Troubleshoot Connector for SCEP client errors - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshoot Connector for SCEP client errors

Use the following guidance to troubleshoot client errors related to Connector for SCEP.

Each entry below gives an example of the client message, its root cause, and the solution.

Message example: ECDSA keys are not supported

Root cause: The connector is attached to a private CA whose key is ECDSA rather than RSA. Amazon Private CA and Connector for SCEP support ECDSA keys, but not all client devices do: the PKCS #7 EnvelopedData that most SCEP clients produce uses RSA key transport, which requires the recipient CA or RA certificate to hold an RSA key.

Solution: Use a private CA that has an RSA key instead of an ECDSA key. A connector is bound to a single private CA for its entire lifetime, so if you create a new private CA with an RSA key, you must also create a new connector for it.

Message example: Encryption or signing certificate is not present

Root cause: According to RFC 8894, a SCEP service answers a GetCACert request with the CA certificate chain and, where one is used, separate RA certificates. The client uses these certificates to encrypt its enrollment request (PKCS #7 EnvelopedData) to the CA or RA and to validate the signature on the service's responses.

Connector for SCEP returns a single certificate that serves both purposes, encryption and signature validation, which is a common approach. Some clients, however, expect two separate certificates, one with the keyEncipherment key usage for encryption and one with the digitalSignature key usage for signing, and report that the encryption or signing certificate is missing when they receive only one.

Solution: Use a SCEP client that accepts one certificate for both encryption and signature validation. If you are unable to use compatible clients, contact Amazon Web Services Support for assistance.
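The following shell script is an added example and is not part of the Amazon documentation or of Connector for SCEP. It covers both entries above: it checks a CA or RA certificate for an RSA public key (the ECDSA entry) and for a single certificate carrying both the digitalSignature and keyEncipherment key usages (the encryption or signing certificate entry). It assumes the openssl command-line tool (1.1.1 or later, for the -addext option) is installed, and it generates three constructed self-signed sample certificates locally; these are not real Amazon Private CA certificates. The function names scep_cert_profile, scep_check and make_sample_certs are this example's own.

```shell
#!/bin/sh
# Added example (not Amazon documentation code): pre-flight checks for a SCEP
# CA/RA certificate against the two client complaints described above.
# Assumes the openssl CLI (1.1.1 or newer, for "req -addext") is installed.

# scep_cert_profile CERT.pem
# Prints "alg=<rsa|ec|other> ku=<usages>", where <usages> is the X509v3 Key
# Usage list with spaces removed (e.g. DigitalSignature,KeyEncipherment), or
# "none" if the certificate has no key usage extension.
scep_cert_profile() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  case "$text" in
    *"Public Key Algorithm: rsaEncryption"*) alg=rsa ;;
    *"Public Key Algorithm: id-ecPublicKey"*) alg=ec ;;
    *) alg=other ;;
  esac
  # openssl prints the usage names on the line after the extension header.
  ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}' | tr -d ' ')
  printf 'alg=%s ku=%s\n' "$alg" "${ku:-none}"
}

# scep_check CERT.pem
# Returns 0 when a client that expects one RSA certificate usable for both
# encryption and signature validation will accept CERT.pem; otherwise prints
# each problem found and returns 1.
scep_check() {
  profile=$(scep_cert_profile "$1") || return 1
  rc=0
  case "$profile" in
    *"alg=rsa"*) ;;
    *) echo "  key is not RSA: clients that use RSA key transport cannot encrypt to it"; rc=1 ;;
  esac
  case "$profile" in
    *DigitalSignature*) ;;
    *) echo "  no digitalSignature key usage: cannot validate SCEP response signatures"; rc=1 ;;
  esac
  case "$profile" in
    *KeyEncipherment*) ;;
    *) echo "  no keyEncipherment key usage: cannot encrypt the enrollment request to it"; rc=1 ;;
  esac
  return $rc
}

# make_sample_certs DIR
# Constructed test data: three locally generated self-signed certificates that
# stand in for certificates returned by GetCACert. They are not real Amazon
# Private CA certificates.
make_sample_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample RSA CA" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign" \
    -keyout "$1/rsa-both.key" -out "$1/rsa-both.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample signing-only RSA CA" \
    -addext "keyUsage=critical,digitalSignature,keyCertSign" \
    -keyout "$1/rsa-signonly.key" -out "$1/rsa-signonly.pem" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key" 2>/dev/null
  openssl req -x509 -new -key "$1/ec.key" -days 1 -subj "/CN=sample ECDSA CA" \
    -addext "keyUsage=critical,digitalSignature,keyCertSign" \
    -out "$1/ec.pem" 2>/dev/null
}

SCEP_TMP=$(mktemp -d)
make_sample_certs "$SCEP_TMP"
for name in rsa-both rsa-signonly ec; do
  echo "$name: $(scep_cert_profile "$SCEP_TMP/$name.pem")"
  if scep_check "$SCEP_TMP/$name.pem"; then echo "  compatible"; else echo "  incompatible"; fi
done
```

To check a real connector instead of the sample certificates, save the certificate from the connector's GetCACert response as a PEM file and pass its path to scep_check. A connector whose private CA has an ECDSA key fails the first check; the second and third checks flag a certificate that carries only one of the two key usages a client needs when the same certificate is used for both encryption and signature validation.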