This case has been open with support since 22 May without any answer: Case 02676357
Hello,
- On iOS, *.meraki.com is pushed 2 times
- http://www.valicert.com: what is this certificate? What kind of affiliation does it have with Meraki?
I have never heard of or seen valicert.com in conjunction with either Meraki or anything else.
Are you sure this is not being installed by some other application?
Yes, I am sure; it’s only on iOS devices (iPhone, iPad).
Whatever Valicert.com is, it sure looks sketchy, looking from Umbrella.
This seems like a bug since valicert.com doesn't have a valid cert. It is a very old root CA that (I think) GoDaddy purchased at one point, but it's not used anymore. Perhaps @Melissa can check with the engineering team on this.
I am also curious to know what Valicert is. A quick Google search shows it has something to do with GoDaddy, as @MRCUR stated. According to some post, it was something in the 1990s that is now being phased out due to encryption standards.
@Melissa or someone from Meraki, please?
Support unresponsive since 22 May.
We are out of means and would like answers!
Hi @aws_architect! I reached out to support on this and found out it is an open bug that is being investigated. It didn't appear to have any impact or cause any issues with deployments though - is that not the case in your deployment? Is it causing issues?
Please let us know!
Hello Melissa,
Yes, a big security concern!
Having an unknown certificate from a weird domain pushed to my devices and no answer since May makes me voiceless.
@Melissa wrote: Hi @aws_architect! I reached out to support on this and found out it is an open bug that is being investigated. It didn't appear to have any impact or cause any issues with deployments though - is that not the case in your deployment? Is it causing issues?
Please let us know!
I have the same cert also. Very odd.
8 days passed, no news from Meraki, neither in the community nor from support.
3 weeks passed...
Nobody seems to care about security!
@aws_architect you are not the only person that has seen this issue; it is a bug, and I am sure if it was a security risk something would have been said. It is most likely an old signing authority cert that's no longer being used.
Case 02676357 from May 22, 2018 03:19
If it's an old certificate and they have not been able to fix this since 22 May 2018, then we have a problem here:
It doesn't look like something that needs heavy development...
When is this OLD cert going to be removed?
I am waiting to enroll our iOS devices, and there is no way that I will do so with an UNKNOWN certificate from a weird domain pushed to my corporate devices...
Does it happen with all of your devices? What models are they? Are you using the free or paid version of Systems Manager?
Thank you @BlakeRichardson
-iPhone
-iPads
iOS to make it simple.
Paid version
We don't use the legacy MDM
@aws_architect what models of iPad and iPhone exactly, are they recent models or older hardware?
Do you have any iOS devices that don't have this issue?
iPhone X
iPhone 7
iPad Pro and older generation
All that I have tested have the same behavior
1 - Duplicated *.meraki.com
2 - This unknown certificate
Actually, here on the doc screenshot as well:
https://documentation.meraki.com/SM/Profiles_and_Settings/Credentials_Payload_(Pushing_Certificates)
Also here:
But it's not pushed to macOS any more, because I haven't seen it
If it's in their documentation I wouldn't be concerned. I've just looked at one of my devices in closer detail and those certs are there.
If you don't want to be concerned by an OLD, 3rd-party certificate from a fishy domain, it is up to you.
I am concerned and I guess I am not the only one.
What is this 3rd-party certificate?
Why is *.meraki.com pushed twice?
The root certificate is documented in the link you provided.
No one else is concerned; the deployed root certificates match the documentation.
I think you are the only person concerned.
I don't see how it's an old certificate when it's not expired..... Meraki have obviously chosen GoDaddy and Valicert as their certificate providers.
Then don’t come crying the day that all your devices are compromised; no kidding with security.
I suggest, if you are not concerned, that you answer other posts and don’t hijack my concern without being constructive.
We are in 2018 and this CA was phased out starting in 2011...
The "ValiCert Class 2 Policy Validation Authority" root from 1999, along with about a dozen other roots from ValiCert and other CAs, are being phased out because they're only 1024 bits. 1024-bit RSA is increasingly close to being breakable (1), so the community has decided to get rid of them in an orderly manner by 2011 (2) to prevent a major security incident and panic in the coming years.
Mozilla's stated policy was to disable them some time after December 31, 2013, and they have been actively working with the CAs to do so.
In other words, yes, you have to replace it. What's the problem? I realize it's unpleasant (3), but you have to renew it annually anyway, and this is less work. Maybe your CA will be willing to compensate you for the inconvenience you've suffered as a predictable consequence of their decision to use an obsolescent technology long after its sell-by date.
(1) I wouldn't be surprised if certain agencies could factor them -- slowly -- but I might be a little paranoid.
(2) Wait, what's today's date again?
(3) I remember Heartbleed.
FYI, the certificate expires in about 26 hours....
19 hours and it is surprising that nobody from Meraki has addressed this issue. I share the OP's concern for security. I find it very odd that this forum isn't populated by more folks that feel that way. A simple "chime in" from support would've been nice. I guess they just want the calls.
Hello,
I checked internally with our support team and was advised that this issue should be resolved. Newly enrolled devices should have their management profile updated and should not have the cert in question.
If you are still seeing this behavior or have any additional concerns, I would recommend reaching out to our support team via the usual channel (submit a support case or call into the support hotline). They are lovely people and would be happy to help answer any questions or additional concerns.
Cheers!
-Alex
Hi Alex,
We have multiple devices with this cert still attached to it.
The only way I have been able to get rid of it is to remove and re-add the Meraki profile. With all our devices in the field, this isn't an easy task and one that isn't going to happen unless an iPad has an issue.
Interestingly, since the cert has expired, some iPads that went offline before the cert expiry are losing their enrolment and any subsequent control when they are powered on again. The Meraki profile can no longer be removed and the only option is to erase using Configurator back at head office (with the broken profile on the iPad, erase all content and settings is disabled).
I am not sure that the cert expiry is causing this, it is just that this issue wasn't encountered before the cert expired.
I raised a ticket about the cert and the response from support was that the cert should have disappeared as it is expired and Apple won't allow it on the iPad.
Any thoughts?
Upon checking with support, I've learned that the expired cert should not cause functionality impact to previously enrolled devices. It sounds like it might be a coincidence and something else is preventing the iPads from being able to check-in with dashboard.
I would suggest continuing to work with support if you have more of these broken instances, and providing them with device logs so that they can help you investigate further.
Cheers,
-Alex
What's the name of the profile this is coming from? Is it the Meraki enrollment profile?
Did you ever get this issue resolved? I think I'm still having the same problem with iPads due to these Certificates expiring. Everything still works except I can no longer push apps out to them through Meraki unless I remove the profile and re-enroll them.
@davidson2020 I think the thread you are looking for might be https://community.meraki.com/t5/Endpoint-Management-Systems/Anyone-else-seeing-Unverified-Certificat...
Maybe that shouldn't effect is at play.