DillonMatt-1385 asked saldana-msft edited

SCCM Cert Confusion

I set up PKI Certs on my SCCM environment earlier this year. Short of some errors in the CCMMessaging.log that I was told are nothing to worry about, things went fine. I was able to follow the online guides and everything looked the way it was supposed to look. My Configuration Manager Properties show Client certificate as "PKI". Everything points to me using PKI. I have not checked in a while, but I noticed today that in the SCCM console, the Client Certificate column shows "Self-signed." Herein lies the confusion. Why was something that used to show PKI now showing "Self-signed" when I am showing PKI on my client properties?

Things to consider:
1. I added a CMG yesterday and am troubleshooting issues with that at the moment.
2. My site was updated to 2107 about 2 weeks ago.
3. I added Proxy settings this morning.

Can anyone offer any insight on why the discrepancy and/or how to remediate?


Amandayou-MSFT answered MattD-7613 commented

Hi @DillonMatt-1385

Why was something that used to show PKI now showing "Self-signed" when I am showing PKI on my client properties?

According to our description, we could check ClientLocation.log, which records tasks that are related to client site assignment and records the reason for using the PKI.



I uploaded my log file for your review....

131558-clientlocation.log


Jason-MSFT answered MattD-7613 commented

This is normal and (unfortunately) expected as of 2107. We made a change to harden certificate handling on the clients in 2107 and this unfortunately had this side-effect. We are looking to address this in a future release. For now, you can spot check clients manually or use Support Center which (from memory) will also tell which kind of cert the client is using.


Thank you for the confirmation Jason!!

I thought I was losing my mind.

Is this the same reason I wonder that I am seeing the following entries in the CCMMessaging.log:

Access check failed against user 'username'
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070005. Defaulting to state of 1472.
Access check failed against user 'username'

Jason-MSFT answered ohelge commented

That error message is unrelated to the best of my knowledge. That looks to be the result of the user not having an AAD identity, but without more context, I don't know that for sure.


That makes sense. Thanks again for the help!


Hi Jason.

Any news on this? I am running version 2111 and we are switching to PKI.
Everything seems to work fine, but in the console it still says Self-signed.

Best Regards
Olof


This is still the current behavior. As you've observed, there is no actual functionality impact with this.

If this is impacting you significantly, please file feedback in the console and include why and how not having this is impacting your business.


Thank you for the update. I will do that.

Regards
Olof
