Troubleshooting for MsIntune SCEP

Overview

This section helps you troubleshoot common problems that you might encounter when using the MS Intune SCEP functionality, such as adding the agent setting and enrolling certificates.

Issues in MSIntune SCEP setting addition and validating the settings

Issues in the MSIntune SCEP Settings

  1. Log in to AppViewX application with valid credentials.
  2. From the left pane, expand the menu and click CERT+.
    The Server Certificate page is displayed.
  3. From the left pane, expand Administration and select Auto Enrollment.
  4. Click MsIntune.
    The Auto Enrollment MsIntune page is displayed.
  5. Click Add.
  6. After the settings are added, click Check to validate them.

Error Messages

Error message: Agent ip is not reachable
Possible cause: The MS Intune SCEP agent IP and the specified port may not be reachable from the AppViewX node.
Possible solution: Validate and ensure that the agent IP and port are reachable from the AppViewX node.

Error message: Certificate does not belong to the selected CA.
Possible cause: The server certificate provided in the agent setting was not issued by the CA selected in that setting.
Possible solution: Check whether the selected server certificate belongs to the CA that was selected earlier.

Error message: CA setting connection is in Failed status
Possible cause: The connection status of the CA setting chosen in the agent setting is Failed.
Possible solution: Check the specified CA setting and make the necessary changes so that its connection succeeds.

Issues in auto enrolling certificate via MS Intune SCEP

Note:
  1. From the client machine, enroll for the certificate using the Company Portal application.
  2. The newly enrolled certificate should be available in the AppViewX CERT+ Inventory. If the new certificate is not available in the AppViewX CERT+ Inventory even 5 minutes after the request was triggered from the device, log on to the CLI and check the logs of the avx_vendor_cert_intune_agent plugin.
The following errors may appear in the logs:
Error message: Unable to submit the CSR request to certificate authority
Possible cause: The request might have failed due to a specific error from the CA.
Possible solution: Verify the vendor logs to see whether there is a CA-specific error.

Error message: CSR parameters already exists
Possible cause: Another CSR with the same parameters may already be present in the inventory for which no certificate was issued.
Possible solution:
  1. Delete the previous CSR present in the inventory and try enrolling again.
  2. Connect to the database and update the entry given below:

    db.cert_metadata.update({"_id" : "DO_CSR_PARAMS_UNIQUENESS_CHECK"},{$set:{"constant":"no"}})

Note: This allows multiple CSRs with the same parameters in the certificate inventory.

Error message: Challenge in PKCS#10 request (Transaction ID: <<transactionID>>) is not valid. Certificate enrollment will not be processed.
Possible cause: Challenge password validation with Microsoft Intune has failed. Possible reasons:
  1. Connectivity issue with Microsoft Intune.
  2. The Intune credentials configured in the agent settings might be incorrect.
Possible solution:
  1. Validate that the AppViewX server has internet access.
  2. Check and correct the Intune Client Id/Tenant Id/Client Secret configured in the MS Intune agent setting.

Error message: No error message, but the enrollment request is not triggered after the getCACert call from the client device.
Possible cause: A mismatch between the CA certificate configured in the MS Intune agent setting and the one configured in the Intune portal.
Possible solution: Verify that the root and intermediate CA certificates of the server certificate in the AppViewX MS Intune agent setting match the root and intermediate certificates configured in the MS Intune portal (Azure) SCEP profile.
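The last check above (agent-setting CA chain versus the certificates configured in the Intune SCEP profile) can be done by fingerprint rather than by eye. The script below is an added example, not AppViewX or Microsoft code: it assumes you have exported both chains as PEM bundles, and the PEM blocks it builds for its own run are constructed placeholders rather than real certificates.

```python
# Added example (not AppViewX/Microsoft code): compare the root+intermediate
# chain uploaded in the MS Intune agent setting against the certificates
# configured in the Intune SCEP profile, using SHA-256 fingerprints of the
# DER bytes. Any certificate present on one side only is a mismatch.
import base64
import hashlib
import re
from typing import Dict, List

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 fingerprint (colon-separated hex) of every CERTIFICATE block
    in a PEM bundle, in file order. Only the decoded DER bytes are hashed, so
    line-wrapping or whitespace differences between exports do not matter."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints


def compare_chains(agent_pem: str, intune_pem: str) -> Dict[str, object]:
    """agent_pem: chain from the AppViewX agent setting; intune_pem: the
    root/intermediate certificates from the Intune SCEP profile."""
    agent = set(pem_fingerprints(agent_pem))
    intune = set(pem_fingerprints(intune_pem))
    return {
        "matched": sorted(agent & intune),
        "only_in_agent_setting": sorted(agent - intune),
        "only_in_intune_profile": sorted(intune - agent),
        "ok": bool(agent) and agent == intune,
    }


def _constructed_pem(seed: bytes) -> str:
    # Constructed placeholder: real certificates are ASN.1 DER, but the
    # comparison only hashes bytes, so any payload exercises the logic.
    b64 = base64.b64encode(seed * 8).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


ROOT = _constructed_pem(b"constructed-root-ca")
ISSUING_A = _constructed_pem(b"constructed-issuing-ca-A")
ISSUING_B = _constructed_pem(b"constructed-issuing-ca-B")

if __name__ == "__main__":
    # Agent setting holds root + issuing CA A; profile was built with CA B.
    for key, value in compare_chains(ROOT + ISSUING_A, ROOT + ISSUING_B).items():
        print(f"{key}: {value}")
```

A non-empty "only_in_agent_setting" or "only_in_intune_profile" list names the certificate that has to be corrected on the other side.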