matthewc3
New Member
May 15, 2025
Question

EMS custom certificate not being pushed out to endpoints


I am unable to push a certificate to endpoints on EMS.

I have uploaded the certificate in EMS, and I can confirm that EMS has picked it up and is reporting the certificate is valid.

Under the System Settings Profile, I have checked "Install CA Certificate on Client" and checked my certificate.

I can confirm that the System Settings Profile is applied to the group my test endpoint is in.

I can also confirm the certificate is valid; I was able to manually install and trust it on my test system.

I know this setting works with another certificate, as we are using it to push a different certificate to endpoints. However, this new certificate is not being pushed out.

I cannot find anything in the documentation about this -- does anyone know why a certificate would not be sent out to endpoints?

3 replies

jay_rich
Explorer
May 16, 2025

If EMS successfully pushes other certificates but not this new one, the issue may be with how the new cert was imported. Double-check that it's in the correct format (PEM or DER), includes the full certificate chain, and is marked as trusted in EMS. Also, try re-uploading and reassigning it in the profile.

matthewc3 (Author)
New Member
May 16, 2025

Thanks for this -- my cert is in pem format (I even renamed the extension to .pem, which still didn't work). What do you mean by "marked as trusted" -- where can I set this? 

AEK
SuperUser
May 17, 2025

Hi Matthew

The option "Install CA Certificate on Client" is to push CA certs, not server certificates or user/client certificates.

So in case the certificate you are trying to push is not a CA certificate then I don't think it will be pushed to the client.

AEK
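
The file-level checks suggested in the replies above (PEM or DER encoding, what the file actually contains, CA versus leaf) can be run locally before re-uploading. This is an added example, not from the thread or from Fortinet; it assumes the openssl CLI is installed, `inspect_cert` and `make_samples` are hypothetical helper names, and the sample certificates are constructed throwaways.

```sh
#!/bin/sh
# Added example: inspect a certificate file before assigning it in a profile.
# inspect_cert and make_samples are hypothetical helper names (assumption);
# only the openssl CLI is required.

# Print "encoding=<PEM|DER> certs=<n> ca=<yes|no> self_signed=<yes|no>".
inspect_cert() {
    f=$1
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        enc=PEM
        # A bundle (for example root + intermediate) holds several blocks.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f")
    elif openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then
        enc=DER
        n=1
    else
        echo "encoding=unknown"
        return 1
    fi
    # openssl x509 reads only the first certificate of a PEM bundle.
    text=$(openssl x509 -inform "$enc" -in "$f" -noout -text) || return 1
    # basicConstraints CA:TRUE is what distinguishes a CA cert from a leaf.
    case $text in *CA:TRUE*) ca=yes ;; *) ca=no ;; esac
    subj=$(openssl x509 -inform "$enc" -in "$f" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -inform "$enc" -in "$f" -noout -issuer | sed 's/^issuer= *//')
    # Subject equal to issuer indicates a self-issued (root-style) certificate.
    if [ "$subj" = "$iss" ]; then self=yes; else self=no; fi
    echo "encoding=$enc certs=$n ca=$ca self_signed=$self"
}

# Constructed sample input: throwaway self-signed certs, one CA and one non-CA,
# plus a DER copy and a two-certificate PEM bundle, written into directory $1.
make_samples() {
    d=$1
    for kind in TRUE FALSE; do
        printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=Constructed %s\n[v3]\nbasicConstraints=critical,CA:%s\n' \
            "$kind" "$kind" > "$d/$kind.cnf"
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/$kind.cnf" \
            -keyout "$d/$kind.key" -out "$d/ca_$kind.pem" 2>/dev/null || return 1
    done
    openssl x509 -in "$d/ca_TRUE.pem" -outform DER -out "$d/ca_TRUE.der" || return 1
    cat "$d/ca_TRUE.pem" "$d/ca_FALSE.pem" > "$d/bundle.pem"
}

# Usage: sh inspect_cert.sh path/to/certificate
if [ $# -gt 0 ]; then inspect_cert "$1"; fi
```

For a bundle, the `ca` and `self_signed` fields describe only the first certificate in the file, so the order of a combined root and intermediate file changes the result.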
matthewc3 (Author)
New Member
May 19, 2025

This is a root CA certificate -- not a leaf certificate or intermediate certificate. I have also tried combining the root cert and the intermediate cert to see if that gets pushed out, to no avail.

I can see all the cert details on EMS, and can install this cert manually on any endpoint, so I know the cert is valid.

AEK
SuperUser
May 21, 2025

Anything relevant in the client logs?

AEK
matthewc3 (Author)
New Member
May 21, 2025

Where should I be looking? The only slightly suspicious line I can find is in epctrl.log:

20250521 08:49:32.176 TZ=-0700 [epctrl:EROR] endpoint_impl:274 Failed to import certificate

Which is largely unhelpful. I also can't find the name of my cert anywhere in the logs.