Troubleshoot SCEP
Check the audit log messages under the Reporting & Auditing > Audit logs menu and look for entries with a Failure status.
SCEP error codes and messages
This is not a comprehensive list, only a selection of the most commonly encountered error messages.
Message | Code | Resolution |
---|---|---|
Failed to decrypt a PKCS7 message | 404 | The CA associated with your profile is not enabled for SCEP operations. Provided you have account permissions to edit CA configuration, open CA Manager, search for your Issuing CA and enable it for SCEP operations. |
Could not find seat with identifier = xxxxxxx using subject.common_name as seat id mapping | 404 | The CSR value mapped to your profile’s seat ID could not be found. Ensure that you create and enroll the seat ID against your SCEP-enabled profile, either manually or in bulk by the CSV upload process. |
Challenge password is invalid - does not match the value configured by the Administrator | 401 | The enrollment code does not match the Challenge Password in the SCEP CSR. Use a valid enrollment code associated with the seat ID you are requesting a certificate for, and include it in the Challenge Password attribute of your CSR. Also, ensure that the enrollment code has not been redeemed previously and is still in created status. |
No SCEP enrollment with status = CREATED exists for seat with identifier = xxxxxx | 400 | You have created a seat ID, but have not enrolled it against a profile. Enroll the failed seat ID against a SCEP-enabled profile, either individually or in bulk by uploading a CSV file. |
Failed to renew the specified certificate: renewal is not permitted until 2021-12-07T11:56:37Z[UTC] | 400 | You attempted to renew a certificate via SCEP outside the renewal window. Ensure you submit the renewal request inside the renewal window set for the target certificate profile. |
CSR key length 4096 does not match 2048 | 400 | The key size in the profile settings does not match the key size used by the script (see the Create key pair step). Make sure the key size in the profile settings is the same as the one used in the “Create key pair” step of this instruction. |
Failed to renew the specified certificate: it already has been renewed | 400 | The certificate was already renewed. The renew script was apparently launched twice on the same certificate. Make sure you haven’t already renewed your certificate. |
Failed to renew the specified certificate: it has been revoked | 400 | The certificate you are trying to renew is in revoked status. Make sure your certificate is in active status before trying to renew it. |
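
For triaging many failed entries at once, the following added example (not part of the product or its documentation) classifies messages in the formats listed above and extracts the seat ID, key sizes and renewal-window timestamp. The function names, failure-kind labels and sample seat IDs are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Message formats are taken from the table above; named groups capture the variable parts.
RULES = [
    ("ca_not_scep_enabled", r"Failed to decrypt a PKCS7 message"),
    ("seat_not_found", r"Could not find seat with identifier = (?P<seat>\S+) using (?P<mapping>\S+) as seat id mapping"),
    ("challenge_mismatch", r"Challenge password is invalid"),
    ("seat_not_enrolled", r"No SCEP enrollment with status = CREATED exists for seat with identifier = (?P<seat>\S+)"),
    ("renewal_too_early", r"renewal is not permitted until (?P<until>\S+?)\[UTC\]"),
    ("key_size_mismatch", r"CSR key length (?P<csr_bits>\d+) does not match (?P<profile_bits>\d+)"),
    ("already_renewed", r"it already has been renewed"),
    ("revoked", r"it has been revoked"),
]
COMPILED = [(kind, re.compile(rx)) for kind, rx in RULES]

def triage(message, now=None):
    """Classify one failure message and extract the fields needed to act on it."""
    for kind, rx in COMPILED:
        m = rx.search(message)
        if not m:
            continue
        result = {"kind": kind, **m.groupdict()}
        if kind == "renewal_too_early":
            opens = datetime.strptime(result["until"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            now = now or datetime.now(timezone.utc)
            # Seconds until the renewal window opens; 0 means a retry is already allowed.
            result["wait_seconds"] = max(0, int((opens - now).total_seconds()))
        return result
    return {"kind": "unknown"}

def seats_to_fix(messages):
    """Group seat IDs by failure kind, e.g. to build a bulk CSV of seats to create or enroll."""
    seats = defaultdict(set)
    for msg in messages:
        r = triage(msg)
        if "seat" in r:
            seats[r["kind"]].add(r["seat"])
    return {kind: sorted(ids) for kind, ids in seats.items()}

# Constructed sample messages (seat IDs are made up), in the formats listed above.
SAMPLE = [
    "Could not find seat with identifier = device-001 using subject.common_name as seat id mapping",
    "No SCEP enrollment with status = CREATED exists for seat with identifier = device-002",
    "No SCEP enrollment with status = CREATED exists for seat with identifier = device-003",
    "CSR key length 4096 does not match 2048",
]

if __name__ == "__main__":
    print(seats_to_fix(SAMPLE))
    print(triage(SAMPLE[3]))
```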