Use the SSL pinning certificate tool when notifications are not delivered to the devices. The tool is used only for troubleshooting and is not a mandatory step during installation. The following error message appears in the ENS logs while posting notifications to CNS: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

The following procedure describes the steps to upload the SSL pinning certificate to the ENS.

Prerequisites

Download the latest certificate from: http://resources.workspaceone.com/view/2hjxzvgkxyf8n738hy7x/en.

Procedure

  1. Click the SSLPinningCertTool shortcut on the ENS server, or navigate to the <ENS_INSTALL_DIR>\Email Notification Service\Tools\SSLPinningCertTool\SSLPinningCertTool.exe file.
  2. Click the Upload CNS Certificate button.
  3. Select the certificate to be uploaded and click Submit.
    If the following screen appears, then the certificate was successfully added to the ENS configuration file. Click OK to continue. After you upload the SSL pinning certificate on the ENS, the tool adds the public key of the certificate to the ENS configuration file. When the ENS posts a payload to the CNS, certificate validation is done against the newly added certificate public key.

    If the following screen appears, then the certificate was successfully added to the resubscription configuration file. After you upload the SSL pinning certificate, the tool adds the public key of the certificate to the resubscription configuration file. When the resubscription mechanism posts a payload to the CNS, certificate validation is done against the newly added certificate public key.

    If the certificate is already present in both configuration files, then the following prompt message appears:

    The pinning certificate upload process works as follows:

    • The SSL pinning certificate tool uploads the certificate to the ENS configuration file only if the provided certificate is not already present in that file. If the certificate is already present, the tool does not display a message and continues by uploading the same certificate to the resubscription configuration file.
    • The SSL pinning certificate tool adds the certificate to the resubscription configuration file only if the provided certificate is not already present in that file. If the certificate is already present, the tool does not display a message to the user.
    • If the certificate is added to the resubscription configuration file, then restart the AirWatch Resubscription Mechanism service in the Services tab.
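
Before uploading, it can help to confirm that the downloaded certificate carries the same public key that the CNS endpoint presents, since validation is done against that key. The following script is an added example, not part of the ENS product or its documentation. The `-CnsHost` value, the port, and the function names are assumptions, and it assumes the pinned certificate is the server certificate that the endpoint itself presents.

```powershell
# Added example, not part of the ENS product. Run in PowerShell 5.1 or later on the ENS server.
param(
    [Parameter(Mandatory)] [string] $CertPath,  # certificate from the Prerequisites step
    [Parameter(Mandatory)] [string] $CnsHost,   # placeholder: CNS host name of your deployment
    [int] $Port = 443                           # assumption: HTTPS on the default port
)

function Get-PublicKeyHash {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # SHA-256 over the raw public key bytes. The value stays the same when a
    # certificate is reissued with the same key pair, unlike a whole-certificate thumbprint.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($Cert.GetPublicKey())) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Get-PresentedCertificate {
    param([string] $HostName, [int] $Port)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented: this stream only reads the certificate
        # for inspection and never carries application data.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

$downloaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertPath).Path)
$presented  = Get-PresentedCertificate -HostName $CnsHost -Port $Port

# One row that shows both certificates side by side and whether their keys agree.
[pscustomobject]@{
    DownloadedSubject = $downloaded.Subject
    DownloadedExpires = $downloaded.NotAfter
    PresentedSubject  = $presented.Subject
    PresentedExpires  = $presented.NotAfter
    PublicKeyMatch    = (Get-PublicKeyHash $downloaded) -eq (Get-PublicKeyHash $presented)
}
```

Under the assumption above, a `PublicKeyMatch` of `False` means the downloaded file does not contain the key this endpoint presented, so check that you have the latest certificate before running the upload tool.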