FAQs

How to renew a SCEP RA certificate (private CA – device certificate) 

 
 

Prerequisites: 

- SCEP endpoint already configured.

- SCEP RA certificate already added but has expired.

Errors that might appear because the RA certificate has expired: 

Log messages such as:

SCEP: Failed LogError Message : (SCEPInstallCertificateWithScepHelper: Failed to Initialize SCEP enrollment with NDES Server 'https://cert-manager.com/customer/steadfast/iscep/6KjjyOkGZu06FsGI6MIR/pkiclient.exe', CA cert thumbprint 'ED09B73FE93CEC9563E7542B9295851861214359' and server) 
 
SCEP: Certificate enroll failed. Result: (A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.). 

 

Errors are also recorded in Windows Event Viewer.

 

The examples used below are for demonstration only; the customer’s configuration might differ.

 

  1. Request a new Device Certificate from the “Device Certificates” tab, using the same Certificate Profile that has been configured for SCEP.

  2. Request a new CSR; you can use the same details as the previous SCEP RA certificate.

  3. Afterwards, the device certificate will be issued in SCM.

  4. Under Enrollment -> SCEP -> SCEP RA Certificates, check whether you can edit your SCEP RA certificate.

  5. Otherwise, you can provide this device certificate, with its chain and private key, to us.

Note: use a secure method of transport for the private key, such as Microsoft Office secure message email.

  6. Once we receive it, we will replace your SCEP RA certificate with the key in the backend.

  7. Then you can retry the Intune sync and request new certificates.
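Before the new device certificate replaces the expired SCEP RA certificate, it is worth confirming that the private key matches it, that it verifies against its chain, and that it is not about to expire. The following script is an added example, not part of the original FAQ or of Sectigo's tooling. It assumes the OpenSSL command line is installed and that the certificate, key and chain are PEM files; the file names and the 30-day threshold are illustrative.

```shell
#!/usr/bin/env bash
# Added example: checks on a replacement SCEP RA certificate before it is
# uploaded or handed over. File names and thresholds are assumptions.

# SHA-256 over the PEM public key of a certificate ("cert") or private key ("key").
pubkey_fp() (
  case "$1" in
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
  esac
  [ -n "$pub" ] || exit 1          # unreadable input must never "match"
  printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
)

# True only if the private key belongs to the certificate.
key_matches_cert() (
  c=$(pubkey_fp cert "$1") && k=$(pubkey_fp key "$2") && [ "$c" = "$k" ]
)

# True only if the certificate is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True only if the certificate chains to the CA bundle in $2.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks; prints one line per failure and returns the failure count.
preflight() {  # cert.pem key.pem chain.pem min_days
  fails=0
  key_matches_cert "$1" "$2" || { echo "FAIL: private key does not match certificate"; fails=$((fails+1)); }
  valid_for_days "$1" "$4"   || { echo "FAIL: certificate expires within $4 days"; fails=$((fails+1)); }
  chain_verifies "$1" "$3"   || { echo "FAIL: certificate does not verify against chain"; fails=$((fails+1)); }
  return "$fails"
}

# Constructed sample: a throwaway self-signed certificate and key in directory $1.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=constructed-ra-sample" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Usage: ./ra_preflight.sh cert.pem key.pem chain.pem 30
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

Running the validity check on a schedule against the RA certificate in use gives warning before enrollment starts failing with the "not within its validity period" error shown above.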

For further assistance or troubleshooting, you can refer to Sectigo’s official Knowledge Base or contact support. 
