Troubleshooting for SCEP

Overview

This section helps you troubleshoot common problems that you might encounter when using SCEP functions such as adding SCEP settings, enrolling certificates, and obtaining the CA certificate.

Supported Web Browsers

| Browser | Version | Notes |
|---|---|---|
| Firefox | Till latest (Version 84.0.4147.135) | NA |
| Chrome | Till latest (Version 80.0) | NA |
| IE | Limited support in 9, Full support from 10+ | No support for IE9 post-AppViewX Version 11.0 |
| Safari | Till latest (Windows - Version 5.1.7, macOS - Version 13.1.2) | From AppViewX Version 11.1 |
| Opera | Till latest (Version 70) | From AppViewX Version 11.1 |

Supported Devices

| Device | OS | Resolution |
|---|---|---|
| Desktop | Windows | 1024 X 768 onwards, 1366x768, 1920x1080, Higher |
| Desktop | Linux | 1024 X 768 onwards, 1366x768, 1920x1080, Higher |
| Desktop | Mac | 1024 X 768 onwards, 1366x768, 1920x1080, Higher |
| iPad | iOS | 1024 X 768 |

Supported SCEP Client

  • SSCEP client

  • Cisco Routers

  • Mobileiron Cloud portal

Issues in Adding and Checking SCEP Settings

Issues in the SCEP Settings

  1. Log in to the AppViewX application with valid credentials.
  2. From the left pane, expand the menu and click CERT+.
    The Server Certificate page is displayed.
  3. From the left pane, expand Administration, and select Auto Enrollment.
  4. Click SCEP.
    The Auto Enrollment SCEP page is displayed.
  5. Click Add.
  6. After the settings are added, click Check to see their validity.

Error Messages

Error Message: Agent name already added. Please enter a different name..
Possible Cause: A SCEP setting with the same name already exists on the SCEP page.
Possible Solution: Check the SCEP setting name; it should be unique.

Error Message:
  1. This field should not be null or empty.
  2. Mandatory Field(s) - <Field name> is/are empty.
Possible Cause: Some of the mandatory fields are missing or invalid.
Possible Solution: Add all the valid information in the mandatory section.

Error Message: SCEP setting is invalid - Agent ip is not reachable
Possible Cause: The SCEP agent IP and port provided might not be accessible from the AppViewX node.
Possible Solution: Check the IP and port provided, and make sure the agent is reachable (pingable) from the AppViewX node.

Error Message: SCEP setting is invalid - Certificate does not belong to the selected CA.
Possible Cause: The server certificate provided does not belong to the CA which is selected.
Possible Solution: Check whether the selected server certificate belongs to the CA which was selected earlier.

Issues in Auto Enrolling certificate via SCEP

Note: From the client machine, make the auto-enroll call using the AppViewX SCEP server URL that is displayed on the SCEP setting page.

Error Message: No agent settings found for the provided agent ip address (OR) Agent settings is not found
Possible Cause: The provided agent IP or agent name is not found in the SCEP settings.
Possible Solution: Check the agent IP and agent name in the client machine.

Error Message: Unable to establish connection with SCEP server.
Possible Cause: There might be an issue with reaching the AppViewX SCEP agent IP from the client.
Possible Solution: Check whether the SCEP agent IP is reachable from the client machine. Check whether the SCEP agent IP is open and accessible.

Error Message: Group policy does not have the given hash function
Possible Cause: The requested hash function in the CSR parameters may not be available in the selected policy.
Possible Solution:
  1. Navigate to the policy page.
  2. Select the CA used in the SCEP setting.
  3. In the hash function field, include the requested and missing hash functions.
  4. Save the CA details and update the policy.

Error Message: Unable to submit the CSR request to certificate authority
Possible Cause: Failure due to specific CA functionality.
Possible Solution: Check the reason for the submission failure in the logs and the failed work order.

Error Message: Unable to submit the CSR request to certificate authority - For MSCA
Possible Cause: There might be an error in the work order log - “Denied due to policy module”.
Possible Solution: Check the bit length in the CSR parameters. If it is less than or equal to 1024, increase it in the CSR.

Error Message: CSR parameters already exists
Possible Cause: Another CSR might already be present in the inventory for which a certificate has not been issued.
Possible Solution:
  1. Delete the previous CSR present in the inventory and try enrolling again.
  2. Connect to the database and update the entry as mentioned below:

    db.cert_metadata.update({"_id" : "DO_CSR_PARAMS_UNIQUENESS_CHECK"},{$set:{"constant":"no"}})

Note: This would allow multiple CSRs with the same parameters in the certificate inventory.
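
The two CSR-parameter failures in this section (a hash function missing from the policy, and MSCA denying keys of 1024 bits or fewer) can be checked on the client before enrolling. The script below is an added example, not AppViewX code. It assumes OpenSSL is installed, that the requested hash function is the CSR's signature hash, and that ALLOWED_HASHES mirrors your CA policy; the function names and sample text are constructed.

```bash
#!/usr/bin/env bash
# Added example: pre-check a CSR for the two CSR-parameter rejections listed above.
# ALLOWED_HASHES is an assumption; set it to the hash functions in your CA policy.
ALLOWED_HASHES="${ALLOWED_HASHES:-sha256 sha384 sha512}"
WEAK_BITS=1024   # per the page, MSCA denies key sizes of 1024 bits or fewer

# Both helpers read `openssl req -noout -text` output on stdin.
csr_key_bits() {   # prints the public key size, e.g. 2048
  sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}
csr_sig_hash() {   # prints the signature hash, e.g. sha256
  grep 'Signature Algorithm:' | tr 'A-Z' 'a-z' |
    grep -oE 'md5|sha(1|224|256|384|512)' | head -n 1
}

# check_csr_text TEXT: returns 0 if the CSR passes both checks, 1 otherwise.
check_csr_text() {
  local text="$1" bits hash rc=0
  bits=$(printf '%s\n' "$text" | csr_key_bits)
  hash=$(printf '%s\n' "$text" | csr_sig_hash)
  if [ -z "$bits" ] || [ "$bits" -le "$WEAK_BITS" ]; then
    echo "FAIL key size: ${bits:-unknown} bits, expect 'Denied due to policy module' on MSCA"
    rc=1
  fi
  case " $ALLOWED_HASHES " in
    *" ${hash:-none} "*) ;;
    *) echo "FAIL hash: ${hash:-unknown} is not in the policy list ($ALLOWED_HASHES)"
       rc=1 ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK: ${bits}-bit key signed with $hash"
  return "$rc"
}

# Constructed excerpts of `openssl req -text` output, for offline demonstration.
SAMPLE_WEAK='        Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'
SAMPLE_GOOD='        Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

# With a file argument (placeholder path), check a real CSR; otherwise run the samples.
if [ -n "${1:-}" ]; then
  check_csr_text "$(openssl req -in "$1" -noout -text)"
else
  check_csr_text "$SAMPLE_WEAK" || true; check_csr_text "$SAMPLE_GOOD"
fi
```

CSRs signed with RSA-PSS report the hash on a separate line of the OpenSSL output and are flagged as unknown by this check.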

Issues in Obtaining CA certificate via SCEP