Internal Server Error (500) when calling adcsEnrollmentCertificate

Hello,

I am using the REST API to create a Certificate Authority in MobiControl. I have successfully called the APIs to create the CA (adcsHttps), add the root certificate (adcsRootCertificate) and add the template information (certificateTemplates).  The final piece to complete this for me is to add the enrollment certificate to the CA. This is done using adcsEnrollmentCertificate.

I have followed the documentation and formatted the request exactly as required, however I keep receiving an Internal Server Error (500).

Can anyone offer me some advice on how to debug this? I have made sure the certificate pfx file does not contain any certificate chains (this is a requirement). And the Certificate Authority created in MobiControl from this script will allow me to manually load the enrollment certificate pfx after the script is run (so I'm pretty confident it's not the format of the PFX file).

Here is a snippet of my code (PowerShell):

$EnrollmentCertificatePath = "C:\Test\enrollment.pfx"
$RootCertificatePath = "C:\Test\rootca.der"
$EOL = "`r`n"
 
#
# Create Certificate Authority
#
$AuthHeader = @{}
$AuthHeader["Authorization"] = "Bearer <AuthToken>"
 
try
{
    $CreateCABody = @{}
    $CreateCABody["ReferenceId"]=$null
    $CreateCABody["Name"]="MY NEW CA"
    $CreateCABody["CertificationAuthorityType"]="AdcsPkiHttps"
    $CreateCABody["PolicyServiceUrl"]="https://cesserver.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
    $CreateCABody["EnrolmentServiceUrl"]="https://cesserver.com/CESSERVER_CES_UsernamePassword/service.svc/CES"
    $CreateCABody["RootCertificateInfo"]=$null
    $CreateCABody["EnrolmentCertificateInfo"]=$null
    $CreateCABody["AuthenticationType"]="UserNamePassword"
    $CreateCABody["CertificateInfo"]=$null
    $CreateCABody["UserName"]="cesuser"
    $CreateCABody["Password"]="password"
    $CreateCABody["CloudLinkAgentName"]=$null
 
    $CreateCABodyJson = $CreateCABody | ConvertTo-Json
 
    $adcsHttps = "https://mobicontrol-server/MobiControl/api/certificateManagement/certificationAuthorities/adcsHttps"
 
    $result = Invoke-restmethod -Uri $adcsHttps -ContentType "application/json" -Method POST -Headers $AuthHeader -body $CreateCABodyJson
 
    $ReferenceId = $result.ReferenceId
 
    Write-Host "Success: New CA created - Reference ID: $ReferenceId"
}
catch
{
    $_.Exception.Message
    exit -2
}
 
#
# Set the root CA certificate for the new CA
#
$Base64EncodedRootCaFile = [Convert]::ToBase64String([IO.File]::ReadAllBytes($RootCertificatePath))
Write-Host "Extracted root CA file contents (base64) - Reference ID: $Base64EncodedRootCaFile"
$CerFilename = 'rootca.cer'
 
$AdcsRootCertBody = $EOL + "--mc_boundary" + $EOL
$AdcsRootCertBody += "Content-Type: application/pkix-cert+json" + $EOL
$AdcsRootCertBody += "{ `"filename`": `"" + $CerFilename + "`" }" + $EOL + $EOL + $EOL
$AdcsRootCertBody += "--mc_boundary" + $EOL
$AdcsRootCertBody += "Content-Type: application/pkix-cert" + $EOL
$AdcsRootCertBody += "Content-Transfer-Encoding: base64" + $EOL
$AdcsRootCertBody += "Content-Disposition: attachment; filename=`"" + $CerFilename + "`"" + $EOL + $EOL
$AdcsRootCertBody += $Base64EncodedRootCaFile + $EOL + $EOL + $EOL
$AdcsRootCertBody = $AdcsRootCertBody + "--mc_boundary--" + $EOL
 
try
{
    Write-Host "Body for AdcsRootCert is:"
    Write-Host $AdcsRootCertBody
    Write-Host "..."
    $adcsRootCertificate = "https://mobicontrol-server/MobiControl/api/certificateManagement/certificationAuthorities/$ReferenceId/adcsRootCertificate"
    $result = Invoke-restmethod -Uri $adcsRootCertificate -ContentType "multipart/related; boundary=mc_boundary" -Method POST -Headers $AuthHeader -body $AdcsRootCertBody
    Write-Host "Success!"
}
catch
{
    $_.Exception.Message
    exit -3
}
 
try
{
    $TemplateBody = @{}
    $TemplateBody["Name"]="User Template"
    $TemplateBody["CertificationAuthorityReferenceId"]="$ReferenceId"
    $TemplateBody["CertificationAuthorityTemplateName"]="UserTemplate"
    $TemplateBody["CertificateTarget"]="Device"
    $TemplateBody["SubjectTemplate"]="CN=test"
    $TemplateBody["AlternativeSubjectTemplate"]=$null
    $TemplateBody["KeySize"]=2048
    $TemplateBody["ShouldRemoveAfterRenewal"]=$true
    $TemplateBody["UseAutoRenewal"]=$true
    $TemplateBody["NumberOfDaysForAutoRenewal"]=60
    $TemplateBody["PreservePrivateKey"]=$true
    $TemplateBody["Disabled"]=$false
    $TemplateBody["PublishToLdap"]=$false
    $TemplateBody["KeyProtection"]="Protected"
    $TemplateBody["HashAlgorithm"]="Sha1"
    $TemplateBody["ValuePeriod"]="Days"
    $TemplateBody["ValuePeriodUnits"]=0
    $TemplateBody["RequireUserAuthentication"]=$false
 
    $TemplateBodyJson = $TemplateBody | ConvertTo-Json
 
    $certificateTemplates = "https://mobicontrol-server/MobiControl/api/certificateManagement/certificationAuthorities/$ReferenceId/certificateTemplates"
 
    $result = Invoke-restmethod -Uri $certificateTemplates -ContentType "application/json" -Method POST -Headers $AuthHeader -body $TemplateBodyJson
}
catch
{
    $_.Exception.Message
    exit -5
}
 
#
# Set the enrollment certificate for the new CA
#
$Base64EncodedEnrollmentCertFile = [Convert]::ToBase64String([IO.File]::ReadAllBytes($EnrollmentCertificatePath))
 
$AdcsEnrollmentCertificateBody = "--mc_boundary" + $EOL
$AdcsEnrollmentCertificateBody += "Content-Type: application/x-pkcs12.metadata+json" + $EOL
$AdcsEnrollmentCertificateBody += "{`"filename`": `"enrollment.pfx`", `"password`": `"mypassword`"}" + $EOL + $EOL + $EOL
$AdcsEnrollmentCertificateBody += "--mc_boundary" + $EOL
$AdcsEnrollmentCertificateBody += "Content-Type: application/x-pkcs12" + $EOL
$AdcsEnrollmentCertificateBody += "Content-Transfer-Encoding: base64" + $EOL
$AdcsEnrollmentCertificateBody += "Content-Disposition: attachment; filename=`"enrollment.pfx`"" + $EOL
$AdcsEnrollmentCertificateBody += $Base64EncodedEnrollmentCertFile + $EOL + $EOL + $EOL
$AdcsEnrollmentCertificateBody += "--mc_boundary--"
 
try
{
    Write-Host "Body for adcsEnrollmentCertificate is:"
    Write-Host $AdcsEnrollmentCertificateBody
    Write-Host "..."
 
    $adcsEnrollmentCertificate = "https://mobicontrol-server/MobiControl/api/certificateManagement/certificationAuthorities/$ReferenceId/adcsEnrollmentCertificate"
    Write-Host "Posting: $adcsEnrollmentCertificate"
    $result = Invoke-restmethod -Uri $adcsEnrollmentCertificate -ContentType "multipart/related; boundary=mc_boundary" -Method POST -Headers $AuthHeader -body $AdcsEnrollmentCertificateBody
 
    Write-Host "Success!"
}
catch
{
# THIS IS WHERE WE END UP WITH AN INTERNAL SERVER ERROR (500)
    Write-Host "Failed to import the PFX file. Ensure the password is correct and that the PFX file does NOT contain CA certificates"
    $_.Exception
}

Thanks!

Andy

a year ago
SOTI MobiControl
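
In the script above, the root-certificate body ends the headers of its binary part with `$EOL + $EOL`, while the enrollment body puts a single `$EOL` between `Content-Disposition` and the base64 data. MIME framing separates a part's headers from its content with an empty line, so the following added example (not part of the original post or of SOTI's documentation; `Test-MultipartFraming` is a hypothetical helper and the payload is a constructed placeholder) checks a body string for that separator before it is sent.

```powershell
# Added example, not from the original post. Test-MultipartFraming is a
# hypothetical helper name; it inspects a string and sends nothing.
function Test-MultipartFraming {
    param(
        [Parameter(Mandatory)][string]$Body,
        [Parameter(Mandatory)][string]$Boundary
    )
    $crlf  = "`r`n"
    $index = 0
    # Element 0 of the split is the preamble before the first delimiter.
    $chunks = $Body -split [regex]::Escape("--$Boundary") | Select-Object -Skip 1
    foreach ($chunk in $chunks) {
        if ($chunk.StartsWith('--', [StringComparison]::Ordinal)) { break }  # closing delimiter
        $index++
        $part = $chunk -replace '^\r\n', ''
        # The first empty line marks the end of the part's headers.
        $sep  = $part.IndexOf($crlf + $crlf, [StringComparison]::Ordinal)
        $head = if ($sep -ge 0) { $part.Substring(0, $sep) } else { $part }
        # Lines ahead of that empty line that are not "Name: value" are content
        # that a MIME parser would read as part of the header block.
        $stray = @($head -split $crlf | Where-Object { $_ -and $_ -notmatch '^[\w-]+:' })
        [pscustomobject]@{
            Part       = $index
            Framed     = ($sep -ge 0 -and $stray.Count -eq 0)
            StrayLines = $stray.Count
        }
    }
}

$EOL = "`r`n"
$b64 = 'QUJD'   # constructed placeholder payload, not a real certificate or PFX

# Binary part framed as in the post's root-certificate body: $EOL + $EOL after the last header.
$rootStyle = "--mc_boundary" + $EOL +
    "Content-Type: application/pkix-cert" + $EOL +
    "Content-Disposition: attachment; filename=`"rootca.cer`"" + $EOL + $EOL +
    $b64 + $EOL + "--mc_boundary--"

# Binary part framed as in the post's enrollment body: a single $EOL after the last header.
$enrollStyle = "--mc_boundary" + $EOL +
    "Content-Type: application/x-pkcs12" + $EOL +
    "Content-Disposition: attachment; filename=`"enrollment.pfx`"" + $EOL +
    $b64 + $EOL + "--mc_boundary--"

Test-MultipartFraming -Body $rootStyle   -Boundary 'mc_boundary'
Test-MultipartFraming -Body $enrollStyle -Boundary 'mc_boundary'
```

Checking the body this way instead of echoing it with Write-Host also keeps the PFX password and the base64-encoded key material out of console output and transcripts.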
ANSWERS
AKMOD@SOTI
a year ago

Hi Andy,

As this needs thorough investigation, I would highly recommend that you log a case so that we can delve deeper into the matter.

We request you to please raise a support case at log a case so that our agent can work on your query as quickly as possible.

Kind Regards