Symptom
After upgrade to ISE 1.2, Apple iPhone and iPad devices do not proceed with SCEP certificate provisioning. When ISE presents its certificate, the Apple device does not continue with the SCEP request. The problem only happens with Apple iOS devices; Android is not affected. The following error is seen on the iPhone/iPad: "the registration Authorities response is invalid"
Conditions
The problem only happens with Apple iOS devices; Android is not affected.
The problem only happens with iPhone/iPad when DigiCert public certificates are used on ISE.
The problem only happens after ISE has been upgraded to 1.2.
Workaround
iOS devices expect "DigiCert High Assurance EV Root CA" to be a root certificate signed by itself (self-signed).
If ISE has the chain configured in this way:
"ISE cert"
"ISE cert" Signed by "DigiCert High Assurance CA-3"
"DigiCert High Assurance CA-3" Signed by "DigiCert High Assurance EV Root CA"
"DigiCert High Assurance EV Root CA" Signed by "Baltimore CyberTrust Root"
SCEP will break because the chain is not what the iOS device expects.
Workaround:
1) In the ISE GUI, under Certificates, click on Certificate Store
2) Delete the certificate "DigiCert High Assurance EV Root CA" Signed by "Baltimore CyberTrust Root"
3) Open the ISE admin GUI with Firefox, view the certificate and its chain, and click on "DigiCert High Assurance EV Root CA"
4) Export it and then import it into the ISE Certificate Store, trusting it for Client Auth.
5) SCEP should work now and you should no longer get the "Registration authority response is invalid" error message on the iOS device
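A check that can be run on the exported PEM file before the import in step 4, to confirm it is the self-signed copy of the root and not the cross-signed one. This is an added example, not part of the original bug note; the function names and the "Constructed ..." demo certificates are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: tell a self-signed root apart from a cross-signed copy.

# Print the subject or issuer DN of a PEM certificate ($1 = subject|issuer).
cert_field() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Succeed only if subject equals issuer AND the signature verifies under the
# certificate's own public key. openssl verify also fails on an expired cert.
is_self_signed() {
    [ "$(cert_field subject "$1")" = "$(cert_field issuer "$1")" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# One summary line per certificate file.
classify_cert() {
    if is_self_signed "$1"; then
        echo "self-signed: $(cert_field subject "$1")"
    else
        echo "not self-signed: $(cert_field subject "$1") (issuer: $(cert_field issuer "$1"))"
    fi
}

# Constructed sample input: one key pair for "Constructed EV Root", issued
# once as a self-signed root and once cross-signed by "Constructed Old Root".
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Old Root" \
        -keyout "$1/old.key" -out "$1/old.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed EV Root" \
        -keyout "$1/ev.key" -out "$1/ev_self.pem" 2>/dev/null
    openssl req -new -key "$1/ev.key" -subj "/CN=Constructed EV Root" \
        -out "$1/ev.csr" 2>/dev/null
    openssl x509 -req -in "$1/ev.csr" -CA "$1/old.pem" -CAkey "$1/old.key" \
        -CAcreateserial -days 2 -out "$1/ev_cross.pem" 2>/dev/null
}

# Usage: sh check_root.sh exported-root.pem [more.pem ...]
for f in "$@"; do classify_cert "$f"; done
```

Both demo certificates carry the same subject and public key, which is why the issuer field and the signature check, not the name, decide which copy is in hand.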
Further Problem Description