Alexander Insley
asked on
SCCM clients unable to connect since new RootCA created
We recently dealt with an expiring certificate for a SubCA and the original offline RootCA was no longer available. We managed to create a new offline RootCA and use it to get the SubCA a new SubCA certificate. Since doing this, however, our SCCM hasn't been working properly. When looking at the list of Devices, all of them are shown as grey with an X; client activity shows as inactive and the last update was 7-10 days ago. Any help would be appreciated!
Yes, since you built a new root CA, all of the issued certificates are invalid; you have to reissue all certificates. Did you also update your Group Policy to reflect the new root CA key?
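Before reissuing anything, it helps to see which machine certificates actually fail to chain and whether the new root has reached the box at all. The script below is an added example for this thread, not code from either poster; it runs in an elevated PowerShell (5.1 or later) on an SCCM client or site server. `$NewRootThumbprint` is an assumed placeholder for the SHA-1 thumbprint of the new offline root's certificate.

```powershell
# Added example (not from the thread): which LocalMachine\My certificates no longer chain to a
# trusted root after the root CA was replaced, and is the new root present on this machine?
# $NewRootThumbprint is an assumed placeholder; replace with the new root certificate's thumbprint.
$NewRootThumbprint = '0000000000000000000000000000000000000000'

function Test-NewRootTrusted {
    param([string]$Thumbprint)
    # The Trusted Root Certification Authorities setting in the Default Domain Policy
    # (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies)
    # lands the certificate in LocalMachine\Root, so that is the store to check.
    $null -ne (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint)
}

function Get-MachineCertChainStatus {
    # Build the chain for every machine certificate and report where the chain stops.
    # Revocation checking is disabled on purpose: with the old root gone its CRL is probably
    # unreachable too, and a revocation error would mask the real trust failure. Re-run with
    # RevocationMode = Online once every chain builds cleanly.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ok = $chain.Build($cert)
        # The last element is the highest certificate the engine could find: the root when the
        # chain is complete, or the SubCA (or the leaf itself) when the issuer above it is missing.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA vs sha256RSA
            ChainBuilds  = $ok
            ChainTop     = $top.Subject
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
        $chain.Reset()
    }
}

if (-not (Test-NewRootTrusted $NewRootThumbprint)) {
    Write-Warning "New root CA is not in LocalMachine\Root on $env:COMPUTERNAME; Group Policy has not delivered it yet (gpupdate /force, then re-check)."
}
# Only the certificates that need attention: those whose chain does not build.
Get-MachineCertChainStatus | Where-Object { -not $_.ChainBuilds } | Format-Table -AutoSize
```

A `ChainTop` that is the SubCA with status `PartialChain` or `UntrustedRoot` means the machine lacks the new root; a `ChainTop` that is the new root with `NotSignatureValid` means the certificate above it was signed by a key the new chain does not contain and the certificate has to be reissued. For certificates that came from auto-enrolled templates, the usual way to reissue in bulk is to open the Certificate Templates console on the CA, right-click the template and choose "Reenroll All Certificate Holders"; clients pick the new certificate up on their next auto-enrollment cycle (or immediately with `certutil -pulse`). If the site runs in PKI (HTTPS) mode as the article linked later in the thread describes, also rebind the site systems' renewed web server certificates in IIS.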
ASKER
1) how do I reissue all certificates?
2) the GPO was not updated; which GPO do I modify?
ASKER CERTIFIED SOLUTION
ASKER
David,
Thank you for the detailed steps! We'll start there and check in to let you know how it is going.
Also, we found this article: https://www.prajwaldesai.com/deploy-pki-certificates-for-sccm-2012-r2/
Does this assist our efforts?
Alex
It has a lot of good information. Knowledge is power.
ASKER
David,
I did find that the old Root CA cert was in the default domain policy so I successfully imported the new one into the same policy. What's next?
Alex
Wait for the servers/clients to get their new certificate (is it set to auto-enroll in the template?).
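The auto-enroll setting being asked about lives on the certificate templates the clients and servers enrolled from (workstation authentication, web server and so on), not on the root CA certificate; an offline root is a standalone CA and issues nothing from templates. Rather than waiting for the next scheduled cycle, a client can be made to fetch the root from Group Policy and re-enroll right away and then report what it got. The following is an added example for this thread, not code from either poster; run it in an elevated PowerShell on a client or site server. `$SubCaName` and `$SubCaRenewedOn` are assumed placeholders for the issuing CA's common name and the date its new CA certificate was issued.

```powershell
# Added example (not from the thread): check computer auto-enrollment policy, force a policy and
# enrollment cycle, and list the machine certificates issued by the SubCA since it was renewed.
# $SubCaName and $SubCaRenewedOn are assumed placeholders.
$SubCaName      = 'Contoso Issuing CA'
$SubCaRenewedOn = Get-Date '2018-01-01'

function Get-ComputerAutoEnrollmentPolicy {
    # Registry location of the "Certificate Services Client - Auto-Enrollment" computer policy.
    # AEPolicy 7 = enabled + "renew expired/update pending" + "update templates" (the usual setting);
    # 0x8000 set = policy explicitly disabled; value absent = not configured.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
    $flags = if ($null -ne $p -and $null -ne $p.AEPolicy) { [int]$p.AEPolicy } else { $null }
    [pscustomobject]@{
        Configured   = ($null -ne $flags)
        Disabled     = ($null -ne $flags -and ($flags -band 0x8000) -ne 0)
        FullyEnabled = ($flags -eq 7)
        AEPolicy     = $flags
    }
}

function Invoke-CertRefresh {
    gpupdate /target:computer /force | Out-Null   # pulls the new root from the Default Domain Policy
    certutil -pulse | Out-Null                    # runs the auto-enrollment task now (normally startup + every 8 hours)
}

function Get-CertsIssuedBySubCa {
    param([string]$IssuerName, [datetime]$Since)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "CN=$IssuerName*" } |
        Select-Object Subject, NotBefore, NotAfter, Thumbprint,
            @{ n = 'IssuedSinceRenewal'; e = { $_.NotBefore -ge $Since } },
            @{ n = 'SignatureAlg';       e = { $_.SignatureAlgorithm.FriendlyName } }
}

$policy = Get-ComputerAutoEnrollmentPolicy
if ($policy.Disabled -or -not $policy.FullyEnabled) {
    Write-Warning "Computer auto-enrollment policy is not fully enabled (AEPolicy=$($policy.AEPolicy)); clients will not renew on their own."
}
Invoke-CertRefresh
Start-Sleep -Seconds 60   # enrollment runs in the background; give it a moment before looking
Get-CertsIssuedBySubCa -IssuerName $SubCaName -Since $SubCaRenewedOn | Format-Table -AutoSize
```

A certificate with `IssuedSinceRenewal` still `False` after the refresh means the template did not consider it due for renewal; "Reenroll All Certificate Holders" on that template (which bumps the template version) makes auto-enrollment replace it on the next pulse.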
ASKER
do you mean is the template used to create the Root CA set to auto-enroll?
On another note, it appears that all of the new certificates I am creating from the Sub CA (Enterprise CA) are using SHA-1. I am having trouble determining the correct steps to make it so that all new certificates created from the SubCA use SHA256 (it appears that the Root CA certificate does use SHA256). Any tips?
Create a new template that is SHA256.
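One practitioner caveat on this: the hash used on issued certificates is a property of the CA's key provider configuration, not of the template. A v3 template's "request hash" only affects how the client signs its CSR; the signature on the issued certificate (and on the CRL) comes from the CA's `CNGHashAlgorithm` setting, which is read when certsvc starts. The script below is an added example for this thread, not code from either poster; run it in an elevated PowerShell on the SubCA as a CA administrator. Everything it reads is the CA's own registry configuration, and `Get-CertSignatureAlgorithm` takes the path of any certificate file you want to verify afterwards.

```powershell
# Added example (not from the thread): see which hash the issuing CA signs with and switch it
# to SHA-256. Run on the SubCA; changing the setting requires a certsvc restart.
function Get-CaSigningConfig {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty $cfg).Active            # common name of the CA hosted on this server
    $csp    = Get-ItemProperty "$cfg\$caName\CSP"
    [pscustomobject]@{
        CAName           = $caName
        Provider         = $csp.Provider
        IsKsp            = ($csp.Provider -like '*Key Storage Provider*')
        CNGHashAlgorithm = $csp.CNGHashAlgorithm      # honoured when the CA key lives in a KSP (CNG)
        HashAlgorithm    = $csp.HashAlgorithm         # legacy CSP value: 0x8004 = CALG_SHA1, 0x800C = CALG_SHA_256
    }
}

function Set-CaSigningHashSha256 {
    $c = Get-CaSigningConfig
    if (-not $c.IsKsp) {
        # CNGHashAlgorithm only applies to KSP-backed keys. A CA whose key sits in a legacy CSP
        # has to have the key migrated to a KSP first (Microsoft's documented CSP-to-KSP migration).
        throw "CA '$($c.CAName)' uses legacy CSP '$($c.Provider)'; migrate the key to a KSP before changing the hash."
    }
    if ($c.CNGHashAlgorithm -eq 'SHA256') { return 'SHA256' }
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    Restart-Service certsvc                 # the CA reads CSP settings at service start
    (Get-CaSigningConfig).CNGHashAlgorithm  # expect SHA256
}

function Get-CertSignatureAlgorithm {
    # Verify a certificate issued after the change (export it from the CA or a client first).
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $cert.SignatureAlgorithm.FriendlyName   # sha256RSA after the change; sha1RSA before
}

Get-CaSigningConfig
Set-CaSigningHashSha256
```

The change only affects certificates signed from now on; everything already issued stays SHA-1 until it is renewed or re-enrolled. The SubCA's own certificate is signed by the root, so its hash is whatever the offline root was configured with when it issued it.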
ASKER
well, it looks like I don't need to worry about this at the moment; I think I have client communication working, even though the client certificates are using SHA-1.
As a solution to the SHA256 question, I am strongly considering just setting up a new AD integrated CA server and decommissioning the existing offline Root CA and SubCA. A previous engineer, that is no longer here, set this up and left no documentation on how to support it; I also believe it is overkill for our environment.
Do you foresee any issues with doing this? If not, is there an accepted practice on how to do this?
Alex
ASKER
Thank you for your assistance!