TeachMeSCCM Posted September 17, 2021 (edited)
I have it set to the SMS cert on both. You can see it gets the SMS cert. But it does the Regtask forever and never registers the client, so it installs and shows Client Certificate None.
SCCMentor Posted September 17, 2021
Do you have a cert called SMS Role SSL Certificate? This is generated when enabling eHTTP and is automatically bound to IIS. If you were running full PKI previously it's possible that hasn't been set (I've seen this happen before where the SMS Role SSL Cert doesn't get generated due to an old PKI cert).
Check for the cert in your certlm.msc console on the server running the MP.
Note also that the errors you have in the clientidmanagerstartup and cert maintenance logs - I get these also in my eHTTP site. I've noticed that the ConfigMgr applet doesn't have all the tabs and that the clientidmanager log still reports registration pending.
Does the client complete registration? Hard to know when we are working off screenshots.
Cheers
TeachMeSCCM Posted September 17, 2021 (edited)
So I only have this on my 2nd host; my 1st main host does not have this.
^^THIS IS MY 02
When I select it I get this message. I don't get any other messages with my other certs, and yes, I did try to get PKI to work but was not able to.
> Does the client complete registration? Hard to know when we are working off screenshots.
Yes, it shows up in my SCCM console but shows Client None.
^^This is my 01
I had created these PKI and IIS in the past by importing them for the MMC; this is on me, I was trying to fix this on my own; I'm still trying to figure out how to get this right. Thanks so much for all the help so far. I really appreciate it.
SCCMentor Posted September 17, 2021
OK this will be potentially the problem then.
So remove eHTTP by unchecking the box.
Set the IIS SSL cert to 'Not selected'.
Keep an eye on the sitecomp and mpcontrol logs and ensure they complete removing eHTTP - just watch them until they stop churning over.
Reenable the check box.
Watch the sitecomp log again, keep an eye out for 'Detected change in SSLState for client settings'.
Then check back in certlm.msc for the SMS Role SSL Certificate cert in the personal store and then see if it's bound to IIS.
At that point, restart the ccmexec services on the endpoint and see what the clientidmanagerstartup log does. Does it get a 'Retrieved Certificate options successfully' entry and then check for cert?
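
A scripted version of the server-side check described in the post above (certificate present in the personal store, then bound to IIS), as an added example that is not part of the original thread. It assumes the name given in the thread is the certificate's friendly name and that the IIS WebAdministration module is available on the server running the MP.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the server hosting the MP.
# Assumption: the name used in the thread is the certificate's FriendlyName.
Import-Module WebAdministration

$friendlyName = 'SMS Role SSL Certificate'

# 1. Is the certificate in the local computer's Personal store (the view certlm.msc shows)?
$roleCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })

if ($roleCerts.Count -eq 0) {
    Write-Warning "No certificate with friendly name '$friendlyName' in LocalMachine\My."
} else {
    # NotBefore shows when the certificate was issued, which helps judge whether it
    # was generated after eHTTP was re-enabled or is an older or imported one.
    $roleCerts |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, HasPrivateKey |
        Format-List
}

# 2. Which certificate does each IIS HTTPS binding actually use?
$roleThumbprints = @($roleCerts | ForEach-Object { $_.Thumbprint })

Get-WebBinding -Protocol https | ForEach-Object {
    $hash  = $_.certificateHash
    $store = if ($_.certificateStoreName) { $_.certificateStoreName } else { 'My' }
    $bound = if ($hash) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $hash } |
            Select-Object -First 1
    }
    [pscustomobject]@{
        Binding       = $_.bindingInformation
        Thumbprint    = $hash
        FriendlyName  = $bound.FriendlyName
        NotAfter      = $bound.NotAfter
        IsSmsRoleCert = [bool]($hash -and ($roleThumbprints -contains $hash))
    }
} | Format-Table -AutoSize
```

A binding row with an empty thumbprint, or with `IsSmsRoleCert` false, means the HTTPS binding is not using the certificate the thread is looking for.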
TeachMeSCCM Posted September 17, 2021
@SCCMentor Those screenshots are so helpful! I went in and found that SMS cert I needed. I added it to the IIS and I have been manually adding them in. I can see this is not the way. I thought as much, as there is no documentation on it.
How can I set the IIS SSL cert to 'Not selected'? Can I just delete it for now?
SCCMentor Posted September 17, 2021
From the list of certs in the IIS binding.
TeachMeSCCM Posted September 17, 2021 (edited)
It won't let me check OK, it's grayed out.
My 02
It makes me have to pick a cert; I was trying to import the cert but this wasn't working for me; makes sense as SCCM is said to create an SMS Role SSL certificate and that isn't happening.
I am doing what you said above. What I did was delete it for now. I'll re-add it once it's created, I guess.
TeachMeSCCM Posted September 17, 2021
I did that; is this normal?
SCCMentor Posted September 17, 2021
Yes that's the cert. Was it generated by Configmgr or did you copy it from the other box?