The CA certificate generated for the host Core machine is mismatched following a re-install or upgrade

Article ID: KB31093

Type: Support Content

Last Modified: 02-11-2015


Product(s) Affected:

  • BES10
  • Universal Device Service
  • Universal Device Service
  • BlackBerry Enterprise Service 10 version 10.1 to 10.2
  • DT 3427327

Following a Universal Device Service re-install on the host server or upgrading to BlackBerry Enterprise Service 10 version 10.1, it is observed that iOS devices and Android devices cannot be activated successfully.

During an enrollment of a device, activation will fail with the error:

Enroll profile sending error. Please contact your administrator.


If the Core and Console modules are installed on a different host machine than the Communication module, a re-install of the Universal Device Service software on both machines may result in the CA certificates being mismatched on both machines. This mismatch will ultimately disallow a successful activation of the iOS devices.

The Communication module log shows the following:

FATAL,"2012-06-11 10:06:58,190",11,0,"d1c3fa30-24eb-4451-9224-6bc77f6e9a59","Enroll profile sending error. Please, contact your administrator.",
,Type: System.InvalidOperationException
No certificates with key 'b4c0f824187f04b72c9535299dbe51788a51d5f9' found in the store
,TargetSite: "System.Security.Cryptography.X509Certificates.X509Certificate2 GetCertificate(System.String, System.Security.Cryptography.X509Certificates.X509FindType, System.Security.Cryptography.X509Certificates.StoreName)"
,StackTrace: at RIM.BUDS.Utilities.Helpers.CertificateFactory.GetCertificate(String subjectName, X509FindType findType, StoreName storeLocation) in c:\ec_build\604689\BUDSServer\source\enterprise\BUDS\Server\Sources\RIM.BUDS.Utilities\Helpers\CertificateFactory.cs:line 41
, at RIM.BUDS.Core.Client.Model.CertificatesStore.get_CaCertificate() in c:\ec_build\604689\BUDSServer\source\enterprise\BUDS\Server\Sources\RIM.BUDS.Core.Client\Model\CertificatesStore.cs:line 33
, at RIM.BUDS.Communication.iOS.ProfileServices.Handlers.EnrollHandler.DoEnroll(Boolean isDeviceClient, Int32 tenantId, Int32 userId, String hash, String language, String osVersion) in c:\ec_build\604689\BUDSServer\source\enterprise\BUDS\Server\Sources\RIM.BUDS.Communication.iOS\ProfileServices\Handlers\EnrollHandler.cs:line 121

The reported CA certificate can be found by the Thumbprint value on the Core module server and has different Thumbprint on the Communication module.

For BlackBerry Enterprise Service 10 version 10.1:

Server fingerprint would not match with received fingerprint in device. By checking the APN settings in Universal Device administration console, the correct certificate which was in use can be found. Follow the below steps to update an SSL certificate for the Communication Module (Configuration guide of BES10 version 10.1)

  1. On a computer that hosts an instance of the BlackBerry Enterprise Service 10 core components, right-click the BES10 Configuration Tool and select Run as administrator.
  2. On the Communication Module tab, select the location for the SSL certificate, and type the password.
  3. Click OK.
  4. Restart Microsoft IIS on the computer.
  5. Repeat steps 1 to 4 for each instance of the BlackBerry Enterprise Service 10 core components.
  6. Start the activation of the iOS device again.
  1. Export the Core CA certificate from IIS > Server Certificates
    1. Open IIS Manager
    2. Highlight the Machine Name on the left.
    3. Click on Server Certificates under IIS section on the right.
    4. Click on the RIM UDS CA Certificate.
    5. Click Export on the left hand options.
  2. Navigate into IIS > Server Certificates and delete the existing RIM UDS CA certificate on the host machine that the Communication module is installed on,
  3. Import the new RIM UDS CA Certificate obtained from the Core machine (so that the CA certificates now match on both machines) on the host machine that the Communication module is installed on.
  4. Restart all services including:
    • The Communication service
    • The Core service on IIS
    • The BlackBerry services
  5. Activate the iOS or Android device and verify that the activation was successful.


By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.

Visit the BlackBerry Technical Solution Center at