WSTEP ROBO

  • Question

  • I'm using WAB enrollment for Windows Phone 8.1. As part of certificate renewal, I'm trying to implement SCEP ROBO (Renew-On-Behalf-Of) support for device to be able to obtain new client certificate automatically. I'm using the following node:

    ./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/

    I'm setting the following values for each of the nodes under Renew:

    ROBOSupport: true

    RenewPeriod: 100

    RetryInterval: 5

    Then I do a GET on the Status and ErrorCode nodes. Returned values:

    Status: 3

    ErrorCode: -2147012859

    Status 3 clearly identifies that the renewal failed. Could someone help me identify the problem?


    • Edited by Shyam Gopi Monday, February 23, 2015 10:25 AM
    Monday, February 23, 2015 10:23 AM
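
As an added example (not part of the original post or of Microsoft's documentation), the decimal ErrorCode reported above can be read as a signed 32-bit HRESULT and split into its fields. The function name and the two lookup tables are hypothetical, and the tables are small hand-picked subsets.

```python
# Added example: decode the signed decimal returned by a GET on the ErrorCode node.
# Table contents are a hand-picked subset, not a complete list.
FACILITIES = {
    0: "FACILITY_NULL",
    7: "FACILITY_WIN32",
    9: "FACILITY_SECURITY",
    11: "FACILITY_CERT",
    12: "FACILITY_INTERNET",
}

# WinHTTP names; WinINet uses the same numbers for these conditions.
WIN32_NAMES = {
    12002: "ERROR_WINHTTP_TIMEOUT",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
    12037: "ERROR_WINHTTP_SECURE_CERT_DATE_INVALID",
    12038: "ERROR_WINHTTP_SECURE_CERT_CN_INVALID",
    12045: "ERROR_WINHTTP_SECURE_INVALID_CA",
}


def decode_hresult(value):
    """Accept a signed decimal (or 0x... string) and split the HRESULT fields."""
    n = int(str(value), 0)
    if not -(2**31) <= n < 2**32:
        raise ValueError("not a 32-bit value")
    n &= 0xFFFFFFFF                 # two's-complement view of the signed value
    facility = (n >> 16) & 0x7FF    # bits 16-26
    code = n & 0xFFFF               # bits 0-15
    name = WIN32_NAMES.get(code) if facility == 7 else None
    return {
        "hex": f"0x{n:08X}",
        "failure": bool(n >> 31),   # severity bit
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": code,
        "name": name,
    }


if __name__ == "__main__":
    # Value taken from the question above.
    print(decode_hresult(-2147012859))
```

For the value in the question this gives 0x80072F05, that is FACILITY_WIN32 with code 12037, which the HTTP stack uses for a server TLS certificate whose validity dates do not check out against the device clock.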

All replies

  • Are you setting the following:

    EntDMID in the DMClient configuration service provider has to be set before the certificate renewal request is triggered.

    Monday, February 23, 2015 11:12 PM
  • Yes, EntDMID is set prior to Cert renewal.

    Upon further investigation using Fiddler, I noticed that for Cert renewal, the device is essentially doing a (re-)enrollment. That is to say, device goes through the same cycle of DiscoveryService, EnrollmentPolicyService and EnrollmentService all over again. This is in conflict with the MDM document. According to the doc, device directly talks to EnrollmentPolicyService instead of going through DiscoveryService once again. Could you clarify this procedure?

    The My/WSTEP/Renew CSP allows device management to set the ServerURL. At the same time, if the device goes through DiscoveryService for cert renewal, then we would be sending the EnrollmentPolicyServiceUrl as a response to discovery which basically overrides the ServerURL configuration provisioned during a device management session. My inference from this would be that the device should not have to go through discovery service for cert renewal. Do correct me if I’m wrong here.

    • Edited by Shyam Gopi Tuesday, February 24, 2015 5:12 PM
    Tuesday, February 24, 2015 4:58 AM