Change IIS binding MEMCM management point from 3rd party cert (eHTTP)

JG 396 Reputation points
2022-04-07T11:43:48.407+00:00

Previously in v2006 I bound a third party cert to the MP IIS so that I could test BitLocker. My MP is remote from the site server.

Since I've now upgraded to v2111 I had to enable eHTTP. My 3rd party cert expires soon, and the documentation says it uses the "SMS Role SSL Certificate" (but obviously didn't replace the current 3rd party cert), but I only have the "SMS Token Signing Certificate" available. Do I need to export the "SMS Role SSL Certificate" from the site server and import it into my MP, and if so, into what stores?
(The Token Signing cert is located in the Trusted People and Personal stores on the MP)

Also, this article here: https://www.prajwaldesai.com/enable-sccm-enhanced-http-configuration/ states that I want to add it into my trusted root cert store. Is this required? And if so, is this on the site server?
Do I need to distribute any of these certs to clients at all? Apologies, a little confused. I will be starting testing BitLocker again (MBAM migration) soon so wanted to check everything was OK and eHTTP is still working OK (what logs can I check once I change the cert?)

Many Thanks


Microsoft Configuration Manager

Accepted answer
  1. Amandayou-MSFT 11,051 Reputation points
    2022-04-11T04:03:46.953+00:00

    Hi @JG

    Thanks for your update.

    Please change the environment to http, and in the option of cert binding, kindly select 'not selected', wait a moment, and then use eHTTP, and check if the certificate is normal in site server and MP.



    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
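An added verification script for the step above (written for this thread; not from Microsoft's documentation or the Configuration Manager product), to run on the remote MP after switching back to eHTTP: it lists which site-issued certificates are present in the Personal, Trusted People and Trusted Root stores, warns on any that expire within 30 days (the situation the question describes), reports which thumbprint HTTP.sys actually serves on the HTTPS binding, and pulls recent certificate-related lines from MPControl.log. It assumes the certificate subjects or friendly names contain the names shown in the thread, that the MP's log directory is %ProgramFiles%\SMS_CCM\Logs, and that you run it in an elevated PowerShell session.

```powershell
# Assumption: site-issued certs carry these names in Subject or FriendlyName.
$smsNames = 'SMS Role SSL Certificate', 'SMS Token Signing Certificate', 'SMS Issuing'

function Get-SmsCertificate {
    param([Parameter(Mandatory)][string]$Store)
    Get-ChildItem "Cert:\LocalMachine\$Store" -ErrorAction SilentlyContinue | Where-Object {
        $cert = $_
        $smsNames | Where-Object { $cert.Subject -like "*$_*" -or $cert.FriendlyName -like "*$_*" }
    } | Select-Object @{ n = 'Store'; e = { $Store } }, Subject, FriendlyName,
        @{ n = 'Thumbprint'; e = { $_.Thumbprint.ToUpper() } }, NotAfter, Issuer
}

# 1. Which site-issued certs exist on this box, and in which stores?
$certs = foreach ($store in 'My', 'TrustedPeople', 'Root') { Get-SmsCertificate -Store $store }
if (-not $certs) { Write-Warning 'No SMS-issued certificates found; the MP may not have received one yet.' }
$certs | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

# 2. Flag anything that expires within 30 days, including a leftover 3rd-party cert in My.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    ForEach-Object { Write-Warning "Expires soon: $($_.Subject) [$($_.Thumbprint)] on $($_.NotAfter)" }

# 3. Which certificate hash is bound in HTTP.sys? (IIS bindings end up here.)
$boundHashes = netsh http show sslcert |
    Select-String -Pattern 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() } | Sort-Object -Unique
if (-not $boundHashes) {
    'No HTTPS binding found in HTTP.sys on this server.'
}
foreach ($hash in $boundHashes) {
    $match = $certs | Where-Object { $_.Thumbprint -eq $hash }
    if ($match) { "HTTPS binding uses site-issued cert: $($match.Subject) [$hash]" }
    else        { Write-Warning "HTTPS binding uses thumbprint $hash, which is NOT a site-issued SMS cert" }
}

# 4. Recent certificate-related entries from the MP control log.
# Assumption: default MP log location; adjust if SMS_CCM was installed elsewhere.
$mpLog = Join-Path $env:ProgramFiles 'SMS_CCM\Logs\MPControl.log'
if (Test-Path $mpLog) {
    Get-Content $mpLog -Tail 300 | Select-String -Pattern 'certificate|SSL|HTTPS' -CaseSensitive:$false |
        Select-Object -Last 10 | ForEach-Object { $_.Line }
} else {
    Write-Warning "MPControl.log not found at $mpLog"
}
```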


3 additional answers

  1. Amandayou-MSFT 11,051 Reputation points
    2022-04-08T09:50:39.777+00:00

    Hi,

    Based on this article from Microsoft, the certificate is automatically generated and is named SMS Role SSL Certificate. We could go to the Administration workspace, expand Security, and select the Certificates node. Look for the SMS Issuing root certificate and the site server role certificates issued by the SMS Issuing root; please check whether the name is SMS Role SSL Certificate or SMS Token Signing Certificate.

    And wait up to 30 minutes for the management point to receive and configure the new certificate from the site, so if the certificate is normal, it is not required to import it into the MP.

    Do i need to distribute any of these certs to clients at all?

    --> Based on my experience, we do not need to distribute these certs.

    About the logs, we could check MPcontrol.log and ADALOperationProvider.log.

    Here is the related article we could refer to:
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http#configure-the-site


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. JG 396 Reputation points
    2022-04-08T10:36:14.643+00:00

    Hi Amanda,

    Thanks. There are two SMS Issuing certificates in the admin console, but neither of the other certs (SSL Role or Token Signing) appears there.

    The SMS Role SSL cert only appears on the site server.

    The SMS Token Signing cert only appears on the remote MP.

    I updated the site a few weeks ago to v2111 and I think the issue might be that I already had a cert bound to IIS on the MP.
    So, I'm still confused which cert to use: do I import the SSL Role cert into the MP for binding in IIS, or use the SMS Token Signing cert?

    Thanks


  3. JG 396 Reputation points
    2022-04-11T11:16:15.26+00:00

    Hi Amanda,

    Thanks. Initially, when I enabled eHTTP, there was no "SMS Token Signing Certificate" there; that appeared later (FYI).

    What impact does this have on clients etc.?
    I will need to put in a change request for this and am actually on holiday for a week, so will get back to you on the result. Thanks