Renewing CA certificate in our SCCM environment

  • Question

  • Our company will be renewing our Root and Sub CA certificates.  I have PKI implemented in our SCCM environment, and I am looking for info on what needs to be done when the certs are renewed.  The clients are set to automatically renew, so they should not be a problem.  My concern is with my SCCM servers (CAS and 2 Primaries) and distribution sites (several dozen): what will all be needed here?  When they were set up I had to configure IIS to use the cert, and had to export it, so I could apply it when setting up the distribution site.  Do I need to repeat all these settings once the servers have the renewed cert?
    Tuesday, November 17, 2015 2:19 PM


  • You should also renew all of the certs for the site systems and ensure this renewed cert is configured in IIS for them. There's nothing to configure in ConfigMgr itself except adding the renewed cert for the Root CA to the site's settings (on the Client Communication tab) -- assuming that you are using a Microsoft Enterprise PKI that will handle publishing the new CA certs as trusted to all systems in your environment.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Garth Jones MVP Saturday, December 5, 2015 3:56 PM
    • Marked as answer by Frank Dong Monday, December 7, 2015 1:51 AM
    Tuesday, November 17, 2015 2:31 PM
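
One way to verify the two things the answer above calls out (the certificate bound in IIS is the renewed one, and the renewed Root CA cert is trusted on the system), as an added PowerShell example that is not part of the original thread. It assumes it is run locally on each site system with the IIS `WebAdministration` module available; `$NewRootThumbprint` is a placeholder you replace with the thumbprint of your renewed Root CA certificate, and `$WarnDays` is an arbitrary threshold.

```powershell
# Added example: audit IIS HTTPS bindings on a ConfigMgr site system after a CA renewal.
# ASSUMPTION: the thumbprint below is a placeholder, not a real value.
param(
    [string]$NewRootThumbprint = 'REPLACE-WITH-RENEWED-ROOT-CA-THUMBPRINT',
    [int]$WarnDays = 30
)

Import-Module WebAdministration

# 1. Is the renewed Root CA cert present in the machine's Trusted Root store?
$rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $NewRootThumbprint })
Write-Host "Renewed root present in LocalMachine\Root: $rootTrusted"

# 2. For every HTTPS binding, resolve the bound cert and inspect its chain.
Get-WebBinding -Protocol https | ForEach-Object {
    $hash  = $_.certificateHash
    $store = if ($_.certificateStoreName) { $_.certificateStoreName } else { 'My' }
    $cert  = if ($hash) {
        Get-Item "Cert:\LocalMachine\$store\$hash" -ErrorAction SilentlyContinue
    }

    if (-not $cert) {
        # Binding points at a cert that is missing from the store (or has none).
        [pscustomobject]@{ Binding = $_.bindingInformation; Status = 'NO CERT FOUND' }
        return
    }

    # Build the chain without revocation lookups so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Binding        = $_.bindingInformation
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        ExpiresSoon    = ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
        ChainBuilds    = $chainOk
        ChainsToNewRoot = ($top.Thumbprint -eq $NewRootThumbprint)
    }
} | Format-List
```

A binding that reports `ChainsToNewRoot : False` is still using a certificate issued under the old CA chain and needs the renewed site system cert selected in IIS.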