Registration authority's response is invalid

Article:TECH197824  |  Created: 2012-10-03  |  Updated: 2013-09-12  |  Article URL http://www.symantec.com/docs/TECH197824
Article Type
Technical Solution

Product(s)

Issue



The customer is receiving an error message on their iOS device informing them that the "Registration Authority's Response is Invalid." This stops the installation of a profile and enrolling new devices.


Error



The error "Registration Authority's Response is Invalid" is displayed on the iOS device.


Environment



Symantec Mobile Management 7.1 and higher
Windows Server 2008 R2


Cause



A Microsoft security update changed the minimum bit length an SSL certificate can be, making any certificate under 1024 bits invalid.


Solution



A. The following steps will need to be followed in order to update the SCEP identity certificate bit length to be compliant with the latest security updates.

  1. Replace the SCEP identity certificate using a bit length hash below 1024 for encryption with either a 1024 or 2048 bit length hash for encryption.
  2. Update the settings in the Symantec Management Console to reflect this SCEP certificate change.
  3. Reset the 3 Symantec Mobile Management Services in services.msc on the Mobile Management Server.

 

B. If the SCEP server receives 500 errors upon applying the new identity certificate then you will need to perform the following actions.

  1. Reset the CA.
  2. Reset the SCEP Server.

 

C. If all of these options still continue having errors, consider uninstalling the Microsoft NDES role from the SCEP server, and reinstalling it with valid certificate settings.




Article URL http://www.symantec.com/docs/TECH197824


Terms of use for this information are found in Legal Notices