Its Matt Posted August 20, 2015

Hi all,

I have not actively been to these forums in several years now as my responsibilities have broadened, but I come to you hat in hand seeking help!

I have a single server deployment of SCCM 2012 R2 on Windows 2012 R2. I have an enterprise PKI, and the certificates have been properly configured on the SCCM server and distributed to clients. All was well, until I had to renew the root certificate with a new key pair. The intermediate cross certification certs were created properly and were added to the domain trust GPO.

I began noticing that new clients could not register with the management point. I eventually realized that I had the old root certificate set as the trusted root CA. When I added the new root certificate here, I learned that it replaced the old one, did not add to it. This now caused the computers with certs issued by the old root certificate to be rejected.

After reading some, I learned that if I have the trusted root certificate authority set to "Not Set", Config Manager would revert to the Windows trust store. I have been running this way for a couple of weeks and I thought all was well. I was able to manage clients with both new and old certs.

This week I find out that PXE OSD is not working. When the trusted CA is not set, the SMSPXE.log shows "_SMSTSRootCACerts Not Set. This might cause client failures in native mode." The PXE client fails to get a policy, and this snippet appears in the smsts.log:

WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set

I have updated the PXE certificate on the distribution point, but to no avail. I can remedy this temporarily by setting the new root certificate as the trusted one in ConfigMgr, but this breaks communication with the clients on the old key pair.

Is there a way to have PXE work, while still managing both old and new certificate clients?
This community had been a great resource to me in the past. I'm hopeful that one of the brilliant minds here can help me again. Thanks!

zlewis1089 Posted August 8, 2016

Did you ever get anywhere with this? I'm in the exact same spot of trouble.