SCCM Client Push selecting wrong certificate

Jack Chow 1 Reputation point
2021-05-18T07:16:00.803+00:00

Hello. I had one primary site server running 1903 set up using site code "S01". I have just migrated the data from the 1903 site on 2012 R2 to a 2103 site "S02" on a 2019 server. Also, I have upgraded the certificate server from SHA1 to SHA2 recently. After the migration and setup were complete, we did a client push to three domains: two of them, which are in the same forest, completed the client push successfully, but the remaining domain, which is in a different forest with a forest trust, is still using the SHA1 certificate for the client push and is thus unable to install the client on the member machines in that domain. After deleting the SHA1 certificate on the targeted machine, the client push was successful, but it failed again after adding the SHA1 certificate back. We are not able to delete the SHA1 certificate just yet, so I'd like to ask how I can force the SCCM client to use the SHA2 certificate for client push and make the client push work? Thanks.

Microsoft Configuration Manager

1 answer

Sort by: Most helpful
  1. HanyunZhu-MSFT 1,841 Reputation points
    2021-05-19T06:19:34.357+00:00

    @Jack Chow

    Thanks for posting in Microsoft Q&A forum.

    The certificate selection will follow the criteria specified on the site settings.

    We may be able to configure the "Client certificate selection criteria when more than one certificate is available" in the site setting to manage the certificate selection.

    We can go through this path: CM console > Administration > Site Configuration > Sites > right-click the site and choose Properties > select Communication Security tab.
    And then, modify the Client certificate selection settings.
    For example, as shown in the image below, we are able to require that the subject of the selected certificate contain a string unique to SHA2.
    [Image: 97676-cert.png]

    Hope the above information is helpful to you.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
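Before changing the site's "subject contains string" criterion, it helps to confirm on a target machine which client-authentication certificates that string would actually match. The following PowerShell check is an added example, not code from the thread or from Configuration Manager itself; it assumes a candidate string of "SHA2" and models only the subject-match, validity and Client Authentication EKU parts of the selection logic, not the full ConfigMgr algorithm.

```powershell
# Added example: list client-authentication certificates in the local computer
# store and show which ones a "subject contains string" rule would match, together
# with each certificate's signature hash algorithm (sha1RSA vs sha256RSA).
# Simplified model of the ConfigMgr selection criteria, for checking a candidate
# string before editing the site's Communication Security settings.
param(
    # Hypothetical value: the substring you intend to enter in the site setting.
    [string]$SubjectMustContain = 'SHA2'
)

# OID 1.3.6.1.5.5.7.3.2 = Client Authentication enhanced key usage
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# Candidate certificates: private key present, not expired, Client Authentication EKU
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }

foreach ($cert in $candidates) {
    $sigAlg    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA / sha256RSA
    $ruleMatch = $cert.Subject -like "*$SubjectMustContain*"

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        SignatureAlg = $sigAlg
        IsSha1       = ($sigAlg -match '^sha1')
        MatchesRule  = $ruleMatch
    }
}
```

If more than one certificate shows MatchesRule = True, or the only match is the SHA1-signed one, the candidate string is not unique enough and should be narrowed before it is applied at the site level.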