SCEP Cert Deployment for Android

6str1ngt3ch
Conversationalist

SCEP Cert Deployment for Android

Trying to deploy SCEP certs for an Android device and keep getting a notification on the device itself which says "Please ensure that a password is set to enable certificate installation".  I'm having trouble figuring out exactly where this password needs to be applied.  The device has a policy to apply a passcode so don't think that is it.  The config for the SCEP Cert itself doesn't ask for a password and there's no Meraki documentation that refers to this that I have been able to find.  Hoping someone here has come across this issue before and can help.  Thanks in advance!

7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal

Maybe this?

 

 

https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_Payload_(Pushing_Certificates)

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
6str1ngt3ch
Conversationalist

I saw this but this doesn't seem to be related to other types of certs.  I'm referring to this basically https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Organization_Menu...

 

I've signed the cert using my CA and then tried to issue certs from that using a config profile

alemabrahao
Kind of a big deal
Kind of a big deal

You need to generate a key:

 

alemabrahao_0-1666703099575.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
6str1ngt3ch
Conversationalist

yeah I followed that to the letter.  I extracted the private key from my root CA (I'm using Microsoft CA) in order to sign this with openssl.

6str1ngt3ch_0-1666707999494.png

Then I go to create a SCEP cert config and that's where things get stuck

6str1ngt3ch_1-1666707365692.png

I feel there's something in between that I'm missing but not sure

PaulF
Meraki Employee
Meraki Employee

First step is to ensure that there's a PIN on the device. Having just the policy isn't good enough. The PIN needs to be there. No PIN, no certs

 

Secondly, you don't need to do any of the steps below. Just a SCEP policy, as below:

 

Screenshot 2022-10-27 at 1.58.31 PM.png

 

And just make sure you've followed the steps here:

 

Signing the Meraki MDM CA with your own - YouTubehttps://www.youtube.com › watch

6str1ngt3ch
Conversationalist

Hi @PaulF I do have a passcode policy set as well

6str1ngt3ch_0-1666876504866.png

and it indeed did enforce the creation of a passcode on the device. 

 

MR45EOL
Here to help

Having the exact same issue. Did you ever find a solution? It seems like the SCEP cert should be deployed to the work profile and it seems like it doesnt think there is a passcode in the profile that it wants to install the cert in.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels