Troubleshoot HTTP errors from Connector for SCEP
When your client triggers a Connector for SCEP dataplane API action and it results in an error, Connector for SCEP sends an HTTP response code to the requesting client with information about the error.
In addition to the service responses provided directly to your clients, you can use the monitoring tools described in the Monitor Connector for SCEP section to view and debug errors resulting in an HTTP error.
The following are error messages returned by the service to SCEP clients, the potential causes, and the steps you can take to resolve the issues.
HTTP 400 Bad Request
An HTTP 400 response code means that Connector for SCEP can't process the request due to an apparent client error, such as missing or invalid data in the request. If the error results from a SCEP-protocol specific error, Connector for SCEP includes the SCEP response as a binary in the message. Connector for SCEP APIs can return 400 responses for any of the following reasons.
Response header (x-amzn-ErrorType) | Error message (x-amzn-ErrorMessage) | Root cause | Remediation | Includes SCEP response? |
---|---|---|---|---|
LimitExceededException | Certificate authority issuance limit exceeded. | The private certificate authority (CA) associated with the connector has exceeded its quota for the number of certificates it can issue. | A SCEP connector can only be connected to one private CA through its lifetime. If you have exhausted the limits of your private CA, either create a new connector or request a quota increase. For more information about private CA quotas, see Amazon Private Certificate Authority quotas. | No |
ValidationException | The request must contain base64. | Connector for SCEP can't process the HTTP GET request because the body isn't valid Base64. | If possible, configure your clients to use HTTP POST messages instead of HTTP GET messages. If you must use HTTP GET, the messages must use the Base64 format. If your clients are incompatible with these requirements, contact Amazon Web Services Support. | No |
ValidationException | The certificate authority is not active. | The private CA associated with the connector is inactive. | Reactivate the private CA. For information, see Update a private CA in Amazon Private Certificate Authority. | No |
ValidationException | The certificate authority certificate validity must be at least one year from today. | The private CA associated with the general-purpose connector must have a validity period of at least one year from today. | Reissue the certificate with a validity period greater than one year from today. For information about managing certificates, see Manage the private CA lifecycle. | No |
ValidationException | The certificate included in the request is expired. | The transient certificate generated by the client device on each transaction was expired on reception by the service. | It's most likely that your client devices don't have their time settings properly configured, and they're creating certificates with dates behind the real time. If you can't resolve this issue, contact Amazon Web Services Support. | No |
ValidationException | The request contains invalid Cryptographic Message Syntax. | The service was unable to decode the SCEP request message. | Check if your SCEP messages conform to the Cryptographic Message Syntax defined in SCEP RFC 8894. | No |
ValidationException | The connector is not active. | The connector's status is not active. | You can find a connector's status in the console or in the Status field in the API. A connector's status can be creating, active, deleting, or failed. If the status is creating, try your request later. If the status is failed, view the status reason to troubleshoot the issue, and then create a new connector. | No |
ValidationException | There must be a valid certificate included in the request. | The transient certificate included in the request message from the client was either missing or invalid. | SCEP-compatible clients must provide a self-signed certificate to authenticate themselves. If your client is unable to provide the required self-signed certificate, contact Amazon Web Services Support. | No |
ValidationException | The request URI is invalid. | Connector for SCEP can't parse the request because the URI path or query of the request is invalid. | Administrators should verify the configuration settings of the client devices, which are typically managed through a Mobile Device Management (MDM) system. For more information, see Step 2: Copy connector details into your MDM system. | No |
ValidationException | Exactly one host header is required in the request. | The client did not provide a valid HTTP Host header in the request, which is required for the request to be processed. | The HTTP Host header is required to distinguish requests coming to different connectors. If your client is unable to provide the required HTTP Host header, contact Amazon Web Services Support. | No |
ValidationException | The request could not be decoded. Please send a valid SCEP request. | The service couldn't decode and process the Cryptographic Message Syntax (CMS) request that your client sent. | If your clients are having trouble with our implementation of SCEP, note the request ID ( | No |
ValidationException | The response could not be encoded with values derived from the request. Please send a valid SCEP request. | The service wasn't able to encode the SCEP response. | This issue usually occurs when the service is unable to use the provided requestor certificate to properly encode the SCEP response message. This can happen, for example, if the requestor certificate has an Elliptic Curve Digital Signature Algorithm (ECDSA) key, which Connector for SCEP doesn't support. If you encounter this problem, first configure your MDM or SCEP client to use RSA. If you still can't resolve the issue, note the request ID ( | No |
ValidationException | Unsupported algorithm: <OID> | The request was either signed or encrypted by an unsupported cryptographic algorithm. | Our service doesn't support certain outdated and weak cryptographic algorithms. This information is communicated to clients through the If your clients appear to be incompatible with the cryptographic algorithms supported by our service, contact Amazon Web Services Support. | No |
ValidationException | Unsupported PkiOperation messageType. | The request message contained an invalid | Our service supports only a subset of the SCEP protocol message types defined in RFC 8894. Specifically, we recognize and process the following message types: CertRep, PKCSReq, GetCert, GetCRL, and CertPoll. We communicate the supported message types to clients through the GetCACaps method. Unfortunately, some clients may not be utilizing this method and could be non-compliant with our service's capabilities. If your clients appear to be incompatible with the SCEP message types supported by our service, contact Amazon Web Services Support. | No |
BadRequestException | The challenge password is invalid. | The challenge password provided by the client was invalid for the contacted service endpoint and its associated connector. The challenge password is a required security measure defined in the SCEP protocol to ensure only authorized clients can access the service. | Make sure that your client is providing the correct challenge password in its request. You can find it in the connector details in the console or through the GetChallengePassword API. For more information, see Step 2: Copy connector details into your MDM system. | Yes |
BadRequestException | Exactly one challenge password is required in the certificate signing request. | The client provided either zero or multiple challenge passwords in its request. | Make sure that your client is providing one challenge password in its request. You can find challenge passwords in the connector's details in the console or through the GetChallengePassword API. For more information, see Step 2: Copy connector details into your MDM system. | Yes |
BadRequestException | The connector does not have access to Azure. | Connector for Microsoft Intune authorizes client requests through Microsoft Intune. This requires that you grant permission for Connector for SCEP to access your Azure resources. | Configure the permissions detailed in Step 1: Grant Amazon Private CA permission to use your Microsoft Entra ID Application. | Yes |
BadRequestException | The Azure application does not have access to perform <action>. | Connector for Microsoft Intune authorizes client requests through Microsoft Intune. This requires that you grant permission for Connector for SCEP to access your Azure resources. | Configure the permissions detailed in Step 1: Grant Amazon Private CA permission to use your Microsoft Entra ID Application. | Yes |
BadRequestException | The Azure application was not found. | Connector for Microsoft Intune authorizes client requests through Microsoft Intune. This error indicates that you don't have an App Registration in your Microsoft Entra ID, or your connector's Intune details are misconfigured. | Follow the guidance in the Configure Microsoft Intune for Connector for SCEP topic. | Yes |
BadRequestException | Intune certificate signing request validation failed. Reason: <reason> | Connector for Microsoft Intune authorizes client requests through Microsoft Intune. This error message indicates that the Intune validation process has failed, and the corresponding Intune error code is provided. | Follow the guidance in the Configure Microsoft Intune for Connector for SCEP topic. If your problem persists, contact Microsoft Support. | Yes |
BadRequestException | Unsupported PkiOperation messageType: <message type>. | The request message contained an invalid message type and could not be processed by the service. | Our service supports only a subset of the SCEP protocol message types defined in RFC 8894. Specifically, we recognize and process the following message types: CertRep, PKCSReq, GetCert, GetCRL, and CertPoll. We communicate the supported message types to clients through the GetCACaps method. Unfortunately, some clients may not be utilizing this method and could be non-compliant with our service's capabilities. If your clients appear to be incompatible with the SCEP message types supported by our service, contact Amazon Web Services Support. | Yes |
BadRequestException | Key algorithm or length is not supported. | The service does not support the provided public key included in the certificate signing request. | Our service only supports standard RSA keys up to 16,384 bits, and ECDSA keys up to 521 bits. If your clients require the use of a currently unsupported algorithm, please contact Amazon Web Services Support. | Yes |
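For the "The request must contain base64" row above, a pre-flight lint that a client integrator can run on the GET URL before it is sent. This is an added example, not AWS code; it assumes the RFC 8894 query layout `operation=PKIOperation&message=...`, and the host name, path and sample bytes are constructed.

```python
import base64
import binascii
from urllib.parse import quote, unquote, urlsplit

def check_scep_get(url):
    """Lint a SCEP HTTP GET URL; return (ok, reason)."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(name, []).append(value)
    if params.get("operation") != ["PKIOperation"]:
        return False, "operation is not PKIOperation"
    values = params.get("message", [])
    if len(values) != 1 or not values[0]:
        return False, "expected exactly one non-empty message parameter"
    raw = values[0]
    # A literal '+' is ambiguous: form-style query decoders turn it into a
    # space, which is outside the Base64 alphabet. Require %2B instead.
    if "+" in raw:
        return False, "unescaped '+' in message; percent-encode it as %2B"
    try:
        der = base64.b64decode(unquote(raw), validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"message is not valid Base64: {exc}"
    # A CMS ContentInfo is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        return False, "decoded message does not start with a DER SEQUENCE"
    return True, "ok"

# Constructed bytes (not a real SCEP message), chosen so the Base64 text
# contains '+' characters: it encodes to "MAkEBwAA++++AAA=".
SAMPLE_DER = bytes.fromhex("300904070000fbefbe0000")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
BASE = "https://connector.example.invalid/scep?operation=PKIOperation&message="

GOOD_URL = BASE + quote(SAMPLE_B64, safe="")            # '+' sent as %2B
RAW_PLUS_URL = BASE + SAMPLE_B64                        # '+' left unescaped
TRUNCATED_URL = BASE + quote(SAMPLE_B64[:-3], safe="")  # broken padding
NOT_DER_URL = BASE + quote(base64.b64encode(b"hello").decode(), safe="")

if __name__ == "__main__":
    for u in (GOOD_URL, RAW_PLUS_URL, TRUNCATED_URL, NOT_DER_URL):
        print(check_scep_get(u))
```

The `'+'` rule is deliberately conservative: it rejects any URL whose meaning depends on how the receiving HTTP stack decodes the query string.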
HTTP 401 Unauthorized
A 401 Unauthorized response status code indicates that the client request hasn't been completed because it lacks valid authentication credentials for the requested resource.
Response header (x-amzn-ErrorType) | Error message (x-amzn-ErrorMessage) | Root cause | Remediation | Includes SCEP response? |
---|---|---|---|---|
AccessDeniedException | The connector does not have access to the certificate authority. | Connector for SCEP doesn't have access to the connector's associated private CA. | Share your private CA with the Connector for SCEP using Amazon Resource Access Manager. | No |
AccountDoesNotExistException | The Amazon account does not exist. | The Connector for SCEP resource no longer exists. | The account owning the target resource has been deleted. If this was done by mistake, contact Amazon Web Services Support. | No |
HTTP 404 Not Found
An HTTP 404 response code usually means that the resource you were looking for couldn't be found.
Response header (x-amzn-ErrorType) | Error message (x-amzn-ErrorMessage) | Root cause | Remediation | Includes SCEP response? |
---|---|---|---|---|
ResourceNotFoundException | The certificate authority does not exist. | The connector's associated private CA has been deleted. | There is a grace period during which a private Certificate Authority (CA) can be restored if it has been deleted by mistake. For more information, see Restore a private CA. | No |
ResourceNotFoundException | A connector with endpoint <URL> doesn't exist. | The client device has attempted to connect to a URL that doesn't belong to any existing connectors. | Make sure that your client is providing the correct endpoint for the connector. To view a connector's | No |
HTTP 409 Conflict
An HTTP 409 Conflict response signals that a private CA associated with a connector has changed since the request was initiated.
Response header (x-amzn-ErrorType) | Error message (x-amzn-ErrorMessage) | Root cause | Remediation | Includes SCEP response? |
---|---|---|---|---|
ConflictException | The connector has changed since the request was initiated. | The private CA associated with the connector has been updated, triggering a rotation of the connector's internal certificate used for communication with client devices via SCEP. This certificate rotation may result in temporary issues during the update period, as the new certificate is being deployed. However, this error should be resolved automatically in a timely manner. | Try your request again in a few minutes. If the problem doesn't resolve, contact Amazon Web Services Support. | No |
HTTP 429 Too Many Requests
Connector for SCEP has account-level quotas, per Region. If you exceed the limit of requests to a connector, your requests will be denied with an HTTP 429 error. If you need to increase your quota, see Amazon Private Certificate Authority endpoints and quotas.
Response header (x-amzn-ErrorType) | Error message (x-amzn-ErrorMessage) | Root cause | Remediation | Includes SCEP response? |
---|---|---|---|---|
ThrottlingException | The request was denied due to request throttling. | Too many requests have been issued to this Connector, triggering some requests to be denied. This certificate rotation may result in temporary issues during the update period, as the new certificate is being deployed. However, this error should be resolved automatically in a timely manner. | If you exceed the limit of requests to a connector, your requests will be denied. If you need to increase your quota, see Connector for SCEP endpoints and quotas. | No |
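How a client or log processor can act on the two response headers used throughout the tables on this page, shown as an added example that is not AWS code. The retry delays, the attempt limit and the tolerance for a `:detail` suffix on the error type are assumptions, and the sample responses are constructed.

```python
import random

# Only these two rows on the page tell the client to try again later.
RETRYABLE = {(409, "ConflictException"), (429, "ThrottlingException")}
MAX_ATTEMPTS = 5  # assumption: the page sets no retry limit

def triage(status, headers, attempt, rng=random.random):
    """Decide how a client should react to a Connector for SCEP error."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    # Assumption: tolerate a ":detail" suffix after the error type.
    etype = h.get("x-amzn-errortype", "").split(":", 1)[0].strip()
    result = {
        "error_type": etype,
        "message": h.get("x-amzn-errormessage", ""),
        # In the 400 table only BadRequestException rows carry a SCEP response.
        "parse_scep_body": status == 400 and etype == "BadRequestException",
        "retry_after_s": None,  # None means: fix the cause, do not retry
    }
    if (status, etype) in RETRYABLE and attempt < MAX_ATTEMPTS:
        if status == 409:
            # "Try your request again in a few minutes": 120 s is an assumption.
            result["retry_after_s"] = 120 + rng() * 30
        else:
            # Throttled: exponential backoff with full jitter, capped at 60 s.
            result["retry_after_s"] = rng() * min(60, 2 ** attempt)
    return result

# Constructed (status, headers) pairs for illustration.
SAMPLES = [
    (400, {"x-amzn-ErrorType": "BadRequestException",
           "x-amzn-ErrorMessage": "The challenge password is invalid."}),
    (400, {"X-Amzn-Errortype": "ValidationException",
           "X-Amzn-Errormessage": "The request must contain base64."}),
    (409, {"x-amzn-errortype": "ConflictException"}),
    (429, {"x-amzn-ErrorType": "ThrottlingException"}),
]

def demo():
    """Triage every sample as a first attempt."""
    return [triage(status, headers, 0) for status, headers in SAMPLES]

if __name__ == "__main__":
    for row in demo():
        print(row)
```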