How to Check and Verify ConfigMgr SCCM Mixed Mode Certificate Details

We need proper certificates to authenticate and encrypt the data flow between ConfigMgr clients and the Management Point (even in mixed mode). Sometimes we need to work with these certificates to resolve client authentication and registration issues. The following steps are useful for resolving those kinds of issues.

Check and Verify ConfigMgr SCCM Mixed Mode Certificate Details

The following topics are covered in this post.

  • SMS certificate Store Details (MMC)
  • Export certificates
  • Import Certificates
  • Folder location of the stored certificates in Windows Explorer (the file system)
  • Find the location and name of the private key file associated with the certificates

SMS certificate Store Details (MMC)

Launch MMC (mmc.exe) and click File -> Add/Remove Snap-in

Select Certificates from Available Snap-ins and click the Add button

Select “Computer Account” and click NEXT

Select Local Computer and click FINISH

Click OK on the “Add or Remove Snap-ins” window

Here are the TWO certificates, “SMS Signing Certificate” and “SMS Encryption Certificate”, which are used for authentication and encryption.
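Before exporting anything it helps to confirm what the SMS store actually contains and whether the two certificates are usable. The following is an added PowerShell example, not code from the original post; it assumes the store the snap-in shows as “SMS” under “Certificates (Local Computer)” is reachable as Cert:\LocalMachine\SMS, and that it runs in an elevated session on a ConfigMgr client or Management Point.

```powershell
# Added example, not code from the original post. Enumerates the SMS certificate
# store on the local computer and reports what the MMC snap-in shows, plus the
# checks that matter for client authentication: a private key is present and
# the certificate has not expired.
# Assumption: Cert:\LocalMachine\SMS is the store the snap-in labels "SMS".

function Get-SmsCertificateStatus {
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\SMS -ErrorAction Stop)

    if ($certs.Count -ne 2) {
        Write-Warning "Expected 2 certificates in the SMS store (signing and encryption), found $($certs.Count)."
    }

    foreach ($cert in $certs) {
        # Key usage tells the signing certificate apart from the encryption one.
        $keyUsage = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            ForEach-Object { $_.KeyUsages }

        if (-not $cert.HasPrivateKey) {
            Write-Warning "$($cert.Subject) ($($cert.Thumbprint)) has no private key; the client cannot sign or decrypt with it."
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            FriendlyName  = $cert.FriendlyName
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            HasPrivateKey = $cert.HasPrivateKey
            KeyUsage      = $keyUsage
        }
    }
}

Get-SmsCertificateStatus | Format-Table -AutoSize
```

A certificate that shows HasPrivateKey as False, or Expired as True, is the usual reason a client stops authenticating to the Management Point, so these two columns are the ones to read first.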

Export certificates

Right-click the certificate and select All Tasks -> Export.... This opens the Certificate Export Wizard.

Select “Yes, export the private key” and click “Next”

On the “Export File Format” page, select “Personal Information Exchange – PKCS #12 (.PFX)” and click NEXT (you can also select the INCLUDE and EXPORT check boxes shown in the screenshot).

Type the password on the Password page and click NEXT

On the “File to Export” page, enter the file name in which you wish to store the exported certificate. Do not give it an extension. Click NEXT

Click FINISH

Import Certificates

Right-click “Certificates (Local Computer)” -> “SMS” -> “Certificates” -> All Tasks -> Import

On the “Welcome to the Certificate Import Wizard” page, click “NEXT”

Browse to the certificate export file you are importing, provide its path, and click “NEXT”

Enter the password that you used in the export process, check “Mark this key as exportable. This will allow you to back up or transport your keys at a later time”, and click “NEXT”

“Place all certificates in the following store” should already be selected and the Certificate store value should already say “SMS”. Click “NEXT”

Click FINISH
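The export and import wizards above can also be scripted, which is handy when the same two certificates have to be backed up from several clients. The following is an added PowerShell example, not code from the original post; it uses the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate, which exist on Windows 8 / Server 2012 and later (on the Windows 7 / Server 2008 R2 systems the post mentions, the wizard remains the option). The backup folder is a constructed placeholder, and both the source and target store are assumed to be Cert:\LocalMachine\SMS. Because the cmdlet writes exactly the path it is given, the example names the file with a .pfx extension itself rather than relying on the wizard to add one.

```powershell
# Added example, not code from the original post. Performs the same export and
# import the MMC wizards do, using the PKI module cmdlets (Windows 8 / Server 2012
# and later). Assumptions: the backup folder path is a placeholder, and the
# source and target store are both Cert:\LocalMachine\SMS.

function Export-SmsCertificates {
    param(
        [Parameter(Mandatory)] [string] $Destination,
        [Parameter(Mandatory)] [securestring] $Password
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\SMS) {
        if (-not $cert.HasPrivateKey) {
            Write-Warning "Skipping $($cert.Subject): no private key to export."
            continue
        }
        # Equivalent of "Yes, export the private key" with the
        # "Personal Information Exchange - PKCS #12 (.PFX)" format.
        $pfxPath = Join-Path $Destination "SMS-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $Password | Out-Null

        # The PFX now carries a private key: drop inherited ACLs and limit the
        # file to Administrators and SYSTEM.
        icacls $pfxPath /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
        $pfxPath
    }
}

function Import-SmsCertificates {
    param(
        [Parameter(Mandatory)] [string[]] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    foreach ($path in $PfxPath) {
        # -Exportable is the wizard's "Mark this key as exportable" check box;
        # the store location is the "SMS" value the wizard pre-fills.
        Import-PfxCertificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\SMS `
            -Password $Password -Exportable
    }
}

# Usage. The password is prompted for rather than written into the script,
# since it protects a private key. The destination path is a constructed placeholder.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$files = Export-SmsCertificates -Destination 'C:\Temp\SMSCertBackup' -Password $pfxPassword
# On the target machine, with the same password:
# Import-SmsCertificates -PfxPath $files -Password $pfxPassword
```

Export-PfxCertificate fails if the key was originally imported without the exportable flag, which is exactly why the import step above keeps -Exportable, matching the wizard's check box.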

Folder location of the stored certificates in Windows Explorer (the file system)

Windows 2008 R2 servers – “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”

Windows 7 workstations – “C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys”

Note – Both SMS certificates are stored in the 19cf* Machine Key files.

Find the location and name of the private key file associated with the certificates

The FindPrivateKey.exe tool can be used to find these details.

The syntax and examples for FindPrivateKey.exe are in the following MSDN link.

Download FindPrivateKey.exe HERE
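The same mapping from certificate to key file can be done without the separate tool. The following is an added PowerShell example, not code from the original post and not FindPrivateKey.exe itself; it reads the unique key container name from each SMS certificate's private key and looks for a file of that name under the MachineKeys folder the post names (legacy CSP keys) and, as an assumption, under ProgramData\Microsoft\Crypto\Keys for keys created by CNG. It also lists the ACL on the key file, which is worth checking since anyone who can read that file holds the client's private key. Run in an elevated session.

```powershell
# Added example, not code from the original post. Resolves each SMS certificate
# to its private key file on disk (what FindPrivateKey.exe reports) and shows who
# has access to that file. Assumptions: legacy CSP keys live under
# ProgramData\Microsoft\Crypto\RSA\MachineKeys (the folder the post names) and
# CNG keys under ProgramData\Microsoft\Crypto\Keys; both roots are searched.

function Find-SmsPrivateKeyFile {
    $roots = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
    ) | Where-Object { Test-Path $_ }

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\SMS) {
        if (-not $cert.HasPrivateKey) {
            Write-Warning "$($cert.Subject): no private key."
            continue
        }

        # GetRSAPrivateKey returns an RSACryptoServiceProvider for CSP keys and
        # an RSACng for CNG keys; each exposes the on-disk container name differently.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $unique = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.UniqueName
        }
        if (-not $unique) {
            Write-Warning "$($cert.Subject): could not read the key container name."
            continue
        }

        # The unique container name is the file name the key provider uses on disk.
        $file = $roots |
            ForEach-Object { Get-ChildItem -Path $_ -Filter $unique -File -Recurse -ErrorAction SilentlyContinue } |
            Select-Object -First 1

        $access = $null
        if ($file) {
            # Only SYSTEM and Administrators should appear here for a machine key.
            $acl = Get-Acl -Path $file.FullName
            $access = ($acl.Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            KeyFileName = $unique          # the post observes these start with 19cf
            KeyFile     = if ($file) { $file.FullName } else { '(not found under searched roots)' }
            Access      = $access
        }
    }
}

Find-SmsPrivateKeyFile | Format-List
```

If the Access column shows principals beyond SYSTEM and Administrators, the key file's ACL has been widened and the certificate should be treated as exposed and regenerated.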

Ref : Forum Discussion

2 COMMENTS

  1. Thx for your thread. There is no information on the internet concerning SCCM self-signed certificates implementation.

    But the most important question is… How to check the cert is used, data is encrypted. Which log file to check?

    If you have information regarding this…

    Thx in advance.

    Luc
