Hi,
Based on this article from Microsoft, the certificate, which is named SMS Role SSL certificate, is automatically generated. We could go to the Administration workspace, expand Security, and select the Certificates node. Look for the SMS Issuing root certificate and the site server role certificates issued by the SMS Issuing root, and please check that the name is SMS Role SSL certificate or SMS token signing certificate.
Then wait up to 30 minutes for the management point to receive and configure the new certificate from the site. If the certificate is normal, it is not required to import it into the MP.
Do I need to distribute any of these certs to clients at all?
--> Based on my experience, we do not need to distribute these certs.
About the logs, we could check MPcontrol.log and ADALOperationProvider.log.
Here is the related article we could refer to:
https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http#configure-the-site