Hi @jeanne laird , From your description, it seems you are configuring a software update point to use TLS/SSL with a PKI certificate. we request web server certificate for Configuration manager used to encrypt data and authenticate the server to client. We also use GPO to auto enroll the client certificate for windows computers which is used to authenticate Configuration Manager client computers to site systems. After the client certificate is installed, we get the 0x800b0109 error which indicates the root CA certificate is not installed on these clients. If there’s any misunderstanding, feel free to let us know.
In fact, to make the client certificate work, the CA certificate is also needed to install on the windows client computer to ensure the client certificate is published via a trusted CA. For example, if there’s only one Enterprise Root CA in your environment, we need to install the Root CA certificate to “Trusted Root Certification Authorities” store. If there’s any intermediate CA in your environment as well, we also need to install these CA certificate into “Intermediate Certification Authorities” store. (The following is a certificate published from a PKI environment with two CAs)
I notice you have resolved the error by manually installing the Root CA certificate into the “Trusted Root Certification Authorities” store. It seems our environment is only with one Enterprise Root CA. Then we just need to install this one on all the windows clients.
To deploy the Root CA certificate to some windows client devices, we can do it via GPO. We can configure a GPO, set Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, import the Root CA certificate. Then link the GPO to the OU or the domain the devices belongs to. Here is a link with the detailed steps to configure the GPO for your reference:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policy
Meanwhile, I notice you have question with duplicate CA certificate. Based as I know, the Root CA certificate we export via Client computer or Root CA is the same. So I think import multi times will not have any impact.
In addition, to know more about PKI certificate, here is a link you can read to get more information.
https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_overview2008
Hope the above information can help.
Best regards,
Cherry
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.