The CA certificate generated for the host Core machine is mismatched following a re-install or upgrade

Article ID: KB31093

Type: Support Content

Last Modified: 11-04-2013

 

Product(s) Affected:

  • BlackBerry Enterprise Service 10
  • Universal Device Service
CollapseEnvironment
  • Universal Device Service
  • BlackBerry Enterprise Service 10 version 10.1
  • DT 3427327
CollapseOverview
Following a Universal Device Service re-install on the host server or upgrading to BlackBerry Enterprise Service 10 version 10.1, it is observed that iOS devices and Android devices cannot be activated successfully.
CollapseCause

If the Core and Console modules are installed on a different host machine than the Communication module, a re-install of the Universal Device Service software on both machines may result in the CA certificates being mismatched on both machines. This mismatch will ultimately disallow a successful activation of the iOS devices.

The Communication module log shows the following:

FATAL,"2012-06-11 10:06:58,190",11,0,"d1c3fa30-24eb-4451-9224-6bc77f6e9a59","Enroll profile sending error. Please, contact your administrator.",

,Type: System.InvalidOperationException

,Message:

No certificates with key 'b4c0f824187f04b72c9535299dbe51788a51d5f9' found in the store

,Source: RIM.BUDS.Utilities

,TargetSite: "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificate(System.String, System.Security.Cryptography.X509Certificates.X509FindType, System.Security.Cryptography.X509Certificates.StoreName)"

,StackTrace: at RIM.BUDS.Utilities.Helpers.CertificateFactory.GetCertificate(String subjectName, X509FindType findType, StoreName storeLocation) in c:\ec_build\604689\BUDSServer\source\enterprise\BUDS\Server\Sources\RIM.BUDS.Utilities\Helpers\CertificateFactory.cs:line 41

, at RIM.BUDS.Core.Client.Model.CertificatesStore.get_CaCertificate() in c:\ec_build\604689\BUDSServer\source\enterprise\BUDS\Server\Sources\RIM.BUDS.Core.Client\Model\CertificatesStore.cs:line 33

, at RIM.BUDS.Communication.iOS.ProfileServices.Handlers.EnrollHandler.DoEnroll(Boolean isDeviceClient, Int32 tenantId, Int32 userId, String hash, String language, String osVersion) in c:\ec_build\604689\BUDSServer\source\enterprise\BUDS\Server\Sources\RIM.BUDS.Communication.iOS\ProfileServices\Handlers\EnrollHandler.cs:line 121

The reported CA certificate can be found by the Thumbprint value on the Core module server and has different Thumbprint on the Communication module.

For BlackBerry Enterprise Service version 10.1:

Server fingerprint would not match with received fingerprint in device. By checking the APN settings in Universal Device administration console, the correct certificate which was in use can be found. Follow the below steps to update an SSL certificate for the Communication Module (Configuration guide of BES 10.1)

  1. On a computer that hosts an instance of the BlackBerry Enterprise Service 10 core components, right-click the BES10 Configuration Tool and select Run as administrator.
  2. On the Communication Module tab, select the location for the SSL certificate, and type the password.
  3. Click OK.
  4. Restart Microsoft IIS on the computer.
  5. Repeat steps 1 to 4 for each instance of the BlackBerry Enterprise Service 10 core components.
  6. Start the activation of the iOS device again.
CollapseWorkaround

The following steps can be used as a workaround for this issue:

  1. Export the Core CA certificate from IIS - > Server Certificates
  2. On the host machine that the Communication module is installed on, navigate into IIS -> Server Certificates and delete the existing RIM UDS CA certificate
  3. On the host machine that the Communication module is installed on , import the new RIM UDS CA Certificate obtained from the Core machine (so that the CA certificates now match on both machines)
  4. Restart all services (including the Communication service and Core service on IIS), along with the BlackBerry services  
  5. Activate the iOS or Android device and verify that the activation was successful

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.