

surfincow

GetSSLCertificateContext failed with error 0x87d00283 | Certificate [Thumbprint xxxxx] issued doesn't have private key or ca


Hello,

 

Having yet another strange thing pop up with the new ConfigMgr.

 

This appears to be a new issue that hasn't always been there. I had previously installed the client on a few machines without any problem. Now, I'm consistently finding any machine I try to install the client on receiving this error: Certificate [Thumbprint xxxxx] issued to 'computername.domain' doesn't have private key or caller doesn't have access to private key.

 

I've found a few topics on this:

-https://www.windows-noob.com/forums/topic/6607-ccmsetup-failed-with-error-code-0x87d00283/

-https://www.bibble-it.com/2012/10/14/sccm-2012-client-deployment-fails-in-https-mode

 

There are more, but these two seem the most relevant. The 1st link looks like it deals more with Windows XP but I went ahead and checked the permissions on the keys and there are no permission issues. System and administrators have full control.

 

I'm pretty much stuck and don't have any idea what might have caused this. The installation is all https so certificates must work.

 

Here is the section of the logs where the errors are shown:

 

The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'. 3/18/2016 11:12:11 AM 8816 (0x2270)
1 certificate(s) found in the 'MY' certificate store. 3/18/2016 11:12:11 AM 8816 (0x2270)
Only one certificate present in the certificate store. 3/18/2016 11:12:11 AM 8816 (0x2270)
Begin validation of Certificate [Thumbprint xxxxx] issued to 'computername.domain' 3/18/2016 11:12:11 AM 8816 (0x2270)
Certificate [Thumbprint xxxxx] issued to 'computername.domain' doesn't have private key or caller doesn't have access to private key. 3/18/2016 11:12:11 AM 8816 (0x2270)
Completed validation of Certificate [Thumbprint xxxxx] issued to 'computername.domain' 3/18/2016 11:12:11 AM 8816 (0x2270)
GetSSLCertificateContext failed with error 0x87d00283 3/18/2016 11:12:11 AM 8816 (0x2270)
GetHttpRequestObjects failed for verb: 'GET', url: 'https://configmgr.domain/CCM_Client/ccmsetup.cab' 3/18/2016 11:12:11 AM 8816 (0x2270)
DownloadFileByWinHTTP failed with error 0x87d00283 3/18/2016 11:12:11 AM 8816 (0x2270)
CcmSetup failed with error code 0x87d00283 3/18/2016 11:12:11 AM 10828 (0x2A4C)

 

 

I am able to browse to the https port on the configmgr server (2012R2).

 

Any thoughts on where to begin troubleshooting? Clients are both Windows 7 and 10.

 

 

 

Thanks

 

 


OK I believe this is fixed. The problem was with the client authentication certificate template compatibility set to 2008 rather than 2003.

 

We just did a PKI upgrade and the original templates were to be copied "as is" to the new CA, so I had assumed this had been done. After further checking I noticed this was not the case. When the client registration was working using PKI it was actually using the old client authentication certificate from the old CA rather than the new since it was unable to view the private key. When I tried to install the client on brand new machines (that did not have the old CA client auth. certificate) it failed.

 

After re-creating the template with the correct compatibility this problem has gone away.

 

 

Thanks!
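
A way to check for the condition described in this thread on a client, as an added example that is not part of the original posts. It assumes an elevated Windows PowerShell 5.1 session and relies on the fact that Windows Server 2008 compatibility (version 3) templates store keys in a CNG key storage provider, which the ConfigMgr 2012 client cannot open, while Windows Server 2003 compatibility templates use a legacy CSP.

```powershell
# Added example, not from the thread. Run elevated in Windows PowerShell 5.1.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$templateOid   = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Does the certificate carry the Client Authentication EKU?
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $isClientAuth = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }))

    # Template name and version as recorded by the issuing CA (absent on v1 templates).
    $tplExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $template = if ($tplExt) { $tplExt.Format($false) } else { '(no template extension)' }

    # On .NET Framework the PrivateKey getter only opens legacy CSP keys; it throws
    # for keys held in a CNG key storage provider or when access is denied.
    $keyStorage = 'no private key'
    if ($cert.HasPrivateKey) {
        try {
            $keyStorage = 'CSP: ' + $cert.PrivateKey.CspKeyContainerInfo.ProviderName
        } catch {
            $keyStorage = 'not readable as CSP key: ' + $_.Exception.Message
        }
    }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        ClientAuth    = $isClientAuth
        HasPrivateKey = $cert.HasPrivateKey
        KeyStorage    = $keyStorage
        Template      = $template
    }
} | Format-List
```

A client authentication certificate that reports `HasPrivateKey = True` but whose key is not readable as a CSP key matches the log message quoted in the first post; the `Template` field shows which template the CA used to issue it.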
