This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 75%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
hi guys, i have just installed SCOM 2019 fresh. while trying to download management pack
i am getting security certificate issue. the server behind a proxy but it doesn't need a proxy configuration detail as all the traffic are captured irrespective of proxy setting mentioned. i can still click continue and proceed. but would like to resolve this pop error message. the root certificate is already imported by default. but still the error is not resolved. your help is appreciated.
Hi,
Like the error message states, I would verify that:
What actually happens is when downloading the management packs from the Operations Console, is SCOM is performing a web service call to the following URL:
https://www.microsoft.com/mpdownload/ManagementPackCatalogWebService.asmx
The web site can be behind many IP addresses, more information mentioned here:
https://www.catapultsystems.com/blogs/tips-and-tricks-opsmgr-2012-sp1-what-web-service-url-ip-and-ports-does-the-management-pack-catalog-web-service-call/
If the certificate is fine and trusted, you could try setting the web service URL as a trusted site in Internet Explorer.
(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Best regards,
Leon
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Saravanan Balasubramanian For our issue, please check the port 443 is open. Secondly, please make sure the following URL must be allowed by your firewall - https://www.microsoft.com/mpdownload/ManagementPackCatalogWebService.asmx
We can see more details in the following link:
https://learn.microsoft.com/en-us/system-center/scom/plan-security-config-firewall?view=sc-om-2019
After researching, I find a similar issue with us. we can try the suggestions in the following link to see if our issue can be fixed:
https://social.technet.microsoft.com/Forums/systemcenter/en-US/79b0640c-1b1a-4252-9b68-c5ff08fa2a01/security-certificate-problem?forum=operationsmanagergeneral
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Saravanan Balasubramanian How are things going? I am writing to see if the suggestion is tried. If there's any update, feel free to let us know.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
I would say your company's proxy is doing Deep Packet Inspection, which requires it to replace the original MS certificate by one created for the Proxy.
This is likely what you are witnessing here.
So maybe you didn't properly import the root cert, or maybe MS implemented some kind of additional security such as Certificate Pining which will prevent SCOM from trusting the certificate even if you imported the proxy's root cert.
What I would do here is ask the proxy admin to allow outbound queries to that URL without inspecting them...