Alexander Insley
SCCM clients unable to connect since new RootCA created

We recently dealt with an expiring certificate for a SubCA and the original offline RootCA was no longer available. We managed to create a new offline RootCA and use it to get the SubCA a new SubCA certificate. Since doing this, however, our SCCM hasn't been working properly. When looking at the list of Devices, all of them are shown as grey with an X; client activity shows as inactive and the last update was 7-10 days ago. Any help would be appreciated!
Alexander Insley (ASKER):
I have also discovered that 2 certificates (under SCCM -> Administration -> Security -> Certificates) are expired and they are types Distribution Point and Boot Media. Could this be causing the issue?
David Johnson, CD:
Yes. Since you built a new root CA, all of the issued certificates are invalid; you have to reissue all certificates. Did you also update your group policy to reflect the new root CA key?
1) how do I reissue all certificates?
2) the GPO was not updated; which GPO do I modify?
ASKER CERTIFIED SOLUTION
David Johnson, CD
David,

Thank you for the detailed steps! We'll start there and check in to let you know how it is going.

Also, we found this article: https://www.prajwaldesai.com/deploy-pki-certificates-for-sccm-2012-r2/

Does this assist our efforts?

Alex
It has a lot of good information. Knowledge is Power.
David,

I did find that the old Root CA cert was in the default domain policy so I successfully imported the new one into the same policy. What's next?

Alex
Wait for the servers/clients to get their new certificate (is it set to auto-enroll in the template?).
Do you mean is the template used to create the Root CA set to auto-enroll?

On another note, it appears that all of the new certificates I am creating from the Sub CA (Enterprise CA) are using SHA-1. I am having trouble determining the correct steps to make it so that all new certificates created from the SubCA use SHA256 (it appears that the Root CA certificate does use SHA256). Any tips?

Create a new template that is SHA256.

Well, it looks like I don't need to worry about this at the moment; I think I have client communication working, even though the client certificates are using SHA-1.

As a solution to the SHA256 question, I am strongly considering just setting up a new AD integrated CA server and decommissioning the existing offline Root CA and SubCA. A previous engineer, who is no longer here, set this up and left no documentation on how to support it; I also believe it is overkill for our environment.

Do you foresee any issues with doing this? If not, is there an accepted practice on how to do this?

Alex
Thank you for your assistance!
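Two checks come up in this thread: whether the new root CA actually reached the clients' Trusted Root store via GPO and whether the existing certificates still chain to a trusted root, and whether the SubCA is issuing SHA-1 certificates. The following is an added example, not code from the thread or from Experts Exchange, that inventories the local machine's certificates on an SCCM client or site server and reports both; `CN=NewOfflineRootCA` is a placeholder for the new root's subject name.

```powershell
# Added example: run in an elevated PowerShell session on an SCCM client or site server.
# Assumption: 'CN=NewOfflineRootCA' is a placeholder; replace it with the new root CA's subject.
$NewRootSubject = 'CN=NewOfflineRootCA'

# 1. Did the GPO deliver the new root into the machine's Trusted Root store?
$newRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $NewRootSubject }
if (-not $newRoot) {
    Write-Warning "New root CA '$NewRootSubject' not found in Cert:\LocalMachine\Root; check the GPO and run gpupdate /force"
}

# 2. For every certificate in the machine's Personal store, build its chain and report
#    which root it ends in, whether the chain is trusted, whether it is expired,
#    and whether it was signed with SHA-1.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped here so an unreachable CRL does not mask a trust problem;
    # re-run with 'Online' once the chain itself is known to be good.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainValid = $chain.Build($cert)

    $rootSubject = '(none)'
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Expired      = ($cert.NotAfter -lt (Get-Date))
        ChainsToRoot = $rootSubject
        ChainValid   = $chainValid
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        SignatureAlg = $sigAlg
        WeakHash     = ($sigAlg -like 'sha1*')
    }
} | Format-Table -AutoSize
```

Any row whose ChainsToRoot is the old root, whose ChainValid is False, or whose WeakHash is True is a certificate that still needs to be reissued; on the SubCA itself, `certutil -getreg ca\csp\CNGHashAlgorithm` reports the hash algorithm the CA is currently configured to sign with.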