CNS certificates will expire on February 14, 2022. Omnissa Cloud Operations will be renewing this certificate on February 10, 2022. This article outlines how On-Premise deployments of Email Notification Service (ENS) will receive this update.

Here’s how to recognize if certificates were auto-installed correctly and what to do if you get an error.

Ensure that you are able to reach following URL from ENS server: https://awtrustdiscovery.awmdm.com/autodiscovery/HostRegistry.aws?URL=cns.awmdm.com. If there are any firewall rules preventing from accessing this URL, they should be removed.

The AirWatch AutoDiscovery Checker service will automatically perform required updates. Ensure service is running correctly.

 
Next, review logs for this service at \{ENS installation directory}\Email Notification Service\Services and ensure you are able to see you are able to see the following log statement(s) without errors:  New Certificate Added Successfully



As a final step review \{ENS installation directory}\Email Notification Service\Website\web.config file and ensure that at least 10 pinnedCertificate elements listed under <pinnedCertificates> section.

Troubleshooting

AutoDiscoveryChecker.log file error(s)

Possible Errors:

• Error while searching for public key in existing config file
• Error occurred while updating config File
• Exception while getting latest cert from auto discovery

These errors will be displayed if

• https://awtrustdiscovery.awmdm.com/autodiscovery/HostRegistry.aws?URL=cns.awmdm.com is not reachable.
• If the error is a result of a temporary network failure, the service should attempt to connect to the endpoint again after 24 hours.
• ENS server is configured behind a reverse proxy, or if outgoing traffic is going through a proxy. If this is the case the auto discovery service will not go through that proxy and firewall rules should be updated to allow IP address 192.30.68.111 for the ENS auto discovery service to be able to reach http://awtrustdiscovery.awmdm.com/autodiscovery/HostRegistry.aws?URL=cns.awmdm.com.

Possible Workaround 

SSLPinningCertTool

To add new certificates to ENS, refer to Troubleshooting SSL Errors section for the Config tool usage instructions.

Manual Update

When faced with an inability to change the IP address allow list or if excessive errors are present, the following workaround can be applied to update the public CNS certificates.
Perform the steps below for Web.config and ReSubscriptionMechanism.config files:

1. Navigate to ENS installed directory and open Web.config and ReSubscriptionMechanism.config files.
2. Search for pinnedCertificates section
3. Add pinned Certificate as mentioned below with the new publicKeyString <pinnedCertificates>
   Note: Make sure all below public key strings are present in the pinnedCertificates section of both the config files.

