Need to add sha256 root certificate to client computer communication properties

  • Question

  • So we've upgraded our pki infrastructure to support both sha1 and sha256 to manage the transition from sha1 to sha256.  Most AD joined computers of course are still using sha1 but when they auto update over the next year they will be issued a sha256 certificate to meet the January 2017 sha1 deprecation deadline.

    In the server MP_RegistrationManager.log I get

    MP Reg: Client in-band certificate is not valid due to failures in certificate chain validation, Raising status event. Failure HR = 0x800b0109, In-band Cert SubjectName = xxx

    and on the client ClientIDManagerStartup.log

    [RegTask] - Server rejected registration request: 3

    When I try to add the new root cert to administration - site configuration - sites - primary site - client computer communication properties it *replaces* the sha1 cert with the sha256 cert.  I need both root certs to be there

    Thanks

    David

    Friday, December 4, 2015 9:40 AM

Answers

All replies

  • Do I understand correctly that now you have two issuing CAs (the old with sha1 and new with sha256)?

    In that case you can add both CAs as trusted in "client communication properties" page, in the bottom part there is option for this.

    Friday, December 4, 2015 11:32 AM
  • The root CA renewed its certificate (ok this wasn't a requirement since root CA sha1 certs are trusted in any case) but now the single root CA has two active certs, one sha1 and one sha256.  So is the issue that SCCM can't host two certs from the same root CA?

    So two cert chains:

    <rootCAsha1> - <subCAsha1> - <clientsha1> - currently used but will dwindle over time

    <rootCAsha256> - <subCAsha256> - <clientsha256> - all new certs will be issued under this chain

    Friday, December 4, 2015 11:40 AM
  • I didn't find a way to import one CA with different hash algorithms.

    I think omitting trusted CAs is not recommended because all CAs are automatically trusted, but it should work for you.

    • Marked as answer by David b111 Friday, December 4, 2015 5:07 PM
    Friday, December 4, 2015 1:14 PM
  • 0x800b0109 = "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

    At this point, this has nothing to do with ConfigMgr -- this is a trust issue. Whichever cert is being picked is not trusted by the system trying to use the cert. This could be for a couple of different reasons including the root CA not being trusted or the CRL not being available. You'll have to identify the cert being picked and then troubleshoot why it's not trusted.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, December 4, 2015 1:54 PM
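An added diagnostic script for the troubleshooting step in the last reply; it is not code from the thread or from ConfigMgr. It lists every client-authentication cert in the machine's Personal store, builds its chain the way the MP's validation would (online revocation checking), and reports which root it terminates in and whether that root is in the LocalMachine Root store. Because a renewed root CA keeps its subject name but gets a new thumbprint, the comparison is done on thumbprints, not subjects; the EKU OID for Client Authentication (1.3.6.1.5.5.7.3.2) is assumed to be what selects the ConfigMgr client cert.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the client.
# Assumption: the ConfigMgr client cert is the one carrying the Client Authentication EKU.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'

# Thumbprints of every root the machine currently trusts
$trustedRoots = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint

# Candidate client certs: private key present and Client Authentication EKU set
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthEku })
}

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation online for the whole chain, as a server-side validation would;
    # an unreachable CRL then shows up in ChainStatus instead of being silently ignored
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built = $chain.Build($cert)

    if ($chain.ChainElements.Count -eq 0) {
        Write-Warning "No chain could be built for $($cert.Subject)"
        continue
    }

    # Last element is the highest cert found; for a complete chain that is the root
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [PSCustomObject]@{
        Subject        = $cert.Subject
        SigAlg         = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA vs sha256RSA
        NotAfter       = $cert.NotAfter
        TopSubject     = $top.Subject
        TopThumbprint  = $top.Thumbprint                         # differs between the two renewed root certs
        TopSigAlg      = $top.SignatureAlgorithm.FriendlyName
        TopIsTrustedRoot = ($trustedRoots -contains $top.Thumbprint)
        ChainValid     = $built
        # Empty when valid; otherwise e.g. UntrustedRoot, PartialChain, RevocationStatusUnknown, OfflineRevocation
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }

    $chain.Reset()
}
```

A row with ChainStatus of UntrustedRoot or PartialChain and TopIsTrustedRoot false points at the missing root cert; RevocationStatusUnknown or OfflineRevocation points at the CRL availability case mentioned in the reply.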