SCCM_CMG - Client Authentication not working from PKI Cert

Anmol Singh 1 Reputation point



SCCM CB v1910
Standalone Primary Site
One CMG Setup configuration completed and the connection analyzer shows everything OK.
On the Communication settings of the Primary Site, HTTP or HTTPS mode is selected as shown below.
Trusted Root Certification Authorities: The domain Root Cert is expired and it cannot be renewed, so we have used a Third Party PKI Root Cert, which is present in the cert store of the test machines under the folder Trusted Root Certification Authorities. There is no intermediate cert for this Root Cert.

PS Communication Settings


Issue description:

While testing the HTTPSReadiness on our test machines, the HTTPSReadiness.log shows this:



It seems that the provided Third Party PKI Trusted Root Cert is parsed but it is not identified or picked by the SCCM algorithm.
A similar log is written in ClientIDStartupManager.log.

Does anyone know why this cert is not picked by SCCM for authenticating the client for HTTPS Readiness?


1 answer

  1. AlexZhu-MSFT 4,361 Reputation points Microsoft Vendor


    Thank you for the detailed description and the screenshots. For the CMG certificate, we may have something to check, for example, the purpose should contain server authentication, the service name, the deployment name, etc.

    For the requirement, we may read through this article.

    Here's also a nice video from a former Sr PFE at Microsoft and we can follow this to check every single step to check if we miss anything.
    Note: this is just for your reference.

    Hope the above information helps.

    If the response is helpful, please click "Accept Answer" and upvote it.
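
Added example, not part of the original thread or of Configuration Manager: a PowerShell check that lists each certificate in the computer's Personal store with the properties this thread turns on (validity, private key, Client/Server Authentication purpose, and which root the chain ends at). It assumes the client certificate lives in `Cert:\LocalMachine\My`; `$ExpectedRootThumbprint` is a placeholder for the third-party root's thumbprint, and the script does not reproduce the client's own selection logic.

```powershell
# Added example. Run in an elevated PowerShell 5.1+ session on a test client.
# $ExpectedRootThumbprint is a placeholder (assumption): set it to the thumbprint of the
# third-party root that was configured on the site.
param(
    [string]$ExpectedRootThumbprint = '<THUMBPRINT-OF-THIRD-PARTY-ROOT>'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # EnhancedKeyUsageList is added by the PowerShell certificate provider.
    # An empty list means the certificate carries no EKU restriction.
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Build the chain against the machine trust stores; revocation is skipped so the
    # check also works on an isolated test machine.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # The last chain element is the root the chain terminates at (if any was found).
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey
        InValidity     = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        ClientAuthEku  = ($ekuOids -contains $clientAuthOid)
        ServerAuthEku  = ($ekuOids -contains $serverAuthOid)
        ChainBuilds    = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        RootSubject    = $root.Subject
        RootIsExpected = ($root.Thumbprint -eq $ExpectedRootThumbprint)
    }
} | Format-List
```

A certificate whose `RootIsExpected` is `False`, or whose `ChainStatus` is non-empty, does not chain cleanly to the root named in the question and is worth comparing against the entries in HTTPSReadiness.log.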