BlankIT asked

SCCM Client Push selecting wrong certificate

Hello. I had one primary site server running 1903 set up using site code "S01". I have just migrated the data from the 1903 site on 2012 R2 to a 2103 site "S02" on a 2019 server. Also, I have upgraded the certificate server from SHA1 to SHA2 recently. After completing the migration and setup, we did a client push to three domains. Two of them, which are in the same forest, completed the client push successfully, but the remaining domain, which is in a different forest with a forest trust, is still using the SHA1 certificate to do the client push and is thus unable to install the client on the member machines in that domain. After deleting the SHA1 certificate on the targeted machine, the client push was successful, but it failed again after adding the SHA1 certificate back. We are not able to delete the SHA1 certificate just yet, so I'd like to ask how I can force the SCCM client to use the SHA2 certificate for client push and make the client push work. Thanks.

mem-cm-general

1 Answer

HanyunZhu-MSFT answered

@BlankIT

Thanks for posting in Microsoft Q&A forum.

The certificate selection will follow the criteria specified on the site settings.

We may be able to configure the "Client certificate selection criteria when more than one certificate is available" in the site setting to manage the certificate selection.

We can go through this path: CM console > Administration > Site Configuration > Sites > right-click the site and choose Properties > select Communication Security tab.
And then, modify the Client certificate selection Settings.
For example, as shown in the image below, we are able to set that the subject of the selected certificate must contain a string unique to SHA2.
[Image: 97676-cert.png]

Hope the above information is helpful to you.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
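
To see which certificates on an affected machine a subject-string criterion like the one in this answer would match, the computer's Personal store can be inventoried with signature algorithm and subject side by side. This is an added example, not part of the original answer or of Configuration Manager; it assumes the default Personal store, `$SubjectFilter` is a placeholder value, and the case-insensitive substring comparison is an assumption about how the match is made.

```powershell
# Added example: inventory Cert:\LocalMachine\My for client-auth certificates.
# $SubjectFilter is a placeholder; replace it with the string entered in the site setting.
param(
    [string]$SubjectFilter = '<string-unique-to-SHA2-cert>'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Read the EKU extension directly from the certificate, if it has one
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    [pscustomobject]@{
        Subject       = $cert.Subject
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        NotAfter      = $cert.NotAfter
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        ClientAuth    = $ekuOids -contains $clientAuthOid
        HasPrivateKey = $cert.HasPrivateKey
        # Assumption: substring match, ignoring case
        SubjectMatch  = $cert.Subject.IndexOf($SubjectFilter,
                            [StringComparison]::OrdinalIgnoreCase) -ge 0
        Thumbprint    = $cert.Thumbprint
    }
}

$report | Sort-Object NotAfter -Descending |
    Format-Table Subject, SignatureAlg, NotAfter, ClientAuth, SubjectMatch -AutoSize

# Certificates that are usable for client authentication AND match the filter
$candidates = @($report | Where-Object {
    $_.ClientAuth -and $_.InValidity -and $_.HasPrivateKey -and $_.SubjectMatch
})
"{0} certificate(s) match the subject filter '{1}'" -f $candidates.Count, $SubjectFilter

# A SHA1-signed certificate in this list means the filter string is not unique to SHA2
$candidates | Where-Object { $_.SignatureAlg -match 'sha1' } | ForEach-Object {
    Write-Warning "SHA1-signed certificate still matches the filter: $($_.Thumbprint)"
}
```

If both the SHA1 and SHA2 certificates appear as candidates, the filter string is not unique to the SHA2 certificate's subject and a different string is needed.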




@BlankIT , Hope things are going well. I am writing to see if there's any update on our issue. If yes, feel free to let us know.


I tried to modify the Client certificate selection Settings, but it still uses SHA1 certificates.
