myITforum and Windows IT Pro Forums

 Certificate Expired

jmiller120

  • Total Posts : 14
  • Scores: 0
  • Reward points : 0
  • Joined: 4/15/2008
  • Status: offline
Certificate Expired Monday, December 08, 2008 8:25 PM (permalink)
0
I am running SCCM in native mode, and my certificate expired.  Has anyone run into this?  The error message is:
The site server signing certificate has expired 10 day(s) ago. Please replace/renew the certificate. The Policies at this Site will be re-signed by the Site Server using the new signing certificate.
 
What is the best way to handle this?
 
#1
    mhudson

    • Total Posts : 794
    • Scores: 33
    • Reward points : 27620
    • Joined: 4/1/2007
    • Location: College Station, TX
    • Status: offline
    RE: Certificate Expired Monday, December 08, 2008 8:45 PM (permalink)
    0
    Yup, 2 weeks ago.  Just replace the cert with a new one and then go into Site Mode and change it there.  The clients will pick it back up.  You will see Policy errors in the Policy log on the clients until then.  It takes the clients about 2 policy cycles to correct.
     
    #2
      jmiller120

      RE: Certificate Expired Monday, December 08, 2008 9:14 PM (permalink)
      0
      I'm using an INF file to generate my CSR request - is there a way to define the valid time for it?  I'm a bit rusty.  This may be out of the scope of this forum though...
      Here is the INF file that I use for my CSR:
       
      [NewRequest]
      Subject = "CN=The site code of this site server is 001"
      EncipherOnly = FALSE
      Exportable = TRUE   ; FALSE = Private key is not exportable
      KeyLength = 1024    ; Common key sizes: 512, 1024, 2048,
            ;    4096, 8192, 16384
      KeySpec = 1         ; Key Exchange
      KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
      MachineKeySet = True
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      ProviderType = 12
      RequestType = CMC   ; Omit entire section if CA is Enterprise
      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.4.1.311.10.3.12 ; Document Signing
      [RequestAttributes]
      CertificateTemplate = SCCM_Authority
       
      #3
        mhudson

        RE: Certificate Expired Monday, December 08, 2008 9:29 PM (permalink)
        0
        The time needs to be defined in the template not the inf file.
         
        #4
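Because the validity period comes from the CA template rather than the INF, it is only visible on the certificate the CA actually issued. The PowerShell below is an added example, not part of the thread: it reads that period from the site server signing certificate and flags an upcoming expiry. It assumes the certificate is in the LocalMachine\My store and carries the subject text and Document Signing OID from the INF in post #3; the function name and the 30-day threshold are hypothetical.

```powershell
# Added example (not from the thread): report validity of the site server signing cert.
# Assumed: cert is in LocalMachine\My and matches the subject text / EKU OID from the INF above.
$SubjectMarker = 'The site code of this site server is'
$DocSigningOid = '1.3.6.1.4.1.311.10.3.12'   # Document Signing
$WarnDays      = 30                          # hypothetical renewal lead time

function Get-SigningCertStatus {             # hypothetical helper name
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates,
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 30
    )
    foreach ($cert in $Certificates) {
        if ($cert.Subject -notlike "*$SubjectMarker*") { continue }

        # Collect the EKU OIDs actually present on the issued certificate.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        $daysLeft = [math]::Floor(($cert.NotAfter - $Now).TotalDays)
        $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' } else { 'OK' }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotBefore        = $cert.NotBefore
            NotAfter         = $cert.NotAfter
            ValidityDays     = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
            DaysLeft         = $daysLeft
            HasDocSigningEku = $ekuOids -contains $DocSigningOid
            HasPrivateKey    = $cert.HasPrivateKey
            State            = $state
        }
    }
}

$results = @(Get-SigningCertStatus -Certificates (Get-ChildItem Cert:\LocalMachine\My) -WarnDays $WarnDays)
if ($results.Count -eq 0) { Write-Warning 'No site server signing certificate found in LocalMachine\My'; exit 2 }
$results | Format-List
if ($results | Where-Object { $_.State -ne 'OK' }) { exit 1 }   # non-zero exit for a scheduled task or monitor
```

Run it right after swapping the certificate to confirm the new NotAfter date and that the private key is present, then schedule it so the next expiry is caught before policy signing fails.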
          jmiller120

          RE: Certificate Expired Wednesday, December 10, 2008 7:29 PM (permalink)
          0
          I am getting the following errors since I reissued a new certificate and changed it out:
          MP Control Manager detected DMP is not responding to HTTP requests.  The http error is 12152.
           
          MP Control Manager detected management point is not responding to HTTP requests.  The HTTP status code and text is 500, Internal Server Error.
           
          In the ccmexec.log file on a client I'm testing, the log has the following errors:
          The 'Certificate Store' is empty in the registry, using default store name 'MY'. CcmExec 12/10/2008 6:27:47 PM 2960 (0x0B90)
          Raising event:
          instance of CCM_ServiceHost_CertRetrieval_Status
          {
           ClientID = "GUID:1EE9D7AC-D52D-43C9-A6D0-EC1217AF7B05";
           DateTime = "20081211002747.447000+000";
           HRESULT = "0x00000000";
           ProcessID = 3392;
           ThreadID = 2960;
          };
           CcmExec 12/10/2008 6:27:47 PM 2960 (0x0B90)
          Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78 CcmExec 12/10/2008 6:27:47 PM 2960 (0x0B90)
          [CCMHTTP] HTTP ERROR: URL=http://Kennedy.rowancompanies.com/ccm_system/request, Port=443, Protocol=https, SSLOptions=63, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE CcmExec 12/10/2008 6:27:47 PM 2960 (0x0B90)
          Raising event:
          instance of CCM_CcmHttp_Status
          {
           ClientID = "GUID:1EE9D7AC-D52D-43C9-A6D0-EC1217AF7B05";
           DateTime = "20081211002747.494000+000";
           HostName = "Kennedy.rowancompanies.com";
           HRESULT = "0x80072f78";
           ProcessID = 3392;
           StatusCode = 0;
           ThreadID = 2960;
          };
           CcmExec 12/10/2008 6:27:47 PM 2960 (0x0B90)
           
          #5
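The log in post #5 reports the same failure three ways: ErrorCode = 0x2f78, Code=12152 and HRESULT 0x80072f78. The PowerShell below is an added example, not part of the thread, that extracts the [CCMHTTP] error fields for triage after a certificate change and shows how the HRESULT maps back to the WinHTTP code. The function names, the sample lines and the host name mp01.example.test are constructed for illustration.

```powershell
# Added example (not from the thread). Constructed sample lines in the layout
# shown in the post above; the host name is a placeholder.
$sample = @(
    'Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78 CcmExec 12/10/2008 6:27:47 PM 2960 (0x0B90)'
    '[CCMHTTP] HTTP ERROR: URL=http://mp01.example.test/ccm_system/request, Port=443, Protocol=https, SSLOptions=63, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE CcmExec 12/10/2008 6:27:47 PM 2960 (0x0B90)'
)

function Get-CcmHttpError {                  # hypothetical helper name
    param([string[]]$Line)
    $pattern = '\[CCMHTTP\] HTTP ERROR: URL=(?<Url>[^,]+), Port=(?<Port>\d+), ' +
               'Protocol=(?<Protocol>\w+), SSLOptions=(?<Ssl>\d+), Code=(?<Code>\d+), Text=(?<Text>\S+)'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Server   = ([uri]$Matches.Url).Host
                Port     = [int]$Matches.Port
                Protocol = $Matches.Protocol
                Code     = [int]$Matches.Code
                Text     = $Matches.Text
            }
        }
    }
}

function Convert-HResultToWin32 {            # hypothetical helper name
    param([string]$HResult)                  # hex string as logged, e.g. '0x80072f78'
    $value = [Convert]::ToInt64($HResult, 16)
    # FACILITY_WIN32 (7) HRESULTs carry the Win32/WinHTTP error code in the low 16 bits.
    if ((($value -shr 16) -band 0x7FF) -eq 7) { return [int]($value -band 0xFFFF) }
    return $null                             # other facilities are not a wrapped Win32 code
}

$errors = @(Get-CcmHttpError -Line $sample)
$errors | Group-Object Server, Port, Code, Text | Select-Object Count, Name | Format-Table -AutoSize

# The HRESULT from the CCM_CcmHttp_Status event should decode to the same Code value.
$decoded = Convert-HResultToWin32 '0x80072f78'
"HRESULT 0x80072f78 decodes to WinHTTP code $decoded; log reported Code=$($errors[0].Code)"
```

To use it on a real client, pass the lines of its ccmexec.log to `Get-CcmHttpError` instead of `$sample`.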
            jmiller120

            RE: Certificate Expired Wednesday, December 10, 2008 9:31 PM (permalink)
            0
            I just noticed that the sms agent host service on the SCCM server (all roles are on one server) was set to disabled.  As soon as I kicked it on, it looks like everything started running smoothly again.  After it was enabled, it updated the URL to connect via https, and updated the certificates on the clients. 
             
            #6
              mhudson

              RE: Certificate Expired Thursday, December 11, 2008 8:43 AM (permalink)
              0
              I am glad to see you have it working.  I was not so sure what would happen when we went through the process but we did come out unharmed :)
               
              #7