ACME Managed Device Attestation - Certificate format

I'm trying to implement ACME managed device attestation, I have ACME server code written in C# and I've been able to get all of the steps working except for the very last one - issuing the certificate.

I so far have not been able to get the device to accept the certificate, the device logs show:

Got certificate {length = ......}
ACME request flow failed at step 9: Error Domain=NSOSStatusErrorDomain Code=-67673 "failed to obtain certificate" UserInfo={NSLocalizedDescription=failed to obtain certificate}

The certificate is issued by an internal CA and the correct root certificate is in the device's trusted certs.

I have tried returning the certificate chain as a file response or content response to the device as a "application/pem-certificate-chain" mime type (as outlined as the default in the ACME RFC), returning just the leaf certificate as PEM, returning the leaf certificate as DER with mime type "application/pkix-cert", "application/pkcs7-mime", "application/x-pkcs12" or "application/x-x509-ca-cert", but none of this has worked.

Can anyone point me in the right direction to figure out what the issue is?

Answered by Device Management Engineer in 778098022

Your ACME server should follow the ACME RFC 8555 section 7.4.2, which states:

The default format of the certificate is application/pem-certificate-chain (see Section 9).

Section 9.1 gives more detail on that.

You wrote:

The certificate is issued by an internal CA and the correct root certificate is in the device's trusted certs.

It's not strictly necessary for the device to trust the CA that is issuing the cert since the device is not acting as a relying party. It's just installing the cert that the ACME server provided. It's only once the device uses the resulting identity that a relying party must trust the CA. The device does need to trust the cert that the ACME server uses to authenticate itself, but that's not necessarily the same as trusting the CA that the ACME server uses to issue certs.

Accepted Answer

Your ACME server should follow the ACME RFC 8555 section 7.4.2, which states:

The default format of the certificate is application/pem-certificate-chain (see Section 9).

Section 9.1 gives more detail on that.

You wrote:

The certificate is issued by an internal CA and the correct root certificate is in the device's trusted certs.

It's not strictly necessary for the device to trust the CA that is issuing the cert since the device is not acting as a relying party. It's just installing the cert that the ACME server provided. It's only once the device uses the resulting identity that a relying party must trust the CA. The device does need to trust the cert that the ACME server uses to authenticate itself, but that's not necessarily the same as trusting the CA that the ACME server uses to issue certs.

ACME Managed Device Attestation - Certificate format
 
 
Q