SCCM clients unable to connect since new RootCA created

We recently dealt with an expiring certificate for a SubCA and the original offline RootCA was no longer available. We managed to create a new offline RootCA and use it to get the SubCA a new SubCA certificate. Since doing this, however, our SCCM hasn't been working properly. When looking at the list of Devices, all of them are shown as grey with an X; client activity shows as inactive and the last update was 7-10 days ago. Any help would be appreciated!

Alexander Insley, Senior Network & Systems Tech (Author)
Commented:
I have also discovered that 2 certificates (under SCCM -> Administration -> Security -> Certificates) are expired and they are types Distribution Point and Boot Media. Could this be causing the issue?
David Johnson, CD, Simple Geek from the '70s (Distinguished Expert 2019)
Commented:
Yes, since you built a new root CA, all of the issued certificates are invalid; you have to reissue all certificates. Did you also update your group policy to reflect the new root CA key?
Alexander Insley, Senior Network & Systems Tech (Author)
Commented:
1) How do I reissue all certificates?
2) The GPO was not updated; which GPO do I modify?
David Johnson, CD, Simple Geek from the '70s (Distinguished Expert 2019)
Commented:
In order to establish a chain of trust for your PKI environment, you identify the copy of the CA you just created as a trust anchor.
To establish the CA as a trust anchor, add the root certificate for the CA to the Trusted Root Certification Authorities container in the group policy object that defines the IP Security policies.
To add a trusted root certificate to the group policy object:
1. Open the Certificates (MMC) snap-in. If the Certificates snap-in is not available, you can run MMC and click File > Add/Remove Snap-in to add it.
2. Select Computer account, and click Next.
3. Select Local computer, then click Next.
4. Click Certificates > Trusted Root Certification Authorities > Certificates.
5. Select the root certificate generated by the CA you created in the previous procedure, then double-click it to see its Properties page.
6. Click the Details tab; then click Copy to file to start the Certificate Export Wizard. In the wizard, make the following selections:
   ● File format: DER encoded binary X.509 (.CER)
   ● File Name: Anywhere on the local server
   ● Include all certificates in the certification path: No
7. Open the Group Policy Object Editor and select the group policy object that defines the IP Security policies. Click Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
8. Select Trusted Root Certification Authorities, right click, and select Import to open the Certificate Import Wizard.
9. Click Next on the Welcome screen.
10. Browse to find the root certificate you copied in Step 6, then click to accept the default values on each screen.
11. Click Finish to complete the wizard.
Alexander Insley, Senior Network & Systems Tech (Author)
Commented:
David,

Thank you for the detailed steps! We'll start there and check in to let you know how it is going.

Also, we found this article: https://www.prajwaldesai.com/deploy-pki-certificates-for-sccm-2012-r2/

Does this assist our efforts?

Alex
David Johnson, CD, Simple Geek from the '70s (Distinguished Expert 2019)
Commented:
It has a lot of good information. Knowledge is Power.
Alexander Insley, Senior Network & Systems Tech (Author)
Commented:
David,

I did find that the old Root CA cert was in the default domain policy so I successfully imported the new one into the same policy. What's next?

Alex
David Johnson, CD, Simple Geek from the '70s (Distinguished Expert 2019)
Commented:
Wait for the servers/clients to get their new certificate (is it set to auto-enroll in the template?).
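To confirm the GPO import described above has actually reached a client, and to see which machine certificates are expired or still chain to the old root, here is an added PowerShell check (my example, not code from the thread). It assumes the new root's thumbprint is passed as a parameter and that it runs on a domain-joined client; `certutil -pulse` asks the autoenrollment engine to run now rather than waiting for its next scheduled pass.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a client/server.
# $NewRootThumbprint is an assumption: replace it with the thumbprint of the new offline root.
param(
    [string]$NewRootThumbprint = 'REPLACE-WITH-NEW-ROOT-THUMBPRINT'
)

gpupdate /target:computer /force | Out-Null   # pull the updated Default Domain Policy
certutil -pulse | Out-Null                    # trigger autoenrollment instead of waiting

# Is the new root now in the machine's Trusted Root store?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $NewRootThumbprint
if (-not $root) {
    Write-Warning "New root CA not found in LocalMachine\Root; the GPO has not applied yet."
} else {
    Write-Host "New root present: $($root.Subject) (expires $($root.NotAfter))"
}

# For every machine certificate in the Personal store: expired? which root does it chain to?
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # test trust only, not CRL reachability
    $valid  = $chain.Build($cert)
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        Expired      = $cert.NotAfter -lt (Get-Date)
        SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA vs sha256RSA
        ChainValid   = $valid
        ChainsToNew  = ($anchor -eq $NewRootThumbprint)
        Status       = ($chain.ChainStatus | ForEach-Object Status) -join ','
    }
    $chain.Reset()
}
```

Certificates that show Expired or ChainsToNew = False are the ones that still need to be renewed or reissued from the SubCA.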
Alexander Insley, Senior Network & Systems Tech (Author)
Commented:
Do you mean is the template used to create the Root CA set to auto-enroll?

On another note, it appears that all of the new certificates I am creating from the Sub CA (Enterprise CA) are using SHA-1. I am having trouble determining the correct steps to make it so that all new certificates created from the SubCA use SHA256 (it appears that the Root CA certificate does use SHA256). Any tips?
David Johnson, CD, Simple Geek from the '70s (Distinguished Expert 2019)
Commented:
create a new template that is SHA256
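As an added example (mine, not from the thread), a check to run on the SubCA for the SHA-1 question: the hash the CA uses to sign the certificates it issues is a setting on the CA's key provider, and this script reads that setting and, only when run with -Apply, switches it to SHA256 and restarts the CA service. It assumes the CA key is held by a KSP (CNG); certificates already issued keep SHA-1 until they are renewed.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the SubCA.
# Assumes the CA key is held by a KSP (CNG). A legacy CSP-backed CA exposes
# ca\csp\HashAlgorithm instead and must be migrated to a KSP before SHA256 can be used.
param([switch]$Apply)   # without -Apply the script only reports the current value

$ErrorActionPreference = 'Stop'

# Read the hash algorithm the CA signs issued certificates with.
$line = certutil -getreg ca\csp\CNGHashAlgorithm |
        Select-String 'CNGHashAlgorithm\s+REG_SZ\s*=\s*(\S+)'
if (-not $line) {
    throw "CNGHashAlgorithm not found; the CA is probably using a legacy CSP (check ca\csp\HashAlgorithm)."
}
$current = $line.Matches[0].Groups[1].Value
Write-Host "Issued certificates are currently signed with: $current"

if ($Apply -and $current -ne 'SHA256') {
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256   # affects certificates issued from now on
    Restart-Service certsvc                           # the setting is read when the CA starts
    certutil -getreg ca\csp\CNGHashAlgorithm          # confirm the change
}
```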

Alexander Insley, Senior Network & Systems Tech (Author)
Commented:
Well, it looks like I don't need to worry about this at the moment; I think I have client communication working, even though the client certificates are using SHA-1.

As a solution to the SHA256 question, I am strongly considering just setting up a new AD integrated CA server and decommissioning the existing offline Root CA and SubCA. A previous engineer, who is no longer here, set this up and left no documentation on how to support it; I also believe it is overkill for our environment.

Do you foresee any issues with doing this? If not, is there an accepted practice on how to do this?

Alex
Alexander Insley, Senior Network & Systems Tech (Author)
Commented:
Thank you for your assistance!