question

0 Votes
DucheminDominique-7551 asked Amandayou-MSFT commented

Client Authentication not renewed

Hello,

How do you trace/report on an expired "Client Authentication" certificate for the SCCM Agent?
130820-2021-09-09-15-50-42-memcm-client-certificate-date.png

How does the certificate change from PKI to Self-Signed? When expired?
130911-2021-09-09-16-08-24-client-cetificate-pki-or-self.png

So far the self-signed certificates are expired...
I do a New Certificate request and restart the SMS Agent Host service, and the PKI pops up.

I then delete the old certificate

Any recommendations?

Thanks,
Dom


mem-cm-general

1 Vote
Amandayou-MSFT answered

Hi @DucheminDominique-7551

We may navigate to the CA to check for the expired SCCM Agent certificate, instead of using an SCCM report.

Here is the screenshot we could refer to:

131127-9101.png



If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




0 Votes
DucheminDominique-7551 answered Amandayou-MSFT commented

Hello,

Could we get a report from AD?

Thanks,
Dom


Hi,

We may not get a built-in report from AD. If possible, it requires a custom report to get the report we want from AD.

Here is an article about creating a custom report; please refer to it:
https://systemcenterdudes.com/sccm-report-creation-report-builder/
Note: Non-Microsoft link, just for the reference.

Best regards,
Amanda

1 Vote 1 ·

Hello,

The report https://blog.thomasmarcussen.com/using-sccm-ci-baseline-to-check-for-expiring-user-certificates/ is pointing to user certificates, and it is noted in bold "Again, the key thing here is to be sure that you deploy this CB to users and not to your systems!".

So should I change the deployment from Users to Computers as well as the path from "get-childitem -path cert:\currentuser..." in the script to "get-childitem -path cert:\LocalMachine"?

Set-Location Cert:\LocalMachine\My
Get-ChildItem -path cert:\LocalMachine\My

-ExpiringInDays failed for now; checking why.
PS C:\Windows\system32> Get-ChildItem -ExpiringInDays 30 -recurse
Get-ChildItem : A parameter cannot be found that matches parameter name 'ExpiringInDays'.
At line:1 char:16
+ Get-ChildItem -ExpiringInDays 30 -recurse
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

I will try
get-childitem -path Cert:\LocalMachine\My -recurse | where { $_.notafter -le (get-date).AddDays(624)}

Thanks,
Dom

0 Votes 0 ·
Amandayou-MSFT DucheminDominique-7551 ·

Hi,

Thanks for your update.

We could try this method. This article is not from Microsoft, so it is recommended that we use a custom script to achieve this target.

Thanks for your understanding.

Best regards,
Amanda

1 Vote 1 ·
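
An added example (not code from the thread or the linked articles) of the kind of custom script discussed above: it lists Client Authentication certificates in the computer store that are expired or about to expire, and marks self-signed ones. The function name `Get-ClientAuthCertStatus` and its parameters are hypothetical; note that `-ExpiringInDays` is a dynamic parameter of the Certificate provider, so `Get-ChildItem` accepts it only for a path on the `Cert:` drive, which the failing call run from `C:\Windows\system32` was not.

```powershell
# Added example: report Client Authentication certificates in the computer
# store that are expired or expire within -Days days.
# Get-ClientAuthCertStatus is a hypothetical name, not a built-in cmdlet.
function Get-ClientAuthCertStatus {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',  # computer store, as in the thread
        [int]$Days = 30
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now    = Get-Date
    $cutoff = $now.AddDays($Days)

    # Passing -Path on the Cert: drive selects the Certificate provider.
    # The provider-only shortcut would be:
    #   Get-ChildItem -Path Cert:\LocalMachine\My -ExpiringInDays 30
    Get-ChildItem -Path $StorePath |
        Where-Object {
            # EnhancedKeyUsageList is added by the Certificate provider
            # (PowerShell 3.0+). Certificates with no EKU extension at all
            # are skipped by this filter.
            ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) -and
            ($_.NotAfter -le $cutoff)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                # Subject equal to Issuer indicates a self-signed certificate
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
                Status     = if ($_.NotAfter -lt $now) { 'Expired' } else { 'Expiring' }
                Thumbprint = $_.Thumbprint
            }
        }
}

# Interactive use: table of affected certificates, soonest expiry first.
Get-ClientAuthCertStatus -Days 30 | Sort-Object NotAfter | Format-Table -AutoSize

# For a compliance check that needs a single value, count the results instead:
#   @(Get-ClientAuthCertStatus -Days 30).Count    # 0 means nothing to renew
```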