Troubleshoot Connector for SCEP client errors
Use the following guidance to troubleshoot client errors related to Connector for SCEP.
Message example | Root cause | Solution |
---|---|---|
ECDSA keys are not supported | The connector is connected to a private CA that uses an ECDSA key instead of RSA. While this service supports ECDSA keys, not all client devices may be compatible with this algorithm. | Consider using a private CA that uses an RSA key instead of ECDSA. If you create a private CA that uses RSA, you also need to create a new connector. A connector can be tied to only one private CA throughout its lifespan. |
Encryption or signing certificate is not present | According to RFC 8894, a SCEP service returns intermediate CA certificates to the client. The client uses these certificates to perform encryption and signature validation operations as part of the SCEP protocol. Connector for SCEP uses the same certificate for both encryption and signature validation, which is a common approach. However, some clients may expect two separate certificates instead. | If you are unable to use compatible clients, contact Amazon Web Services Support. |
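
To confirm which key type the private CA behind a connector uses before enrolling clients, the following added example (not part of the original page and not AWS code) reads the subject public key algorithm from a CA certificate in PEM or DER form. The function names and the `sample_cert` data are assumptions constructed for illustration; `sample_cert` builds an unsigned, certificate-shaped structure, not a real CA certificate.

```python
import ssl

# DER content bytes of the two public-key algorithm OIDs this check cares about.
OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",    # rsaEncryption 1.2.840.113549.1.1.1
    bytes.fromhex("2a8648ce3d0201"): "ECDSA",      # id-ecPublicKey 1.2.840.10045.2.1
}

def read_tlv(buf, off):
    """Return (tag, content_start, content_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def ca_key_algorithm(cert):
    """Name the public key algorithm of a certificate (PEM str or DER bytes)."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    _, s, e = read_tlv(der, 0)                      # Certificate
    _, s, e = read_tlv(der, s)                      # tbsCertificate
    fields = []                                     # content offsets of TBS fields
    while s < e:
        tag, cs, ce = read_tlv(der, s)
        if tag != 0xA0:                             # skip optional [0] version
            fields.append(cs)
        s = ce
    # Order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, s, _ = read_tlv(der, fields[5])              # AlgorithmIdentifier
    tag, s, e = read_tlv(der, s)                    # algorithm OID
    if tag != 0x06:
        raise ValueError("expected an OID in subjectPublicKeyInfo")
    return OIDS.get(der[s:e], "other")

def tlv(tag, content=b""):
    """Encode one short-form DER element (used only for the constructed sample)."""
    return bytes([tag, len(content)]) + content

def sample_cert(oid_hex):
    """Constructed, unsigned certificate-shaped DER for demonstration only."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    spki = seq(seq(tlv(0x06, bytes.fromhex(oid_hex))), tlv(0x03, b"\x00"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for oid in ("2a864886f70d010101", "2a8648ce3d0201"):
        print(ca_key_algorithm(sample_cert(oid)))
```

A result of `ECDSA` for the CA certificate corresponds to the first row of the table: clients that only support RSA will fail against that connector.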