Cert Config Profile failing "Unable to decrypt encrypted profile"

  • November 20, 2025

SMR1
  • Valued Contributor

We've had an issue twice in the last 2 months, where our wifi configuration profile that installs our certs fails to install. We get the following error "Install Configuration Profile Prod Wi-Fi Unable to decrypt encrypted profile" when desktop enrolls a Mac. Everything else installs correctly with no issues. When we originally had this issue back in August, we had to add the new Jamf IPs to the firewall and that fixed it. We worked with our networking guys yesterday and they couldn't see anything. The issue only lasts a day and it goes back to working. It broke on 11/19 9:30a and started working on 11/20 6a. Very weird issue. I opened a ticket with Jamf.

4 replies

sdagley
  • Jamf Heroes
  • November 20, 2025

@SMR1 Are you using the AD CS or Jamf PKI Proxy proxies to provide a certificate for that Configuration Profile? If so check the proxy logs and see if there’s a corresponding error. The “failed to decrypt” message usually indicates that the certificate request timed out without receiving a response and there was no certificate to inject into the profile. 


garyfraga255
  • Visitor
  • November 21, 2025

Hello ​@SMR1,
It looks like an intermittent network or certificate delivery issue—since other profiles install fine, check firewall/IP allowlists and certificate trust chain; opening a Jamf ticket was the right move.

Best Regards,
Gary Fraga 


SMR1
  • Author
  • Valued Contributor
  • November 21, 2025

@sdagley @garyfraga255 We’re using an ADCS cert in our profile. All the IPs are allowed. Our networking guys couldn’t see anything concerning on the firewall during the time frame it happened. Jamf is still checking stuff but they did provide this error from the server logs. We also have a policy that was running more than usual and the server also had high CPU usage.

2025-11-19T15:51:11,763 [ERROR] [-Pki-Pool-2] [ertificatePayloadInjector] - [JPROCERTS] Failed to get PKI payload certificate
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Problem requesting certificate from ADCS
...
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://ourserver/api/v1/certificate/request": Read timed out


sdagley
  • Jamf Heroes
  • November 21, 2025

@SMR1 Look at the logs on your ADCS proxy, and the AD CS server itself to see if there were requests with errors matching the timestamp in your Jamf Pro server logs.
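
One way to prepare the timestamp matching suggested in the last reply, as an added example that is not part of the thread and not Jamf tooling: it pulls every `[JPROCERTS]` failure and its innermost cause out of a Jamf Pro server log and merges them into time windows to search for in the AD CS proxy and AD CS server logs. The function names, the 15-minute grouping gap and the 2-minute padding are assumptions, and only the first sample entry comes from the excerpt posted above; the rest is constructed.

```python
import re
from datetime import datetime, timedelta

# Sample input: first entry is the excerpt posted in the thread,
# the remaining entries are constructed for this example.
SAMPLE_LOG = """\
2025-11-19T15:51:11,763 [ERROR] [-Pki-Pool-2] [ertificatePayloadInjector] - [JPROCERTS] Failed to get PKI payload certificate
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Problem requesting certificate from ADCS
...
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://ourserver/api/v1/certificate/request": Read timed out
2025-11-19T15:53:40,120 [INFO ] [-Pki-Pool-1] [SomeOtherLogger] - unrelated entry
2025-11-19T15:58:02,004 [ERROR] [-Pki-Pool-1] [ertificatePayloadInjector] - [JPROCERTS] Failed to get PKI payload certificate
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://ourserver/api/v1/certificate/request": Read timed out
2025-11-19T19:20:45,500 [ERROR] [-Pki-Pool-2] [ertificatePayloadInjector] - [JPROCERTS] Failed to get PKI payload certificate
Caused by: java.net.ConnectException: Connection refused
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}),\d{3} \[(\w+)\s*\]")
MARKER = "[JPROCERTS] Failed to get PKI payload certificate"

def pki_failures(log_text):
    """Return [(timestamp, root_cause)] for each failed certificate request."""
    failures, current = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:  # a new log entry starts; stack-trace lines belong to the previous one
            current = None
            if m.group(2) == "ERROR" and MARKER in line:
                current = [datetime.fromisoformat(m.group(1)), "unknown"]
                failures.append(current)
        elif current and line.startswith("Caused by:"):
            # the last "Caused by:" seen is the innermost cause; keep its message only
            current[1] = line.rsplit(": ", 1)[-1].strip()
    return [tuple(f) for f in failures]

def search_windows(failures, gap=timedelta(minutes=15), pad=timedelta(minutes=2)):
    """Merge failures closer than `gap` into windows, padded for clock skew."""
    windows = []
    for ts, cause in sorted(failures):
        if windows and ts - windows[-1]["last"] <= gap:
            windows[-1]["last"] = ts
            windows[-1]["causes"].add(cause)
            windows[-1]["count"] += 1
        else:
            windows.append({"first": ts, "last": ts, "causes": {cause}, "count": 1})
    return [(w["first"] - pad, w["last"] + pad, w["count"], sorted(w["causes"])) for w in windows]

if __name__ == "__main__":
    for start, end, n, causes in search_windows(pki_failures(SAMPLE_LOG)):
        print(f"{start} .. {end}  failures={n}  causes={causes}")
```

The Jamf Pro, proxy and AD CS hosts may log in different time zones, so convert the windows to each server's local time before searching its logs.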