Encryption

PedroDaCosta
Comes here often

Encryption

What does this mean? The encryption certificate referenced by the FileVault Recovery Key Escrow payload is invalid or does not support encryption.

4 Replies 4
BlakeRichardson
Kind of a big deal
Kind of a big deal

It sounds like System manager isn't able to access the Fault vault recovery key because the payload is corrupted or something has gone wrong when the device uploaded the payload to systems manager. 

 

Is the MDM certificate on the device still valid or has it expired? 

PaulF
Meraki Employee
Meraki Employee

@PedroDaCosta Can you take us through the flow you use to create the certificate, and which type of FileVault profile you are using?

I'm following: https://documentation.meraki.com/SM/Other_Topics/Creating_a_Public%2F%2FPrivate_Certificate_Pair and https://documentation.meraki.com/SM/Profiles_and_Settings/Using_File_Vault_2 It is not providing a .pem certificate. I am trying to create a :

macOS FileVault Recovery Key Escrow profile

Creating a macOS FileVault Recovery Key Escrow profile involves generating a public/private key pair and then using the public key to encrypt the FileVault recovery key.

 

 

You can use a tool like OpenSSL to generate a public/private key pair. The private key should be kept secure, as it will be used to decrypt the FileVault recovery key.

 

In the Meraki dashboard, create a new profile and select the ‘FileVault Recovery Key Escrow’ payload. In the ‘EncryptCertPayloadUUID’ field, enter the UUID of the payload that contains the public key. This will be used to encrypt the recovery key.

 

Once the profile is created, you can apply it to your devices. The devices will then escrow their FileVault recovery keys, encrypted with the public key, to the Meraki dashboard.

 

Please note that the certificate file used for the ‘EncryptCertPayloadUUID’ field should be in PEM format. If you’re having trouble generating a PEM certificate, you might want to check the commands you’re using with OpenSSL.

 

The typical command to generate a PEM encoded certificate is something like this:

 

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

 

This command generates a new RSA key (server.key) and a self-signed certificate (server.crt). Both are in PEM format.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels