Invalid Profile error in IOS enrollment

jigar_salecha
Explorer

Hi,

I have successfully enrolled Android devices through my Afaria server, without a Relay in my architecture.

Now I want to enroll iOS devices through Afaria.

I have installed all the certificates, viz. the Apple Inc. certificate, the APNS certificate and the intermediate cert, on my Afaria server.

Now when I try to enroll an iOS device I get the following error in the iOS Configuration Utility:

Jan 21 15:15:45 SAP-Mobilitys-iPhone profiled[1697] <Notice>: (Note ) MC: Enrolling in OTA Profile service...

Jan 21 15:15:50 SAP-Mobilitys-iPhone profiled[1697] <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:

  Desc   : Invalid Profile

  US Desc: Invalid Profile

  Domain : MCProfileErrorDomain

  Code   : 1000

  Type   : MCFatalError       


Please help me to resolve this issue.

I have the same MDM "Invalid Profile" download error too. While doing the steps mentioned by you, it comes up as a failed download.

Accepted Solutions (0)

Answers (8)


former_member686053
Active Participant

Keith,

Don't be mad at me if I say I understand nothing.

If I am not mistaken, you mean that I need both versions because of the chain. Right?

So, what can I do to make it work?

keith_nunn
Active Participant

Tevfik,

Many admin users for Afaria only know as much about Microsoft's PKI/CA as is absolutely necessary to run Afaria (which is very little relative to all there is to know).  So it's no problem that you aren't more familiar with it. 

From the Certificate Authority page in Afaria, check the server address of your CA.  Go to that machine via RDP and open Start > Administrative Tools > Certification Authority.  Click the "+" next to your CA's name to expand the folder tree.  Highlight the "Issued Certificates" folder.  Click the "Request ID" column header on the right side of the window twice to sort descending.  Double-click on the top (most recent) certificate.

In the certificate interface, click the "Details" tab and scroll down to the "CRL Distribution Points" entry.  Highlight the entry and copy the CDPs.  Each one starts with "URL=".  Don't copy that part, just the actual URL.  Then navigate to the "Certification Path" tab in the same certificate interface.  If there are more than two entries there, you'll need to get the CDPs from each of the intermediate CAs in the chain.

To get those, you can highlight the intermediate CA in the cert path and click the "View Certificate" button to see the certificate window for that CA's certificate.  Then it would be the same process of going to the Details tab and copying the CRL Distribution Points.

From the machine running the Afaria Enrollment Server, open an elevated command prompt (Right-click > Run as Administrator).  Then, for each URL you copied, run the command "certutil -URL <URLYouCopied>".  This will bring up the "URL Retrieval Tool" window with your pasted URL at the bottom in the "Url to Download" field.  Verify the selection for the "Retrieve" field in the lower right corner is set to "CRLs (from CDP)" and click "Retrieve".  If the "Status" column returns "OK" for all CRLs then you should be fine.

For each certificate, the function needs to have access to retrieve the CRL from at least one good location.  For this purpose, "file" CDPs are not valid.  It needs to be either LDAP or HTTP, depending on how your PKI is configured and what your AD/LDAP environment supports.  If either the identity certificate or one (or more) of the intermediate CA's certificate CDPs cannot be reached, you'll need to add a new CDP that can be reached.

Note that if you have to add a CDP to an intermediate CA you have to add the CDP on the root CA and then renew the subordinate CA's certificate to get the CDP included.  If that's required, you'll also need to renew the Network Device Enrollment Service's Registration Authority ("RA") certs to preserve the chain for the device.

Note: I use "intermediate CA" and "subordinate CA" interchangeably in this case.

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada
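The CDP walk Keith describes, as an added PowerShell example that is not part of the thread or of Afaria: it builds the chain for an exported certificate, lists every non-root certificate's CRL Distribution Points, flags file: CDPs as unusable, and for HTTP CDPs downloads the CRL and reads its Next Update so an expired CRL (such as one published by a root CA that is normally kept offline) stands out. Assumptions: the certificate is exported to .\issued-cert.cer, and certutil -dump prints a "NextUpdate" line for a CRL.

```powershell
# Added example (not from the thread). Reports each non-root certificate's CDPs
# and whether the HTTP ones serve a current CRL. LDAP CDPs are listed for a
# manual "certutil -URL" check, file: CDPs are skipped as Keith's post explains.
function Get-ChainCdpReport {
    param([Parameter(Mandatory)][string]$CertPath)   # assumption: exported .cer from "Issued Certificates"

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Build the chain without revocation checking; we inspect the CDPs ourselves.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)

    # The last element is the root CA, which the revocation check does not consult.
    foreach ($el in ($chain.ChainElements | Select-Object -SkipLast 1)) {
        $c   = $el.Certificate
        $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
        if (-not $ext) { [pscustomobject]@{ Subject = $c.Subject; Url = '(no CDP extension)'; Result = 'FAIL' }; continue }

        # Format() yields the same "URL=..." lines the certificate dialog shows.
        $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        foreach ($url in $urls) {
            $result = switch -Regex ($url) {
                '^file:'   { 'SKIP (file CDPs are not usable for the revocation check)' }
                '^ldap:'   { 'LDAP (verify with certutil -URL from the Enrollment Server)' }
                '^https?:' {
                    $tmp = [System.IO.Path]::GetTempFileName()
                    try {
                        Invoke-WebRequest -Uri $url -OutFile $tmp -TimeoutSec 15 -UseBasicParsing
                        # Assumption: certutil -dump shows the CRL validity as "NextUpdate: <date>".
                        $line = certutil -dump $tmp | Select-String 'Next ?Update' | Select-Object -First 1
                        $next = "$line" -replace '.*Update:\s*', ''
                        $parsed = [datetime]::MinValue
                        if ([datetime]::TryParse($next, [ref]$parsed) -and $parsed -lt (Get-Date)) {
                            "EXPIRED (Next Update $next)"
                        } else { "OK (Next Update $next)" }
                    } catch { "FAIL ($($_.Exception.Message))" }
                    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
                }
                default    { 'UNKNOWN scheme' }
            }
            [pscustomobject]@{ Subject = $c.Subject; Url = $url; Result = $result }
        }
    }
}

Get-ChainCdpReport -CertPath '.\issued-cert.cer' | Format-Table -AutoSize
```

Run it from the Enrollment Server itself, since that is the machine whose network path to each CDP matters; a certificate whose only reachable CDPs are file: URLs needs a new HTTP or LDAP CDP added on the issuing CA.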

former_member686053
Active Participant

Hi Keith,

Yesterday I checked your directives and saw that the subordinate CA's CDPs are expired, because the root CA is kept shut down. Today I switched it on and moved the CRL files. Now all CDPs look OK.

Here are some screenshots as a timeline:

1. Here is an ordinary certificate and its CDPs

Here is the subordinate CA's CDP

Here are the links

Now I can retrieve the certificate's CDPs by LDAP

Now I can retrieve the certificate's CDPs by HTTP

Here is the subordinate CA's CDP by HTTP

As you said, the file method failed.

I think now I can enroll and load the profile.

Let's try.

former_member686053
Active Participant

DONE.

Profile installed.

Thanks, Keith.

keith_nunn
Active Participant

Hi, Tevfik.

Very glad to hear you were able to get past the challenges.

Thanks,

Keith

Former Member

Keith,

I have the same issue; while doing the steps mentioned by you, it comes up as failed:

From the machine running the Afaria Enrollment Server, open an elevated command prompt.  (Right-click > Run as Administrator)  Then, for each URL you copied, run the command "certutil -URL <URLYouCopied>".  This will bring up the "URL Retrieval Tool" window with your pasted URL at the bottom in the "Url to Download" field.  Verify the selection for the "Retrieve" field in the lower right corner is set to "CRLs (from CDP)" and click "Retrieve".  If the "Status" column returns "Fail" for all CRLs then you should be fine.

I am not sure whether I should check with SAP support or the system admin, but I am getting an error while enrolling a new device on Afaria (iOS 9). Afaria server: SP05 (we recently upgraded the server from SP04 HF 06 to SP04 19 and then SP05).

I have an incident created (1009613) but no luck yet.

Can you please help me with this.



Regards

Saket

former_member686053
Active Participant

I think v3.0 is the most recent and we use it now. So there is no problem with it.

keith_nunn
Active Participant

Tevfik,

It looks from your screenshot like you have a CA named "YasarCA" which is running v2.0 of its root cert and a CA named "YasarCA1" which is running v3.0 of its cert.  If the device identity certificates are being issued by YasarCA1 and it's a subordinate CA to YasarCA then not only will the CDPs need to be included in the issued identity certs but they'll need to exist in YasarCA1's cert (which would have been issued by YasarCA, if that's the case) as well.

The root CA in a trust chain isn't checked using the revocation check call since the server should already trust it if it's in the Trusted Root store for the computer account.  The function just wants to check and make sure the subordinate or leaf certificates haven't been revoked.

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada

former_member686053
Active Participant

Hi Keith,

After I posted, I searched xSearch and found the same notes.

The first one maybe covers my case. But it seems I have a different version of the Enterprise PKI server, like this:

and

As you see, in v2.0 CDP Location #1 is expired,

but in v3.0 CDP Location #1 is OK.

I am not familiar with CAs.

Is there anything wrong in this case?

former_member686053
Active Participant

Hi Keith,

Here is my Cert Auth config; as you see there are no non-English characters.

10.1.1.56 is my cert server IP address.

YASARCA1 is the subject name.

Even with this configuration, I click on the Connectivity Test button and I get failed.

What is wrong, I really don't know.

keith_nunn
Active Participant

Tevfik,

If the test is failing as well then I would start there.  Based on your screenshot, ensure both https://10.1.1.56/CertSrv/mscep/mscep.dll and https://10.1.1.56/CertSrv/mscep_admin/ open to valid Network Device Enrollment Service pages from the Afaria Server.  If not, then you will need to investigate your installation of the NDES role service.  If both pages load but the test still fails then check the IIS log on the CA to determine what return code is being presented to the GetCACert operation call.

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada
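The two NDES page checks Keith lists, plus the SCEP GetCACert call the connectivity test relies on, as an added PowerShell example that is not part of the thread or of Afaria. It probes both HTTP and HTTPS so a scheme that is not bound on the CA shows up as a failure. Assumptions: the CA host 10.1.1.56 and the /CertSrv/mscep paths from the thread; the operation=GetCACert query is the standard SCEP request, and the content-type check matches the certificate payloads SCEP defines for it.

```powershell
# Added example (not from the thread). Probes mscep.dll, mscep_admin and the
# SCEP GetCACert operation over both schemes from the Afaria server.
function Test-NdesEndpoints {
    param([Parameter(Mandatory)][string]$CaHost)   # assumption: host taken from the thread's screenshot

    foreach ($scheme in 'http', 'https') {
        $base   = "$scheme://$CaHost/CertSrv"
        $probes = @(
            @{ Name = 'mscep.dll';   Uri = "$base/mscep/mscep.dll" },
            @{ Name = 'mscep_admin'; Uri = "$base/mscep_admin/" },
            @{ Name = 'GetCACert';   Uri = "$base/mscep/mscep.dll?operation=GetCACert&message=ca" }
        )
        foreach ($p in $probes) {
            try {
                # mscep_admin is normally protected by Windows authentication, hence default credentials.
                $r     = Invoke-WebRequest -Uri $p.Uri -TimeoutSec 15 -UseBasicParsing -UseDefaultCredentials
                $ctype = $r.Headers['Content-Type']
                # GetCACert must return a certificate payload (x-x509-ca-cert or x-x509-ca-ra-cert),
                # not an HTML error page; the other two only need to answer 200.
                if ($p.Name -eq 'GetCACert') { $ok = [bool]($ctype -like 'application/x-x509-*') }
                else                         { $ok = ($r.StatusCode -eq 200) }
                $detail = "$($r.StatusCode) $ctype"
            } catch {
                # A TLS handshake error here means HTTPS is not enabled on the CA's IIS site.
                $ok     = $false
                $detail = $_.Exception.Message
            }
            $verdict = if ($ok) { 'OK' } else { 'FAIL' }
            [pscustomobject]@{ Scheme = $scheme; Probe = $p.Name; Result = $verdict; Detail = $detail }
        }
    }
}

Test-NdesEndpoints -CaHost '10.1.1.56' | Format-Table -AutoSize
```

If every HTTPS row fails while the HTTP rows pass, the Certificate Authority page in Afaria must not have HTTPS enabled for this CA, which is exactly the situation that unfolds later in this thread.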

former_member686053
Active Participant

I can reach those pages with HTTP,

NOT HTTPS:

keith_nunn
Active Participant

Tevfik,

In your screenshot you have the "Enable" button checked for HTTPS.  Be sure to de-select that checkbox if HTTPS is not enabled/supported on your CA.

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada

former_member686053
Active Participant

Great.

Now the Cert Auth config passes.

But IPH6034 and IPH3017 errors occur.

keith_nunn
Active Participant

Tevfik,

Have a look at these:

http://service.sap.com/sap/support/notes/2072565

http://service.sap.com/sap/support/notes/2058762

I found them using xSearch with the terms "IPH6034 IPH3017" for the MOB-AFA component.

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada

former_member686053
Active Participant

Hi,

I get exactly the same error.

What is the solution of reinstalling NDES (Chetan's offer)?

keith_nunn
Active Participant

Hi, Tevfik.

Most commonly, "Invalid Profile" is the result of an unacceptable character in the Certificate Authority request information (e.g. - filling in the "City" field under the "Request Info" section on the Certificate Authority configuration page with "São Paulo" will cause this because of the "ã" character).  We've also seen specific devices that will always return the error until they're factory reset.

Here's a KBA about it:  https://service.sap.com/sap/support/notes/1986728

Thanks,

Keith Nunn
SAP Active Global Support
SAP Canada


jigar_salecha
Explorer

Hi,

Thanks, Chetan, for your help.

I will try out the above steps.

Two questions:

1) HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword DWORD = 0 or 1?

2) In the CA configuration tab in the Afaria server, is the SCEP challenge compulsory?

Former Member

Hi,

Yes, you need to configure the SCEP challenge.

Value = 0

Former Member

Hi,

You can try this:

The Network Device Enrollment Service installation needs to be refreshed.

Server Manager > Roles > Active Directory Certificate Services: remove the "Role Services" entry for "Network Device Enrollment Service", then re-install it and reboot.

Also make sure

HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword DWORD = 0

jigar_salecha
Explorer

Hi,

One more thing I would like to add.

In the Afaria server logs, on enrolling iOS devices, I get the following error:

IPH6003: iPhone: SetDeviceInfo Failed. Invalid Challenge for iPhone or unknown iPhone.  IMEI = '358030051772***'