert also. Very odd.

aws_architect
Building a reputation

8 days have passed, and no news from Meraki, neither in the community nor from support.

aws_architect
Building a reputation

3 weeks have passed...

Nobody seems to care about security!

BlakeRichardson
Kind of a big deal

@aws_architect, you are not the only person that has seen this issue. It is a bug, and I am sure if it was a security risk something would have been said. It is most likely an old signing authority cert that's no longer being used.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
aws_architect
Building a reputation

Case 02676357 from May 22, 2018 03:19

If it's an old certificate and they have not been able to fix this since 22 May 2018, then we have a problem here:

It doesn't look like something that needs heavy development...

When is this OLD cert going to be removed?

I am waiting to enroll our iOS devices, and there is no way that I do so with an UNKNOWN certificate from a weird domain pushed to my corporate devices...

BlakeRichardson
Kind of a big deal

Does it happen with all of your devices? What models are they? Are you using the free or paid version of Systems Manager?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
aws_architect
Building a reputation

Thank you @BlakeRichardson

- iPhone
- iPads

iOS, to make it simple.

Paid version.

We don't use the legacy MDM.

BlakeRichardson
Kind of a big deal

@aws_architect, what models of iPad and iPhone exactly? Are they recent models or older hardware?

Do you have any iOS devices that don't have this issue?

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
aws_architect
Building a reputation

- iPhone X
- iPhone 7
- iPad Pro and older generation

All that I have tested have the same behaviour:

1 - Duplicated *.meraki.com
2 - This unknown certificate

aws_architect
Building a reputation

Actually, it's in the documentation screenshots as well:

https://documentation.meraki.com/SM/Profiles_and_Settings/Credentials_Payload_(Pushing_Certificates)

Also here:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_Clients_for_802.1X_and...

But it's not pushed to macOS any more, because I haven't seen it there.

BlakeRichardson
Kind of a big deal

If it's in their documentation, I wouldn't be concerned. I've just looked at one of my devices in closer detail and those certs are there.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
aws_architect
Building a reputation

If you don't want to be concerned by an OLD, 3rd-party certificate from a fishy domain, that is up to you.

I am concerned, and I guess I am not the only one.

What is this 3rd-party certificate?

Why is *.meraki.com pushed twice?


PhilipDAth
Kind of a big deal

The root certificate is documented in the link you provided.

No one else is concerned; the deployed root certificates match the documentation.

I think you are the only person concerned.

BlakeRichardson
Kind of a big deal

I don't see how it's an old certificate when it's not expired... Meraki have obviously chosen GoDaddy and Valicert as their certificate providers.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
aws_architect
Building a reputation

Then don't come crying the day that all your devices are compromised; no kidding with security.

I suggest, if you are not concerned, that you answer other posts and don't hijack my concern without being constructive.

We are in 2018, and the phase-out of this CA started in 2011...

Quoted from the source linked below:

The "ValiCert Class 2 Policy Validation Authority" root from 1999, along with about a dozen other roots from ValiCert and other CAs, are being phased out because they're only 1024 bits. 1024-bit RSA is increasingly close to being breakable (1), so the community has decided to get rid of them in an orderly manner by 2011 (2) to prevent a major security incident and panic in the coming years.

Mozilla's stated policy was to disable them some time after December 31, 2013, and they have been actively working with the CAs to do so.

In other words, yes, you have to replace it. What's the problem? I realize it's unpleasant (3), but you have to renew it annually anyway, and this is less work. Maybe your CA will be willing to compensate you for the inconvenience you've suffered as a predictable consequence of their decision to use an obsolescent technology long after its sell-by date.

1 I wouldn't be surprised if certain agencies could factor them -- slowly -- but I might be a little paranoid.
2 Wait, what's today's date again?
3 I remember Heartbleed.

source: https://security.stackexchange.com/questions/65508/what-is-the-deal-with-valicert-ssl-root-certifica...
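The concern raised in this thread (a 1024-bit legacy root pushed by an MDM profile, and a certificate about to expire) is the kind of thing a defender would check mechanically rather than by eye. The program below is an added example, not code from this thread, from Meraki or from the Stack Exchange answer quoted above: it parses every certificate in a PEM bundle and flags RSA keys below 2048 bits, certificates that have already expired, and certificates expiring within a warning window. The bundle it audits is constructed in the code itself (self-signed test roots generated at runtime); none of them is the real ValiCert or Meraki certificate. Go's standard library is used because it parses X.509 with no extra dependencies, so the same `AuditPEM` function can be pointed at certificates exported from a real profile.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one concern about a certificate that an MDM profile installs.
type Finding struct {
	Subject string
	Issue   string
}

// AuditPEM walks every CERTIFICATE block in pemData and reports what a defender
// reviewing pushed trust anchors would want flagged: RSA keys below 2048 bits,
// certificates already expired, and certificates expiring within warnDays.
// The clock is injected so results are reproducible.
func AuditPEM(pemData []byte, now time.Time, warnDays int) ([]Finding, error) {
	var findings []Finding
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no more PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other PEM payloads
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		subj := cert.Subject.CommonName
		// 1024-bit RSA roots were phased out by browsers; flag anything below 2048.
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
			findings = append(findings, Finding{subj, fmt.Sprintf("weak RSA key: %d bits", pub.N.BitLen())})
		}
		warn := now.Add(time.Duration(warnDays) * 24 * time.Hour)
		switch {
		case now.After(cert.NotAfter):
			findings = append(findings, Finding{subj, "expired " + cert.NotAfter.UTC().Format(time.RFC3339)})
		case warn.After(cert.NotAfter):
			findings = append(findings, Finding{subj, "expires soon: " + cert.NotAfter.UTC().Format(time.RFC3339)})
		}
	}
	return findings, nil
}

// selfSignedPEM creates a constructed self-signed CA certificate for the sample data.
func selfSignedPEM(cn string, bits int, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle builds a constructed bundle resembling the situation in the thread:
// a 1024-bit legacy root that has already expired, a 2048-bit root expiring in
// 26 hours, and a healthy 2048-bit root. None of these is a real Meraki or
// ValiCert certificate; they are generated here purely as test input.
func SampleBundle(now time.Time) ([]byte, error) {
	specs := []struct {
		cn   string
		bits int
		from time.Time
		to   time.Time
	}{
		{"Constructed Legacy 1024-bit Root", 1024, now.AddDate(-20, 0, 0), now.Add(-24 * time.Hour)},
		{"Constructed Root Expiring Tomorrow", 2048, now.AddDate(-10, 0, 0), now.Add(26 * time.Hour)},
		{"Constructed Healthy Root", 2048, now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0)},
	}
	var bundle []byte
	for _, s := range specs {
		p, err := selfSignedPEM(s.cn, s.bits, s.from, s.to)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	now := time.Now()
	bundle, err := SampleBundle(now)
	if err != nil {
		panic(err)
	}
	findings, err := AuditPEM(bundle, now, 30)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-40s %s\n", f.Subject, f.Issue)
	}
}
```

Run as written it prints three findings (weak key and expired for the legacy root, expires-soon for the second); the healthy root produces nothing. To audit a real profile, replace `SampleBundle` with the bytes of the exported certificates and keep `AuditPEM` unchanged; a root that only expires is a different risk from one that is still valid but uses a 1024-bit key, which is why the two checks are reported separately.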

Zilla
Getting noticed

FYI, the certificate expires in about 26 hours....

SPeacock
Conversationalist

19 hours and it is surprising that nobody from Meraki has addressed this issue.  I share the OP's concern for security.  I find it very odd that this forum isn't populated by more folks that feel that way.  A simple "chime in" from support would've been nice.  I guess they just want the calls.

AlexC
Meraki Employee

Hello,

I checked internally with our support team and was advised that this issue should be resolved. Newly enrolled devices should have their management profile updated and should not have the cert in question.

If you are still seeing this behavior or have any additional concerns, I would recommend reaching out to our support team via the usual channel (submit a support case or call into the support hotline). They are lovely people and would be happy to help answer any questions or additional concerns.

Cheers!
-Alex

If this was helpful, click the Kudos button below.
Please mark it as a solution if solved your issue so others can benefit from it 🙂
aws_architect
Building a reputation

Very happy to see that a security issue that has been open for 1 year and 2 months has been solved a few hours before the certificate expiration!

Thank you all
Goodline
Just browsing

Hi Alex,

We have multiple devices with this cert still attached to them.

The only way I have been able to get rid of it is to remove and re-add the Meraki profile. With all our devices in the field, this isn't an easy task and one that isn't going to happen unless an iPad has an issue.

Interestingly, since the cert has expired, some iPads that went offline before the cert expiry are losing their enrolment and any subsequent control when they are powered on again. The Meraki profile can no longer be removed and the only option is to erase using Configurator back at head office (with the broken profile on the iPad, "erase all content and settings" is disabled).

I am not sure that the cert expiry is causing this; it is just that this issue wasn't encountered before the cert expired.

I raised a ticket about the cert and the response from support was that the cert should have disappeared as it is expired and Apple won't allow it on the iPad.

Any thoughts?

AlexC
Meraki Employee

@Goodline

Upon checking with support, I've learned that the expired cert should not cause any functionality impact to previously enrolled devices. It sounds like it might be a coincidence and something else is preventing the iPads from being able to check in with dashboard.

I would suggest continuing to work with support if you have more of these broken instances, and providing them with device logs so that they can help you investigate further.

Cheers,

-Alex

If this was helpful, click the Kudos button below.
Please mark it as a solution if solved your issue so others can benefit from it 🙂
MRCUR
Kind of a big deal

What's the name of the profile this is coming from? Is it the Meraki enrollment profile? 

MRCUR | CMNO #12
davidson2020
Here to help

Did you ever get this issue resolved? I think I'm still having the same problem with iPads due to these Certificates expiring. Everything still works except I can no longer push apps out to them through Meraki unless I remove the profile and re-enroll them.

jm_peterson
Getting noticed

@davidson2020 I think the thread you are looking for might be https://community.meraki.com/t5/Endpoint-Management-Systems/Anyone-else-seeing-Unverified-Certificat... 

Maybe that shouldn't effect is at play. 
