topic Re: Query on using Registration Key to enroll remote access certificate in SASE and Remote Access

Query on using Registration Key to enroll remote access certificate

PJ_WONG — Thu, 27 Feb 2025 08:52:43 GMT

Hi Checkmates,

I am testing on using the registration key for Certificate Enrolment, so that I can distribute the VPN certificates to user using registration key.

However I got message that the enrolment failed.. But if I download the certificate manually then everything works fine.

Am I missing out something to use registration key for enrolment? I have attached the images for reference, appreciate any advise on this.

Thank you.

Re: Query on using Registration Key to enroll remote access certificate

PhoneBoy — Thu, 27 Feb 2025 17:24:00 GMT

What version/JHF of gateway?
What client version?
Did you pull the client logs to see if there any clues there?

Re: Query on using Registration Key to enroll remote access certificate

PJ_WONG — Fri, 28 Feb 2025 02:47:51 GMT

Hi PhoneBoy,

I am using R81.10 JHF 150 in my lab.

The client version is E88.50 Build 98105707

I can see this error in logs:

[TrGUI] EnrollCBFunc: callback called with error code -4 , (Remote Access VPN could not establish connection with Internal CA.

Enter the server IP or server name and try again.

The firewall policy is allow any traffic, and I can ping it, is additional settings needed?

Thanks,

Re: Query on using Registration Key to enroll remote access certificate

the_rock — Fri, 28 Feb 2025 03:00:40 GMT

Does it happen on every machine? Maybe try E88.62 client as a test. Though, based on those messages you sent, appears its communication to the gateway thats failing. Do you see any logs about this in smart console?

Andy

Re: Query on using Registration Key to enroll remote access certificate

PJ_WONG — Fri, 28 Feb 2025 04:15:59 GMT

Hi Andy,

Am able to connect with E88.62 client, appreciate your suggestion on this.

Didn't suspect it is a version issue as the key enrolment should be a basic function..

Thanks,

Re: Query on using Registration Key to enroll remote access certificate

the_rock — Fri, 28 Feb 2025 04:19:39 GMT

Glad we can help. Yea, always something to consider with endpoint clients, for sure.

Andy

Re: Query on using Registration Key to enroll remote access certificate

PhoneBoy — Fri, 28 Feb 2025 16:46:19 GMT

Key Enrollment has been there for quite some time.
Not sure what in E88.50 causes issues with it, but glad the latest version is working.

Re: Query on using Registration Key to enroll remote access certificate

ccsjnw — Wed, 14 Jan 2026 15:28:56 GMT

I worked through this very problem only yesterday!

It's a permission problem. Standard Windows Users (without Administrative permissions have this problem) - but there is an easy solution 😀.

When you do the Certificate Enrolment on the client machine, it actually tries to install two certificates not one - but you have no visibility of this...

The user's specific certificate with its private key can be enrolled into the the User's Personal Certificate Store in Windows (with standard user permissions) without any problem, but the corresponding Issuing Certificate from your Firewall Manager also needs to be located in the Trusted Root Certification Authorities Store on your computer. The certificate enrolment process tries to install the certificate if it doesn't exist, but the process fails if you don't have Administrative permissions on the computer.

The solution is to use Group Policy to pre-distribute the Issuing Certificate to the Trusted Root Certification Authorities Store on all the relevant computers in your domain (for example all your laptop computers):

Required GPO settings:

When you create the GPO, you just need a copy of the required certificate (you can copy it from an already working computer in .cer format). The certificate becomes embedded as part of the GPO object.

After the computers refresh Group Policy, they now have the required certificate located in Trusted Root Certification Authorities Store. Because the valid certificate is now already located on the computer, when you perform certificate enrolment process, it will now work without error.

Re: Query on using Registration Key to enroll remote access certificate

the_rock — Wed, 14 Jan 2026 14:26:51 GMT

Great job!