NDES cannot enroll certificates to iOS

Posted by

I don’t know how many NDES/SCEP installations I have been doing until today, still there are a lot of dependecies and a couple of pitfalls that comes up every now and then.

I have my checklist I always follow, semi-automated (that may be another post if interesting?)

Anyway, after spending quite a lot of hours troubleshooting the NDES/SCEP installation, I will try to sum up some tips for troubleshooting.

First of all there is a very good knowledge base article that will guide you thru all the steps:


Second, if you haven’t tried the deployment verification scripts, try them, they are really handy for finding small errors such as spelling. For the record my specific problem was not found with this script.



My specific problem here was that Windows devices and Android devices got SCEP certficates, as excepted but Apple devices did not. There was no error code or similar that helped me in the right directions, and iOS devices are a bit tricky to troubleshoot.

Anyway, after going thru all settings over and over again, I finally configured a new server from scratch, and still the same problem.

Now I had a server that I could troubleshoot in depth, so I fired up ProcMon64.exe and started to filter out ndes processes and IIS/w3wp.exe. So here I got some indication of error, see screenshot below. I filtered out a lot of messages, so I highlighed just the important once here


When this came up I thought about the root certificate, and took a look (I know, Swedish sorry for that). But it says Signing algorithm RSASSA-PSS, I never stumbled over that before, so more digging.


I compared the installation with others and all of these has sha256, not RSASSA-PSS, so I started searching some forums and came across something interesting.



I couldn’t find any official statement from Apple says that RSASSA-PSS is not supported only these discussions stating something like “may not be supported”.

Now time to change your algorithm, but that’s another story, so please advise your PKI-guy


I hope you got ideas for troubleshooting your environment, and I’ll try to contribute some changes in the troubleshooting scripts.

And remember to not use RSASSA-PSS signing algorithm for Apple devices





Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.