   <pinnedCertificates>
       <pinnedCertificate publicKeyString = "3082010A0282010100EC24C465088D28F71D8CB580D284EC45F4E504B7D0381E2F9A58179F315E6B6A3520BE8B4A31662E10D7ECEBDCE05267E2D76F4907C55905BFA77489886B96A67070FDF224E7792B5300DEB8B7A7893FC3A9856DC8AFF6903A68F9578ECD35822A487F2721D4416A8F233E689111E04B0F49E4B666DACE88A9D591DFB83107986B1EB13F0E51574A7BDC3075E303300B83F8C938C66068C0023FB03F38D42C808643BCC93EEFF6E4B0C4844A06C1A13A3F10AFDDAA55A5B18AE96AAE893B7655D8B83C743323207A10C123CABD7DE6B6C80E6942CF767CCC109D608E14328B269CC7B8E33260A21117EEF0397AB4B719E63F81C8CC13916DE4ADB2AB59680C0F0203010001"/> 
       <pinnedCertificate publicKeyString = "3082010A0282010100C4664D435554D59AA1B7B79130D59EA5304DB1D83DBEA0F3D71253B94AA26BB8D41D324B9A9C223E7149FDC1FBCAA908E447993642E886EC75C0D076EB8E1D5A437192C695FD3A4BEE079866D92BDC9EB1A4B5C1B77B5F9902ED8279AE888E18279C7798E2E03355AA57236E62F8D0582E719566C2C64CC69F7EC14930CB3C034E2A1C9F6145489B26E868DF5CC46A4B0A7387D4D6998A43C5B1C45EAD0BDD9388685FAF9D73235275625EB9F7CF0B1FB8D2ED9B64A314BE9930CF4D62488485DD96033B1A6C9751948096AA54F106731B0306B0D5D8EE159C15755266AA95BD9A08ABADEFCB1707B1010E551C711DE0F8123FE88BF5F256CD16E2253E43FBF30203010001"/> 
       <pinnedCertificate publicKeyString = "3082010A0282010100CFAA53F2178DF86938F71D0AB63CCB8EA3C02D6F0B9C43FA7F34ABDAA5DFBA1505203826B5B1C77791F44F6E62FF6D3AD4958749AD7F1A3270104A4F5C16F9D16CFBB90952154324797402FE3A0B12F00D29517F2757069EFB294FF32F4DD6B94B37F2FC33224DC561CE8E19F0FFC3F87F8F95C426CEF4C2DB8858FB95CC91D0D183C4B3995D3D5E18ECDC03F33883346C18EBFAD26F838FB3A82990AB31A149603F3965BB9496203836145F210A2663E0A46B6571F08498A777202C7F0E448CAF9789C21198248B4D5B48922D345705743DCE7620CA948F92A30A517317FE8F0F4666C65F173924FF37D22FEF39B92A475ECD299D6B898FB27349A3C4D375DD0203010001"/>
       <pinnedCertificate publicKeyString = "3082010A0282010100ABE8BA0EE8B9677535BB0D52B737DC4CE9CE2BA215920421E0039A8312049A96B626A7BCEAC4A82CEBC02BE8B4DDA1DBD4DF9E04F81B5D4D65C19568A5F189B198C5F71BDEF47E2D9951C9CDC4F4EE68E64DE2CC75D57C5E474ED2675831B51BB643BBAA8481E712723496A2A644C1E17E117C0E77F28F0B52E0F22590242D6D8D8250F4CC98E2998E22B2BA3B3B585444E70D39C9D0CB07FF9AB14770B69C98F99C38F170DD5884AB0FE56B0C84FEEEFC3E9DCF0960AE86C3714472B24BFD0AABDCEBC80560704B56BD4C5D987912C8B9CD1CB418B14B88C0DAB4013C979AA510A81FEE5AA27D00E223B5573AEA32BEC990B877F5E6945AA952416506A823C50203010001"/>    
       <pinnedCertificate publicKeyString = "3082010A0282010100E8C51BC558BFEB631F15957DF81CB0EA4FBE1972C292263F8CFBD457CEE88C344183703EFB179CF760AC7CA31C8A2F2CEBE56D58B55DBAFFBBAF11F8DE1504BE4138C7F4A29413E4921A25124E6D3E5E3B947E09EBD71FF9A4EBBC1002407F23C158A89E150D4AF29B837CE41F6A4E7B72550C7E8A64531746CC268A5A23E9439321983D33312EDF850D39DAAA314663404468CE10D4D1478AE2B7F05362D1996BD6904BCEA77B6B7F8CD6AF6D123C21F441A81FC72002997DA56F3897105E404DEB7947799739847DBCB1310410316BC8050E6712E6453546058ABE312344FABEA20C912B482B832D6FEF236ABFB62AC3DEE3069F0ED48FAA18BA4BC22B44FF0203010001"/>
       <pinnedCertificate publicKeyString = "3082020A0282020100D6CA6A826F404E5D2A6CD9145ACCACA147F5D648903DB8108DEE5B3DEC980F7FD4CFC2D2376A43B088AEA7CB556666D146525597A0CE4D80998DDF867E6D20768F47A44FD9E69893F251A6A95324319F2E86634E68611A9FB9367A7F7980E36102F51F1D847FF9D42D2286F4064E58D61BB9FA3FB8E36B4A80C87EAFFAC2693B7016344430636F4BE111BCDF6191E4EA80707B1BF300A9954750435974DE3DBC3925FD89299B44C9585739A5E79561D636B4C0518CE4B7940783CBA9CCA4584F2909C85797E4FCDDAC2A4161A80D8BF5FD32A04CEAC0B3B0EFEB30D6B20D51A7F9D8663A1C84532BA582B09A47FE6E0E699BA8F2DEF8B16C938F41B549F2B134008B74BE6FE2FC80B9041E2A20D3955839BA87E5C0871EA1E5EC1DE139E88BFEE673D4D9DFFFB600943C52DA51D2ABCAA3E335FD4018F3B1F2348FB38723E27B2AA308037E26FB25EDCCCAB481E28F1D0236172C2D32A5D76FB3BDBD32A6AF5C3F32F791210FFA2209783F344EA72F090AF4C834DCF4AE212CFBCB4D86796F4F2A36504027A64026B358F0EFC9B2F618AD2D7DA0C7183DED132E9D654AA082A24BF5DC02B407C647144652E58DB2F4202CBAE0F6D604D3AEFBECAB9839AE3253AC70AF6BDF0184CF286730261F3C69628268947AA34CC3F7B39D76AB5624E8F770E9AFA82083FD37DC0C77DA2ABD862A866FD3FC2B4CF79C76F21B601975C2990203010001"/>
