If you are having issues with Intune SCEP certificate issuance and are confused by the generic “Error” message with no additional information, this page will help you troubleshoot the most common problems with Intune SCEP certificate issuance. The first step when troubleshooting Intune SCEP with EZCA is to open EZCA and go to Certificate Authorities: if there is a misconfiguration in your CA you will see a red box with the error message. The two most common issues you will see in EZCA are the following. Note that the error message will continue to display for 24 hours after the issue is fixed:
This error happens when Intune sends a SCEP request for a CA that has been deleted in EZCA. To solve it, go to EZCA, click Certificate Authorities, and make sure that the CA URL you are using in the Intune SCEP profile matches the CA URL shown in EZCA.
To get the logs from macOS you will need to open the Terminal and run the following command:
log show --info --debug --predicate 'subsystem == "com.apple.SCEP"' --last 1h
This will give you the last hour of SCEP logs; you can change --last 1h to --last 1d to get the last day of logs.
If you see an error containing “Error Domain=MDM-SCEP Code=15001 "Unable to create identity from signed certificate ==> -25300 (The specified item could not be found in the keychain.)"”, it means the computer was not able to validate the CA that issued the certificate. Make sure that the CA certificate in the Intune SCEP profile is the same as the CA that issued the certificate.
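The check above can be automated when you are triaging many devices. The following script is an added example (not from the original page or from EZCA): it scans the text produced by the log show command above for MDM-SCEP error strings, extracts the error code and the OSStatus after the "==>" arrow, and maps the Code=15001 / -25300 combination described above to its cause. The sample log lines embedded in it are constructed, so it runs offline.

```python
"""Scan macOS unified-log output for MDM-SCEP failures and map known
signatures to the causes described on this page (added example)."""
import re
import sys

# Matches the Cocoa-style error string quoted on this page, e.g.
#   Error Domain=MDM-SCEP Code=15001 "... ==> -25300 (The specified item ...)"
# The OSStatus after "==>" is optional because not every line carries one.
ERROR_RE = re.compile(
    r'Error Domain=(?P<domain>[\w.-]+) Code=(?P<code>-?\d+)'
    r'(?:.*?==>\s*(?P<osstatus>-?\d+))?'
)

# Known signatures -> remediation text from this page (the table is ours).
KNOWN = {
    ("MDM-SCEP", 15001, -25300): (
        "Device could not validate the CA that issued the certificate; "
        "make sure the CA certificate in the Intune SCEP profile matches "
        "the CA that issued the certificate."
    ),
}


def parse_scep_errors(log_text: str) -> list:
    """Return one dict per log line carrying an 'Error Domain=' string."""
    findings = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        osstatus = int(m.group("osstatus")) if m.group("osstatus") else None
        hint = KNOWN.get((m.group("domain"), code, osstatus),
                         "No documented cause for this error")
        findings.append({"domain": m.group("domain"), "code": code,
                         "osstatus": osstatus, "hint": hint})
    return findings


# Constructed sample output; timestamps, PIDs and hostnames are made up.
SAMPLE_LOG = """\
2024-05-01 10:00:01.000001-0700 0x1a2b Info  0x0 123 0 mdmclient: (SCEP) Sending SCEP request to https://scep.example.invalid/
2024-05-01 10:00:02.000002-0700 0x1a2b Error 0x0 123 0 mdmclient: (SCEP) Error Domain=MDM-SCEP Code=15001 "Unable to create identity from signed certificate ==> -25300 (The specified item could not be found in the keychain.)"
2024-05-01 10:00:03.000003-0700 0x1a2b Debug 0x0 123 0 mdmclient: (SCEP) Enrollment finished
"""

if __name__ == "__main__":
    # Pass a saved log file as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in parse_scep_errors(text):
        print(f"{f['domain']} Code={f['code']} OSStatus={f['osstatus']}: {f['hint']}")
```

Save the output of log show to a file and pass its path as the first argument to run it against real data.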
Getting logs out of Android is more complicated than on Windows and macOS, so I recommend getting your profiles working on Windows and macOS first before moving to Android. The main difference between Android and Windows/macOS (if you are using a two-tier PKI, meaning a Root CA and an Issuing CA) is that Android expects the CA certificate in the SCEP profile to be the Root CA certificate, not the intermediate (issuing) CA certificate.
Yes, Intune SCEP certificates are renewed automatically: Intune triggers the renewal and the device requests a new certificate when the current one is about to expire. You can control the renewal threshold in the Intune SCEP profile; the default is 20% of the certificate's lifetime before it expires.