The system cannot find the file specified. 0x80070002 (WIN32: 2)

The REA signing certificate might not be present in the console/DS server’s certificate store. You might have added it using your awsso AD user. Certificates uploaded through MMC by such AD users remain specific to that instance, since these users are not network admin users. Therefore, the private key of the REA certificate uploaded using awsso\shwethan cannot be accessed by airwatchdev\svcscep (network admin).

When adding the REA signing certificate in MMC, make sure you log in as the network admin (airwatchdev\svcscep), then add it to the certificate store and give it proper Network Service access so that other network admin users can also access it. When you provide service account credentials on the CA configuration page in the AirWatch console, you are asking the console/DS server to make a remote call to the server hostname (atl01devcs21 in this case) using these service account credentials.
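One way to verify the store location and private-key access described above, as an added example that is not part of the original notes. It assumes the certificate belongs in the LocalMachine\My store and uses a placeholder thumbprint; the parameter names and the `-Grant` switch are illustrative.

```powershell
# Added example, not from the original notes. Run elevated on the console/DS server.
# Assumptions: placeholder thumbprint; certificate expected in LocalMachine\My.
param(
    [string]$Thumbprint = '<REA-SIGNING-CERT-THUMBPRINT>',  # placeholder value
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE',
    [switch]$Grant                                          # add Read access if missing
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw 'Certificate not found in LocalMachine\My (imported into a user store instead?).' }
if (-not $cert.HasPrivateKey) { throw 'Certificate is present but has no associated private key.' }

# Opening the key fails here when the key file belongs to another user's profile.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch {
    throw "Private key cannot be opened by the current user: $($_.Exception.Message)"
}
if (-not $rsa) { throw 'Certificate does not carry an RSA private key.' }

# Key file name for CNG or legacy CSP keys; look in both machine key folders.
$name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$file = 'Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys' |
    ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $name } |
    Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $file) { throw "Key file '$name' is not in the machine key folders." }

# Does the account already hold an Allow entry that includes Read?
$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl -Path $file
$hasRead = [bool]($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
})

if (-not $hasRead -and $Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
    $hasRead = $true
}

[pscustomobject]@{ Subject = $cert.Subject; KeyFile = $file; Account = $Account; HasRead = $hasRead }
```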

Object reference not set to an instance of an object

In this case, the CA server was receiving the certificate request (you can always check this by logging in to the CA server and checking its Failed Requests), but the request failed because the policy module denied it. This happens either because the LDAP forest referrals are not set (Step 1 of CA server) or because the user domain used is not correct or not associated with the CA server.

Looking at ‘Issued certificates’ on the CA server, it was clear that only requests from the Airwatchdev domain are processed and awsso domain requests are rejected (the atl01devcs21 CA is synced only with the Airwatchdev AD, not with awsso). Therefore, we changed the directory mapping on the LGs to Airwatchdev and used users from this domain for enrolling devices. The profile lands on the device with the correct client certificate for REA.