SMS Enrollment failed to read certificate

  • Question

  • Trying to configure certificates on SCCM 2012 (1606) and finding the excerpt below in my CertMgr.Log. None of my clients are currently talking, and while I'm able to install new agents, they do not register. I followed the guides on TechNet, and went back through my steps with the guide from prajwaldesai.com, but I'm not finding the culprit. IIS has the intranet SSL cert configured and it shows a 'happy' encryption config when I test it via IE. Any thoughts?

    Log Excerpt:

    Updated the certificate in the database 3  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:25:39.987+480><thread=6128 (0x17F0)>
    InitializeMPCertificate() - Successfully Handled signing cert (SysResUseID = 3) update or insert.  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:25:39.994+480><thread=6128 (0x17F0)>
    servers will be polled in 82 seconds...  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:25:40.003+480><thread=6128 (0x17F0)>
    Detected a change to the "F:\Program Files\Microsoft Configuration Manager\inboxes\certmgr.box" directory.  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:25:41.728+480><thread=6128 (0x17F0)>
    ~Found notification file F:\Program Files\Microsoft Configuration Manager\inboxes\certmgr.box\21_sccmSvr.hiddenname.org.CMN  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:25:41.735+480><thread=6128 (0x17F0)>
    CertManagerUtility::SwapCertificates for role (SMS Enrollment Web Site) on server (sccmSvr.hiddenname.org)  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:25:41.747+480><thread=6128 (0x17F0)>
    Found intranet FQDN (sccmSvr.hiddenname.org) of server (sccmSvr.hiddenname.org).  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:25:41.758+480><thread=6128 (0x17F0)>
    Failed to read certificate, will retry in 30 seconds.  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:25:41.765+480><thread=6128 (0x17F0)>
    Failed to read certificate, will retry in 30 seconds.  $$<SMS_CERTIFICATE_MANAGER><01-30-2017 08:26:11.772+480><thread=6128 (0x17F0)>

    Monday, January 30, 2017 4:40 PM

All replies

  • "Trying to configure certificates"

    Do you mean that you are trying to configure HTTPS client communication?

    What exactly have you done so far?

    What system exactly is the above log file from and what roles are on that system?

    Finally, "SCCM 2012 (1606)" makes no sense. 1606 is a build of SCCM/ConfigMgr Current Branch and has nothing to do with ConfigMgr/SCCM 2012.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, January 30, 2017 6:48 PM