Caught Certificate request refused by certification manager, subject identity not proven

  • Article ID: 121087
  • Updated: 30 Jun 2015

Issue

The following error is shown in the Sophos Remote Management (RMS) Router log:

[DATE] [TIME] E Router::Start: Caught Certificate request refused by certification manager, subject identity not proven

First seen in

Enterprise Console 5.2.1 R2

Cause

The message router does not have a certificate.

What To Do

The three identity keys held in the endpoint's registry must be present and must match the server's keys. The table in the section 'Cross reference of registry values to configuration values' below lets you cross-reference the registry keys against the values in the mrinit.conf file.

If you determine that the values do not match, are unsure whether they match, or the problem continues, perform the following:

  1. Re-protect the endpoint computer from the central distribution share (e.g., via a manual install). Check whether the problem has been corrected. If not, continue to step two.
  2. Create an RMS re-initialization script (reinit) using article 116737 and run it on the endpoint computer.

Cross reference of registry values to configuration values

MRInit.conf value                  Corresponding registry key
-------------------------------    --------------------------
DelegatedManagerCertIdentityKey    HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private | CertificationIdentityKey
ManagedAppCertIdentityKey          HKLM\SOFTWARE\Wow6432Node\Sophos\Remote Management System\CertificationIdentityKeys | ManagedApplication
RouterCertIdentityKey              HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\CertificationIdentityKeys | CertificationIdentityKey
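
The cross-reference in the table above can be scripted. The following PowerShell is an added example, not Sophos code: it assumes mrinit.conf stores each entry as a "Name"="Value" line, that the registry values are strings, and that $MrInitPath (a hypothetical parameter) points to a copy of the server's mrinit.conf. It reports match status only and never prints the key material.

```powershell
# Added example: compare the three identity keys in mrinit.conf with the
# endpoint's registry values from the cross-reference table.
param(
    # Assumption: path to a copy of the server's mrinit.conf
    [Parameter(Mandatory)] [string] $MrInitPath
)

# mrinit.conf value -> (registry key path, value name), taken from the table
$map = [ordered]@{
    DelegatedManagerCertIdentityKey = @('HKLM:\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private', 'CertificationIdentityKey')
    ManagedAppCertIdentityKey       = @('HKLM:\SOFTWARE\Wow6432Node\Sophos\Remote Management System\CertificationIdentityKeys', 'ManagedApplication')
    RouterCertIdentityKey           = @('HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System\CertificationIdentityKeys', 'CertificationIdentityKey')
}

# Assumption: entries look like "Name"="Value"; other lines are ignored
$conf = @{}
foreach ($line in Get-Content -LiteralPath $MrInitPath) {
    if ($line -match '^\s*"([^"]+)"\s*=\s*"([^"]*)"\s*$') {
        $conf[$Matches[1]] = $Matches[2]
    }
}

$results = foreach ($name in $map.Keys) {
    $keyPath, $valueName = $map[$name]
    # Returns $null when the key or the value does not exist
    $reg = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    $status = if (-not $conf.ContainsKey($name)) { 'MissingInConf' }
    elseif ([string]::IsNullOrEmpty($reg)) { 'MissingInRegistry' }
    elseif ($reg -ceq $conf[$name]) { 'Match' }   # case-sensitive comparison
    else { 'Mismatch' }

    # Emit status only, so key values do not end up in console output or logs
    [pscustomobject]@{
        ConfValue     = $name
        RegistryKey   = $keyPath
        RegistryValue = $valueName
        Status        = $status
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any key is missing or differs
if (@($results | Where-Object Status -ne 'Match').Count -gt 0) { exit 1 }
```

Any status other than Match corresponds to the condition under which the steps in 'What To Do' apply.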

Example of checking the RouterCertIdentityKey:

 
If you need more information or guidance, then please contact technical support.
