On the PKI Client, upon successful enrolment or renewal, two default Post Processing Scripts are triggered:

• InstallCA.signed.bat

• RegisterFireFox.signed.bat
    

All Post Processing Scripts are signed by Magnum’s Policy Signer certificate to ensure none of them have been tampered with. If a profile is configured with any Post Processing Scripts, e.g., Outlook Configuration, these are triggered immediately after a successful certificate enrolment or renewal.

Whenever the Policy Signer certificate is renewed or changed, we might encounter errors while the post-processing scripts are being executed, as depicted in the screenshots below.
These errors do not impact the certificate installation process; the certificate installation in the keystore will proceed as intended. However, the post-processing steps will fail because of a signature mismatch.

We could not configure your certificate to support your online services. 
Contact your administrator for help. 
cAuth-SSP-PKIC-AD-14May2024
Error: 8 The post-processing script is invalid. 

We could not configure your certificate to support your online services. 
Contact your administrator for help. 
CAuth-ECode-PKIClient 
Error: 12 An error occurred during post-processing.
 

When the Policy Signer certificate is renewed or changed, we need to do the following:

• Update the post-processing scripts, which are configured on the MPKI8 profile level.
• Replace the default post-processing scripts located on the end user’s machine. These scripts are located on the end user’s machine where the PKI Client is installed.
  Example: “C:\Program Files (x86)\DigiCert\PKI Client\BERETTA“

The Magnum Policy Signer certificate was updated in our Production environment on 13th Aug 2025 PST; therefore, we need to follow the steps below:

1. For the default Post Processing scripts, we need to replace the script files, located in the same folder where the PKI client is installed, via GPO or any MDM solution.
   
   
   • The updated script files signed by the new Policy Signer:
     • InstallCA.signed.bat
     • RegisterFirefox.signed.bat
        
2. For the Custom Post Processing Scripts, which are configured at the Profile Level, the Magnum Admin has to re-upload the same script and associate the newly uploaded script with the target profiles.
   
   
   • The uploaded script file can be downloaded from the MPKI8 portal. The Admin needs to remove the lines, save it on their system, and upload the amended file again: