11-08-2023 01:10 PM
What does this mean? The encryption certificate referenced by the FileVault Recovery Key Escrow payload is invalid or does not support encryption.
11-08-2023 01:44 PM
It sounds like Systems Manager isn't able to access the FileVault recovery key because the payload is corrupted or something has gone wrong when the device uploaded the payload to Systems Manager.
Is the MDM certificate on the device still valid or has it expired?
11-10-2023 04:42 AM
@pedrocallrail Can you take us through the flow you use to create the certificate, and which type of FileVault profile you are using?
11-14-2023 12:24 PM
I'm following: https://documentation.meraki.com/SM/Other_Topics/Creating_a_Public%2F%2FPrivate_Certificate_Pair and https://documentation.meraki.com/SM/Profiles_and_Settings/Using_File_Vault_2 It is not providing a .pem certificate. I am trying to create a :
12-07-2023 11:30 AM
Creating a macOS FileVault Recovery Key Escrow profile involves generating a public/private key pair and then using the public key to encrypt the FileVault recovery key.
You can use a tool like OpenSSL to generate a public/private key pair. The private key should be kept secure, as it will be used to decrypt the FileVault recovery key.
In the Meraki dashboard, create a new profile and select the ‘FileVault Recovery Key Escrow’ payload. In the ‘EncryptCertPayloadUUID’ field, enter the UUID of the payload that contains the public key. This will be used to encrypt the recovery key.
Once the profile is created, you can apply it to your devices. The devices will then escrow their FileVault recovery keys, encrypted with the public key, to the Meraki dashboard.
Please note that the certificate file used for the ‘EncryptCertPayloadUUID’ field should be in PEM format. If you’re having trouble generating a PEM certificate, you might want to check the commands you’re using with OpenSSL.
The typical command to generate a PEM encoded certificate is something like this:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
This command generates a new RSA key (server.key) and a self-signed certificate (server.crt). Both are in PEM format.
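The two things questioned in this thread, whether the escrow certificate is PEM encoded and whether it is valid and marked for encryption, can be checked from the shell before the certificate is uploaded. The script below is an added example and not part of any post above or of the Meraki documentation; it assumes OpenSSL 1.1.1 or newer (for `-addext`), uses a placeholder subject name, and assumes that a certificate whose Key Usage lacks key encipherment is what the dashboard reports as "does not support encryption". It also assumes that a certificate exported as `.cer` is DER encoded, which is why a conversion helper is included.

```shell
#!/bin/sh
# Added example: generate a self-signed encryption certificate for a FileVault
# recovery key escrow payload and check it before uploading. All file names
# and the subject are placeholders; OpenSSL 1.1.1+ is assumed for -addext.
set -e

# Generate a 2048-bit RSA key and a one-year self-signed PEM certificate whose
# Key Usage marks it as an encryption certificate (key and data encipherment).
# Keep the private key offline: it is what decrypts escrowed recovery keys.
make_escrow_cert() {
  keyfile="$1"; certfile="$2"
  openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
    -subj "/CN=FileVault Escrow (example)" \
    -addext "keyUsage = critical, keyEncipherment, dataEncipherment" \
    -keyout "$keyfile" -out "$certfile" 2>/dev/null
}

# Return 0 if the file is a PEM-encoded certificate that OpenSSL can parse.
is_pem_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Return 0 if the certificate's Key Usage extension permits key encipherment,
# which is the property an encryption certificate must carry.
supports_encryption() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Key Usage' | grep -q 'Key Encipherment'
}

# Return 0 if the certificate will still be valid in N seconds from now.
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Convert a DER-encoded certificate (assumed for a .cer export) to PEM.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# Run every check and print a one-line verdict per property.
check_escrow_cert() {
  cert="$1"
  is_pem_cert "$cert"          && echo "PEM encoding:     ok" || echo "PEM encoding:     FAIL"
  supports_encryption "$cert"  && echo "encryption usage: ok" || echo "encryption usage: FAIL"
  not_expiring_within "$cert" 86400 && echo "validity:         ok" || echo "validity:         FAIL"
}

# Usage: generate a pair into a temporary directory and verify the certificate.
WORKDIR="$(mktemp -d)"
make_escrow_cert "$WORKDIR/escrow.key" "$WORKDIR/escrow.pem"
check_escrow_cert "$WORKDIR/escrow.pem"
```

Upload only the `.pem` certificate to the certificate payload referenced by EncryptCertPayloadUUID; the `.key` file never leaves the machine that will decrypt recovery keys. The script also exercises `openssl x509 -checkend`, which answers the earlier question about whether a certificate has already expired.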