Alexander Insley
 asked on

SCCM clients unable to connect since new RootCA created

We recently dealt with an expiring certificate for a SubCA and the original offline RootCA was no longer available. We managed to create a new offline RootCA and use it to get the SubCA a new SubCA certificate. Since doing this, however, our SCCM hasn't been working properly. When looking at the list of Devices, all of them are shown as grey with an X; client activity shows as inactive and the last update was 7-10 days ago. Any help would be appreciated!
Tags: Certificate Services, SCCM


8/22/2022 - Mon
Alexander Insley

ASKER
I have also discovered that 2 certificates (under SCCM -> Administration -> Security -> Certificates) are expired and they are types Distribution Point and Boot Media. Could this be causing the issue?
David Johnson, CD

Yes, since you built a new root CA, all of the issued certificates are invalid; you have to reissue all certificates. Did you also update your Group Policy to reflect the new root CA key?
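The two checks raised in the reply above (is the new root trusted on the machine, and do the existing certificates still chain to a trusted root) can be run locally on an SCCM client or site server. The following PowerShell script is an added example and is not from the thread or from SCCM itself; `$NewRootThumbprint` is a placeholder to be replaced with the thumbprint of the newly created root CA certificate.

```powershell
# Added example (not from the thread): confirm that the NEW offline root CA is present in the
# machine Trusted Root store (normally delivered via GPO) and report which certificates in the
# machine store still fail to chain to it and therefore need to be reissued.
param(
    [string]$NewRootThumbprint = 'REPLACE_WITH_NEW_ROOT_CA_THUMBPRINT'   # placeholder
)

# 1. Is the new root trusted by this machine?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $NewRootThumbprint
if (-not $root) {
    Write-Warning "New root CA not found in LocalMachine\Root. Run 'gpupdate /force' and re-check, or verify the GPO that publishes it."
} else {
    Write-Host "New root CA trusted: $($root.Subject) (expires $($root.NotAfter))"
}

# 2. For every certificate in the machine's personal store, build the chain and record
#    whether it terminates at the new root. Certificates that do not are candidates for reissue.
$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Chain building only: CRLs published under the old root may no longer be reachable.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    $topOfChain = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        SigAlgorithm    = $cert.SignatureAlgorithm.FriendlyName
        ChainBuilds     = $ok
        ChainsToNewRoot = ($topOfChain.Thumbprint -eq $NewRootThumbprint)
        Status          = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    }
    $chain.Reset()
}

$results | Sort-Object ChainsToNewRoot | Format-Table -AutoSize
```

Run it from an elevated prompt on a site system and on a sample client. A row with `ChainBuilds` false or `ChainsToNewRoot` false is a certificate still anchored to the decommissioned root; `Status` carries the chain engine's reason (for example an untrusted root or an expired issuer), which is what the SCCM client logs (ClientIDManagerStartup.log, CcmMessaging.log) will also be complaining about.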
Alexander Insley

ASKER
1) How do I reissue all certificates?
2) The GPO was not updated; which GPO do I modify?
ASKER CERTIFIED SOLUTION
David Johnson, CD

Alexander Insley

ASKER
David,

Thank you for the detailed steps! We'll start there and check in to let you know how it is going.

Also, we found this article: https://www.prajwaldesai.com/deploy-pki-certificates-for-sccm-2012-r2/

Does this assist our efforts?

Alex
David Johnson, CD

It has a lot of good information. Knowledge is power.
Alexander Insley

ASKER
David,

I did find that the old Root CA cert was in the default domain policy so I successfully imported the new one into the same policy. What's next?

Alex
David Johnson, CD

Wait for the servers/clients to get their new certificate (is it set to auto-enroll in the template?).
Alexander Insley

ASKER
Do you mean the template used to create the Root CA is set to auto-enroll?

On another note, it appears that all of the new certificates I am creating from the Sub CA (Enterprise CA) are using SHA-1. I am having trouble determining the correct steps to make it so that all new certificates created from the SubCA use SHA256 (it appears that the Root CA certificate does use SHA256). Any tips?
David Johnson, CD

Create a new template that is SHA256.
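As an added example for the SHA-1 question above (not from the thread or from AD CS documentation), the script below first lists certificates in the local machine store that are still SHA-1 signed, and then, when run on the issuing SubCA itself, reads the hash algorithm the CA is configured to sign with. The signature hash of newly issued certificates is set on the CA (the `CA\CSP\CNGHashAlgorithm` registry value read by `certutil`) and applies to every template the CA issues; it also only takes effect when the CA key lives in a CNG Key Storage Provider rather than a legacy CSP. The store path and function names are the example's own.

```powershell
# Added example (not from the thread): audit SHA-1 signatures and read the CA's signing hash.

function Get-WeakSignedCertificates {
    # Lists certificates in the given store whose signature algorithm is SHA-1 based
    # (e.g. "sha1RSA"). Default store is the local machine's personal store.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -match 'sha1' } |
        Select-Object Subject, Issuer, NotAfter,
            @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

function Get-CaSigningConfiguration {
    # Run on the issuing (Sub) CA. Reads the hash algorithm used for new signatures and the
    # provider holding the CA key. certutil ships with the AD CS role / RSAT tools.
    certutil -getreg ca\csp\CNGHashAlgorithm
    certutil -getreg ca\csp\Provider
    # A legacy CSP (for example "Microsoft Strong Cryptographic Provider") keeps signing with
    # SHA-1 regardless of templates; a KSP ("Microsoft Software Key Storage Provider") honours
    # CNGHashAlgorithm. The documented change to move a KSP-backed CA to SHA-256 is:
    #   certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    #   Restart-Service certsvc
    # Left commented out here: it changes CA behaviour and should be a deliberate step.
}

Get-WeakSignedCertificates | Format-Table -AutoSize
if (Get-Service certsvc -ErrorAction SilentlyContinue) {
    Get-CaSigningConfiguration
}
```

The audit half runs anywhere; the configuration half only produces output where the `certsvc` service exists, i.e. on the CA. Existing SHA-1 certificates are not rewritten by the CA change: they keep their original signature until renewed or reissued, which is why the client certificates in this thread still show SHA-1 after the root was replaced.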

Alexander Insley

ASKER
Well, it looks like I don't need to worry about this at the moment; I think I have client communication working, even though the client certificates are using SHA-1.

As a solution to the SHA256 question, I am strongly considering just setting up a new AD-integrated CA server and decommissioning the existing offline Root CA and SubCA. A previous engineer, who is no longer here, set this up and left no documentation on how to support it; I also believe it is overkill for our environment.

Do you foresee any issues with doing this? If not, is there an accepted practice on how to do this?

Alex
Alexander Insley

ASKER
Thank you for your assistance!