Jump to content


TeachMeSCCM

Clients not getting self singed certs

Recommended Posts

Do you have a cert called SMS Role SSL Certificate? This is generated by when enabling eHTTP and is automatically bound to IIS. If you were running full PKI previously it's possible that hasn't been set (I've seen this happen before where the SMS Role SSL Cert doesn't get generated due to an old PKI cert)

 

image.png

image.png

image.png

 

Check for the cert in your certlm.msc console on the server running the MP

image.png

Note also that the errors you have in the clientidmanagerstartup and cert maintenance logs - I get these also in my eHTTP site. 

I've noticed that the ConfigMgr applet doesn't have all the tabs and that the clientidmanager log still reports are registration pending. Does the client complete registration? Hard to know when we are working off screenshots.

Cheers

 

Share this post


Link to post
Share on other sites

So I only have this on my 2ed host my 1st main host does not have this.

image.png.e7d6ecab53e5c6f8ec16bdb80ebeca87.png

^^THIS IS MY 02

 

When I select it I get this message. I don't get any other messages with my other certs and yes I did try to get PKI to work but was not able to.

 

 

 Does the client complete registration? Hard to know when we are working off screenshots.

Yes it shows up in my SCCM console but shows Client None.

 

 

image.png.adeade9b11b14d24b169d1bff2c04a62.png

^^This is my 01

I had created these PKI and ISS in the past by importing them for the MMC; this is on me I was trying to fix this on my own; I still trying to figure out how to get this right. Thanks so much for all the help so far. I really appreciate it.

Edited by TeachMeSCCM

Share this post


Link to post
Share on other sites

OK this will be potentially the problem then. 

So remove eHTTP by unchecking the box. 

image.png

Set the IIS SSL cert to 'Not selected'

Keep an eye on the sitecomp and mpcontrol logs and ensure they complete removing eHTTP - just watch them until they stop churning over.

Reenable the check box.

Watch the sitecomp log again, keep an eye out for 'Detected change in SSLState for client settings'

Then check back in certlm.msc for the SMS Role SSL Certificate cert in the personal store and then see if it's bound to IIS.

At that point, restart the ccmexec services on the endpoint and see what clientidmanagerstartup log does. Does it get an 'Retrieved Certificate options successfully' entry and then check for cert?

 

Share this post


Link to post
Share on other sites

@SCCMentor

Those screen shots are so helpful

I went in and found that SMS cert I needed I went I added it to the IIS and I have been manually adding them in. I can see this is not the way.

I thought as much as there is no documentation on it 

 

How can I Set the IIS SSL cert to 'Not selected' can I just delete it for now?

Share this post


Link to post
Share on other sites

It won't let me check OK it's grayed out

image.png.e23b310c1ea61fb5b221f83f3cb9dbbd.png

 

My 02

image.png.7a47aeb9907102c8971ed4453b3e002b.png

It makes me have to pick a cert; I was trying to import the cert but this wasn't working for me; makes sense as SCCM is said to create a SMS Role SSL certificate and that isn't happening 

I am doing what you said Above what I did was delete it for now. I'll re add it once it's created I guess.

Edited by TeachMeSCCM

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.