       <pinnedCertificate publicKeyString = "3082010A0282010100A6B456F6985D4396DC6EBD078FF10DD675CA33518DC1F8290881BB864191014FF77D88C0B3DA28C87FBBEFB6CDCA5376885DBD808704393E76A801B331F62D41CE570B08B51E2DD3764B76D796036CF81375069D3B7C8D406EE6864C0AA86FC87A9216D3ECD4ADB0ECAFE4751D66828E7C5D96FEB66713B88FD7DB139911C7B3836DE0245CB782BAC7356DBAEC66940D19D1BB4E997C27347BC9A4BA0D958D9DC4C204BAA829A4EA9B658A543ACBDD5AE21A1B3D755FEA1633DDC53D0A83992B218ACE3A77EA3368FC0CA2A204113988D94C37C18CB07BF04E53A3387293FF9D2B1F140B2B12F722DEB316AEBF058D8BC9DC29D0517D62E9B9C40523A4A406730203010001"/>
       <pinnedCertificate publicKeyString = "3082010A0282010100D830F1761B2C0D17F6B523028C47125D3C757EC1DB087C3EC5407E3748A576BAF279AEA34C9620D9B3B9F17574335AF64103F9B0792B283346959AD7A9A068108141D63F465E355E06F59BC4C11FD5267CE987A60F7169AF4CBF1C314A757EE5A910ABF4A2FE32208486DCEE065CCD22DD7DC945907D086BADAF0D438F6954369A99BE2FBFA23E18395CCC2D78BE79A5F0416AFD7A75173A8BAB6680B6265C0850B4313D1D5CE906BB80CFAB2F97479479D3960F98763E409AE8DFFD6125ADBAE662D935FA37A05F52C3692FC53BB467B092758AA5ACF7B0D0266A1393465D63422753F7562621508C9DA4ED1D5EC7FB75A46B5FA73EEB59B8921161D20BE1E70203010001"/>
       <pinnedCertificate publicKeyString = "3082010A02820101009C64C66879FAC4590F370145026DE17F7352D07292641C656E608DAFB0D15A8A317E1FC07145E5B9972FC8ECD101881A2100E8277EA7FE15A12083DDFAB232D6137D25F8FB4784ED6EEEE1BFF222F31F256A89D5D1059B1D766B69EEB1FB8A89084B96E15E1C449223E04341D5CF06B32376C3D4DFB74BF2778D99DC56926C6690AFD0313D8C982ACFF6AB3B8B5615C17AEA3740559572E46C2F7CCD915680D1493965D2927448F98CD77B387C1E05F5560C0902E96E6A7B0291EBA95BA1004A6B397F9838C0219357A96DDFD80C178B08FFA11FB04FA4B4D7F4FF486C493F3E971445F90B4C57F07917365518EE66995486A9BCF4C24E2A5844D70DC0EB0C770203010001"/>
       <pinnedCertificate publicKeyString = "3082010A0282010100F0E8684259D1D867F3AC43D3B6F8F70107400CB8FCD6E99FB180A98A5696E2B0B46CD2A9B13BE096C6A3878C50A6BFD9F8CFF29DE30679A132E0358EBE308ACFEFF09BFADCD7A9CD13BFD92A17F85D5C5434A2ABE625CCAEFB8656191DB88978E17D53F5708E12F2ADD666E8CBB6E2D423CCD18004C936843E547DA6422F169FE3AF843BED7597A1672FDB43B0B126FA09F3AAB2480FA157DE8A361CC4CA6FDFBFD1B3BCBA4E089C974C7BA20E69262600C615E97048FBDC600AE42E6476A30D9E17904A8F9AF327184937FC7B5EA3910C0EF0954FEDB233300A5AC559C62F1B79CA0EDCD17F2FE0025D66C7890800788D47BA379C7B7494F53B14900DDD0AED0203010001"/>
       <pinnedCertificate publicKeyString = "3082010a028201010095accf21b6f1253276d7dcffa4282030fc8ff2d7264a170e256a661c060fce354e49e66067212f11e7e5088cab1ac5dbc7487f955e6f6b754e093ec4daf23cc8b7f9534b1b349b999c5c0f0211169a1894922c6599e5cca55e72ab345a17bd308d9aa92b3e28dc4d3aa02ef2995319d6ad21874b67174b3c4c83a090010b68ec291af2c39f5cc936e9b3d074571990362a5f17224eb726bdb447c616ad67011cb63187aa2f4c987e4c12ef866f57f5e2b66dac0f2c0fd09d767207a3f5a0b75f525423dcfbcf846eee3d43e862c7cbbe5e2c0cf17b07a023bdb5b5c1dd5df9e4aeb02e34f45ae63c8ed2a8a20e37b0b9f09c35d26e4ba83556d012ed174671a50203010001"/>
       <pinnedCertificate publicKeyString = "3082010A0282010100CD1D614F28FCF80CED2ECC24792BB704B350CC065F3B564803834A8C038A7A3E8909ED43257848EFFD2168DFA26246B4346CAD99640143BC43D3EC9FA1A675FA0C6E45149D73C02DE13FEFAA8080C8035E0141DEF9AFD1472A962C168C33F04AC4A41D906E7200C5ED7D306E7A30FEEDE477F2216E9E56A840BB76FFC2A5D3C6DDD0ED435DE1CBAF3A058CBE2D224F6B11DC83EEF5248A0C878CE52753950655387C976A6641F0EA68729420C5596664905B3CE2E30F875798672B94D425F3F053CA8760833DED550175FBE1EAB2B7F8EE2515FE4895E4BE194ACF9220B50F08502078EDDBAA5303A1B70178D0D70BD8DC1B8AE5EB3F250A7DA49D1F91A3A0710203010001"/>
   </pinnedCertificates>

4. Save Web.config and ReSubscriptionMechanism.config files
5. Restart the AirWatch Resubscription Mechanism service in the Services Tab
   

More information can be found in our documentation: Troubleshooting SSL Errors.