System Center Configuration Manager (SCCM) 2012: Client PKI and Subordinate CA woes

EDIT 2013-12-30 Before you remove your Root CA from configuration, as suggested in this guide, note that it will most likely break OSD / PXE booting for SCCM, potentially along with other things. According to this technet post, the bug is happening for people who seem to use a 3rd party cert which might not be compatible with SCCM? I put a question mark there since I’m still not sure what the cause might be and Microsoft seems hesitant on fixing this bug. I am using a root CA that was created with OpenSSL and use the root CA to sign my subordinate CA which is being used in my enterprise CA (in other words, my Windows Enterprise CA is subordinate to the one I created using OpenSSL). If it helps you get running, and you’re not using things like PXE and OSD, then this guide might provide a workaround. Otherwise, the workaround is not to use PKI, which sucks.


When trying to setup SCCM on my network, I came upon some trouble getting the secure communication working between the server and the client (PKI settings and HTTPS communication). I finally ended up figuring out the issue after a few good hours of debugging and log hunting, and so hopefully this information might help someone else out.

I had set up SCCM on one of my servers, configured it to use PKI communication with the clients. I had a root CA and also a subordinate CA (the subordinate was issuing certificates to the computers). All that being set up, I decided to deploy the client using the automatic deployment method through SCCM. Looked at the client and realized that it was failing to communicate with the server correctly. Alright then, so lets go ahead and check the logs in C:\Windows\CCM\Logs :

In CcmMessaging.log:

<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time="18:39:06.247+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="3868" file="ccmcert.cpp:3759">
<![LOG[Certificate Issuer 1 [E=austrianalex@gmail.com; CN=AustrianAlex CA; OU=Certificate Authority; O=AustrianAlex; L=Spokane; S=Washington; C=US]]LOG]!><time="18:39:06.247+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="3868" file="ccmcert.cpp:3775">
<![LOG[Finding certificate by issuer chain returned error 80092004]LOG]!><time="18:39:06.247+420" date="10-11-2012" component="CcmMessaging" context="" type="2" thread="3868" file="ccmcert.cpp:3884">
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time="18:39:06.247+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="3868" file="ccmcert.cpp:3918">
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time="18:39:06.247+420" date="10-11-2012" component="CcmMessaging" context="" type="2" thread="3868" file="ccmcert.cpp:3995">
<![LOG[Raising event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
DateTime = "20121012013906.253000+000";
HRESULT = "0x87d00215";
ProcessID = 684;
ThreadID = 3868;
};
]LOG]!><time="18:39:06.253+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="3868" file="event.cpp:729">
<![LOG[Post to https://MYCCMSERVER/ccm_system/request failed with 0x87d00231.]LOG]!><time="18:39:06.255+420" date="10-11-2012" component="CcmMessaging" context="" type="2" thread="3868" file="messagequeueproc_outgoing.cpp:430">

Finding certificate by issuer chain returned error 80092004. I had specified my root CA in the SCCM console, and I thought that was enough. But certificate chain? My subordinate CA is issuing these certs, but if it trusts the root, it should also trust the subordinate, right? I decided to go and add the subordinate CA certificate into the site settings as well.

Client Settings for SCCM

So now I had the Root CA and subordinate CA specified in the settings. Pushed out the client again. This time I got a different error.

In CcmMessaging.log:

<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time="19:09:24.100+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="5832" file="ccmcert.cpp:3759">
<![LOG[Certificate Issuer 1 [E=austrianalex@gmail.com; CN=AustrianAlex CA; OU=Certificate Authority; O=AustrianAlex; L=Spokane; S=Washington; C=US]]LOG]!><time="19:09:24.100+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="5832" file="ccmcert.cpp:3775">
<![LOG[Certificate Issuer 2 [CN=AustrianAlex Windows CA]]LOG]!><time="19:09:24.100+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="5832" file="ccmcert.cpp:3775">
<![LOG[Skipping Certificate [Thumbprint 9F5CAC8D5572421BA2EEAB2BDC2AAFB8A41365FC] issued to 'TheClient' as root is 'AustrianAlex CA']LOG]!><time="19:09:24.101+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="5832" file="ccmcert.cpp:3877">
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time="19:09:24.101+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="5832" file="ccmcert.cpp:3918">
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time="19:09:24.101+420" date="10-11-2012" component="CcmMessaging" context="" type="2" thread="5832" file="ccmcert.cpp:3995">
<![LOG[Raising event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
DateTime = "20121012020924.107000+000";
HRESULT = "0x87d00215";
ProcessID = 1224;
ThreadID = 5832;
};
]LOG]!><time="19:09:24.107+420" date="10-11-2012" component="CcmMessaging" context="" type="1" thread="5832" file="event.cpp:729">
<![LOG[Post to https://MYCCMSERVER/ccm_system/request failed with 0x87d00231.]LOG]!><time="19:09:24.109+420" date="10-11-2012" component="CcmMessaging" context="" type="2" thread="5832" file="messagequeueproc_outgoing.cpp:430">

Skipping Certificate [Thumbprint 9F5CAC8D5572421BA2EEAB2BDC2AAFB8A41365FC] issued to ‘TheClient’ as root is ‘AustrianAlex CA’. Apparently, the chain issue went away and now it is ignoring the certificate entirely. Double checked and made sure that the root CA matched the issued certificate and it did. This is when I realized that since the CA certificates were already installed as Trusted Root Certificates (through Group Policy in my case) on the client machine, there might be a conflict with those I was specifying in the SCCM site settings. They were both the same Root CA, however, the SCCM client’s logic decided to…skip any certificates that matched the CA…even though they were the same? I still don’t get the behavior, but whatever, the solution turned out to be to remove the specified CA’s from the SCCM site settings:
SCCM Site Settings Client Connection

Also, I had to make sure to uninstall the client from the computer before doing an automatic push install to purge the settings (otherwise, doing another automatic push install will continue to use the specified certificates, getting the same message as above). I did this by executing the following on the client computer:

cd c:\Windows\ccmsetup
ccmsetup.exe /uninstall

ccmsetup.exe /uninstall

After that, a quick push install and the client started communicating using PKI.
Client install SCCM 2012

TL;DR:

If you have the root CA already installed on a client computer, do not specify a root CA in the SCCM console site settings, or you’re going to have a bad time.

3 Responses to “System Center Configuration Manager (SCCM) 2012: Client PKI and Subordinate CA woes”

  1. hello and greetings from tirol, this information has solved the same issue for me. many thanks, i was already going crazy :)

  2. Thanks for the information but I have found that in a PKI only environment removing the root CA from site properties prevents OSD from working correctly.

  3. Dacian Reece-Stremtan

    Thanks for your post. It helped me to enable HTTPS communication.

    Dacian

Leave a Reply