Import HTTPS certificate chain for MDM

Import HTTPS certificate root CA

NOTE: Do not perform this certificate import for Mobile Device Connector version 7.0 and later.

When using a non-self-signed HTTPS certificate for MDM, the certificate's root CA needs to be imported into Windows' certificate store, so that the OS will send the CA to clients connecting to it. You need to obtain the public key of the root CA that was used for signing the HTTPS certificate.

If the HTTPS certificate was generated by the ERA Server during ERA MDC installation, the root CA is the ERA Certificate Authority (ERA CA). You can export this public key from the ERA Web Console under Admin > Certificates > Certification Authorities by selecting the Export Public Key option from the context menu of the ERA CA.

1. Run mmc.exe to open Management Console.

2. Select File > Add/Remove Snap-in… (or press CTRL+M).

3. Under Available snap-ins, select Certificates and click Add.

4. Select Computer Account for the certificates to manage and click Next.

5. Select Local Computer and press Finish.

6. Click OK to return to the Management Console.

7. Select Trusted Root Certification Authorities and, in its context menu, select All Tasks > Import.

8. Select the MDM HTTPS certificate file and import it.

9. Restart the ESET Remote Administrator Mobile Device Connector service.

NOTE: If these steps are not performed, the MDM HTTPS Server will send only the Server certificate, not the entire chain (intermediate CAs).

NOTE: Unless the certificate is imported, iOS devices can fail to enroll with the error message: "Profile Installation Failed". Also, MDC will output the following messages in its trace-log (C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Logs\trace.log):

HTTPSSelfCheck detected untrusted root in HTTPS certificate.

Uncaught exception: NodSslException, NodSsl function completeHandshake.RecvEncryptedData returned an error (Handshake failed to complete) for peer [<IP>]:<port>, local [<IP>]:9980
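The import steps and the trace-log check above, scripted as an added PowerShell example (not ESET's own code). It assumes the root CA was exported to the placeholder path C:\Temp\era-ca.der, that the service display name matches the name given in step 9, and that 30 seconds is enough for the self-check to run after a restart.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of steps 1-9. $CaFile is a placeholder path.
param(
    [string]$CaFile  = 'C:\Temp\era-ca.der',   # assumption: exported root CA file
    [string]$Service = 'ESET Remote Administrator Mobile Device Connector',
    [string]$Log     = 'C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Logs\trace.log'
)
$ErrorActionPreference = 'Stop'

# Load the file and show what is about to become a machine-wide trust anchor.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter

# A root CA is self-signed (Subject equals Issuer) and carries CA=TRUE.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($cert.Subject -ne $cert.Issuer -or -not ($bc -and $bc.CertificateAuthority)) {
    Write-Warning 'File does not look like a root CA certificate; check the export.'
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Steps 7-8: import into Local Computer > Trusted Root Certification Authorities.
if (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)") {
    Write-Host 'Already present in the Trusted Root store; nothing imported.'
} else {
    Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Step 9: restart the connector, then inspect only log lines written afterwards.
$before = 0
if (Test-Path $Log) { $before = @(Get-Content $Log).Count }
Restart-Service -DisplayName $Service
Start-Sleep -Seconds 30   # assumption: enough time for the HTTPS self-check to run

$new = @()
if (Test-Path $Log) { $new = @(Get-Content $Log | Select-Object -Skip $before) }
$hits = $new | Select-String -SimpleMatch 'HTTPSSelfCheck detected untrusted root'
if ($hits) {
    Write-Warning "Untrusted-root message still logged:`n$($hits -join "`n")"
} else {
    Write-Host 'No untrusted-root message in the new trace-log lines.'
}
```

Compare the printed thumbprint with the one shown for the CA in the ERA Web Console before relying on the import, since anything placed in this store is trusted machine-wide.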

NOTE: The import is only required for managing iOS devices. Android certificate verification uses a different algorithm, matching the exact certificate, rather than verifying the root CA.

NOTE: The import is not necessary if you are using a certificate signed by a trusted 3rd party root CA; these are already part of the Windows certificate store. If you are not sure, try to import the certificate anyway. Doing so will not break the MDC configuration.