How to Configure the Policy Module to Use a New Client Certificate in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
Servers that are running the Configuration Manager Policy Module with the Network Device Enrollment Service role service use a client certificate to authenticate the Policy Module to the certificate registration point site system server in System Center 2012 Configuration Manager. Typically, a client authentication certificate is valid for one year. Before the certificate expires, renew it, update the registry for the new certificate, and then restart the web server that runs the Network Device Enrollment Service.
If the certificate has already expired, an entry that begins with ERROR("Failed to send http request <thumbprint>. Error 12037" appears in the NDESPlugin.log file on the server that runs the Network Device Enrollment Service. In the error message, <thumbprint> is replaced with the certificate thumbprint of the expired certificate.
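The following PowerShell script is an added example and is not part of the original article or of Configuration Manager itself. It reads the thumbprint the Policy Module is configured with, reports how long that certificate remains valid so that the renewal can be scheduled before the expiry failure above occurs, and parses NDESPlugin.log lines for the "Error 12037" message. The registry path and value name are the ones this article gives; the log file location, the 30-day warning threshold, and the assumption that the registry value holds the bare hexadecimal thumbprint are the script's own. The sample log lines at the end are constructed so that the parser can be exercised offline.

```powershell
# Added example, not from the original article: pre-expiry check for the Policy
# Module client certificate plus a scan of NDESPlugin.log for "Error 12037".
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
$ValueName = 'NDESCertThumbprint'

function Get-NdesPolicyCertificateStatus {
    param([int]$WarnDays = 30)   # warn this many days before expiry (arbitrary default)
    # Thumbprint currently configured for the Policy Module
    $thumb = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction Stop).$ValueName
    # Assumption: the value holds the hex string only; strip whitespace defensively
    $thumb = ($thumb -replace '\s', '').ToUpperInvariant()
    # The article places the certificate in the Computer store (LocalMachine\My)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $thumb; Found = $false; NotAfter = $null
                                  DaysLeft = $null; Expired = $null; RenewSoon = $null }
    }
    $daysLeft = [int]([math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays))
    [pscustomobject]@{
        Thumbprint = $thumb
        Found      = $true
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Expired    = ($daysLeft -lt 0)
        RenewSoon  = ($daysLeft -le $WarnDays)
    }
}

function Find-NdesSendFailures {
    param([string[]]$LogLines)
    # Matches the article's "Failed to send http request <thumbprint>. Error 12037" message
    foreach ($line in $LogLines) {
        if ($line -match 'Failed to send http request ([0-9A-Fa-f]+)\. Error (\d+)') {
            [pscustomobject]@{
                Thumbprint = $Matches[1].ToUpperInvariant()
                ErrorCode  = [int]$Matches[2]
                Line       = $line
            }
        }
    }
}

# Constructed sample lines (not real log output) so the parser can be tried offline
$sampleLog = @(
    'INFO("NDES thumbprint is 0123456789ABCDEF0123456789ABCDEF01234567.", wszBuffer);',
    'ERROR("Failed to send http request 0123456789ABCDEF0123456789ABCDEF01234567. Error 12037", wszBuffer);'
)
Find-NdesSendFailures -LogLines $sampleLog | Format-Table -AutoSize

# On the NDES server itself (elevated session):
Get-NdesPolicyCertificateStatus -WarnDays 30
# Log path below is an assumption; supply the real NDESPlugin.log location
# Find-NdesSendFailures -LogLines (Get-Content -Path 'C:\path\to\NDESPlugin.log')
```

Run the status check from a scheduled task or monitoring agent on the NDES server; a result with Found set to false means the configured thumbprint no longer matches any certificate in the Computer store, which is worth investigating even before the expiry date.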
To renew the certificate:
If you manually requested this client certificate, manually request a new certificate. If you need help deploying this certificate, you can use the instructions for Deploying the Client Certificate for Distribution Points in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic, with one exception: Do not select the Allow private key to be exported check box on the Request Handling tab of the certificate template properties.
If you automatically deployed this client certificate by using Group Policy enrollment, the default configuration is to automatically request a new certificate before the original certificate expires.
After the new certificate is deployed on the server that runs the Network Device Enrollment Service and the Configuration Manager Policy Module, use the following procedure to configure the server to use the new certificate.
To configure the Policy Module to use the new client certificate
On the server that runs the Network Device Enrollment Service and the Configuration Manager Policy Module, open Registry Editor and replace the old certificate thumbprint with the new certificate thumbprint in the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint.
To identify the thumbprint for the new certificate, locate the certificate in the Computer store by using the Certificates snap-in. Then, right-click the certificate, click Properties, click View Certificate, click the Details tab, and then scroll to and select Thumbprint. The string of hexadecimal characters that is displayed is the certificate thumbprint for this certificate, and you can copy it from there.
Restart the services for the web server by using one of the following methods:
From Internet Information Services (IIS) Manager: Browse to the web server node in the tree. In the Actions pane, click Restart.
From the command line: Type iisreset /restart and press Enter.
For more information, see Start or Stop the Web Server (IIS 8) in the Windows Server library on TechNet.
You can confirm that the Policy Module is using the new certificate by checking for the following entry in the NDESPlugin.log file on the server that runs the Network Device Enrollment Service: INFO("NDES thumbprint is <thumbprint>.", wszBuffer);
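The procedure above (select the new certificate, update NDESCertThumbprint, restart the web server, confirm the entry in NDESPlugin.log) is shown here as one added PowerShell script. It is an example written for this page, not code from the article or from Configuration Manager. The registry path, value name, iisreset /restart command and the "NDES thumbprint is" log entry come from the article; the rule for choosing the certificate (newest certificate in the Computer store that has a private key, is not expired, and carries the Client Authentication EKU 1.3.6.1.5.5.7.3.2), the names of the functions, and the log file path are the script's own assumptions. Pass -Thumbprint to pin a specific certificate instead of relying on that selection rule.

```powershell
# Added example, not from the original article: point the Policy Module at the new
# client certificate, restart IIS, and confirm the change in NDESPlugin.log.
$RegPath       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
$ValueName     = 'NDESCertThumbprint'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

function Get-NewestClientAuthCertificate {
    # Selection rule (assumption): Computer store, private key present, not expired,
    # Client Authentication EKU; the certificate with the latest NotAfter wins.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-ClientAuthEku $_) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Update-NdesPolicyCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Thumbprint)   # optional: pin a thumbprint instead of auto-selecting
    if (-not $Thumbprint) {
        $cert = Get-NewestClientAuthCertificate
        if (-not $cert) { throw 'No valid client authentication certificate with a private key found in LocalMachine\My.' }
        $Thumbprint = $cert.Thumbprint
    }
    # Thumbprints copied from the snap-in may contain spaces; the value is stored as bare hex (assumption)
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -and $current.ToUpperInvariant() -eq $Thumbprint) {
        Write-Host "Policy Module already uses $Thumbprint; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess("$RegPath\$ValueName", "Replace '$current' with '$Thumbprint'")) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Thumbprint
        iisreset /restart | Out-Null      # the restart the article requires
    }
}

function Confirm-NdesPolicyCertificate {
    param([string[]]$LogLines, [string]$ExpectedThumbprint)
    # The article's confirmation entry: INFO("NDES thumbprint is <thumbprint>.", wszBuffer);
    $seen = foreach ($line in $LogLines) {
        if ($line -match 'NDES thumbprint is ([0-9A-Fa-f]+)') { $Matches[1].ToUpperInvariant() }
    }
    $last = $seen | Select-Object -Last 1   # the entry written after the restart is the one that counts
    [pscustomobject]@{
        Expected = $ExpectedThumbprint.ToUpperInvariant()
        Logged   = $last
        Match    = ($last -eq $ExpectedThumbprint.ToUpperInvariant())
    }
}

# Usage on the NDES server (elevated session): dry run first, then apply
Update-NdesPolicyCertificate -WhatIf
Update-NdesPolicyCertificate

# Verify against the log; the path is an assumption, supply the real NDESPlugin.log location
$configured = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
Confirm-NdesPolicyCertificate -LogLines (Get-Content -Path 'C:\path\to\NDESPlugin.log') -ExpectedThumbprint $configured
```

The -WhatIf dry run prints the old and new thumbprints without touching the registry or restarting IIS, which is the moment to check that the selected certificate is the one you renewed and not some other client certificate that happens to be in the Computer store. If Confirm-NdesPolicyCertificate reports Match set to false after the restart, the log has not yet been written or the registry value was not picked up, and the value should be re-checked against the thumbprint shown in the Certificates snap-in.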