After rebuilding my workstation recently, I couldn't get it to register with the SCCM server properly. Eventually I found warnings in the SMS_MP_Control_Manager component which pointed me to the issue. The warnings read:
*MP has rejected registration request due to failure in client certificate (Subject Name: COMPUTER.DOMAIN.COM) chain validation. If this is a valid client, Configuration Manager Administrator needs to place the Root Certification Authority and Intermediate Certificate Authorities in the MP's Certificate store or configure Trusted Root Certification Authorities in primary site settings. The operating system reported error 2148204809: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.*

A couple of months ago, I renewed our root CA's certificate, as the old one expires in under 2 years. After renewing the cert, I never updated the root CA cert in the SCCM site settings. Thus, any computers that were re-imaged or otherwise issued new certs since the update have been getting rejected by SCCM.

I updated the trusted root CA in SCCM site settings yesterday, and today my workstation has registered successfully with the server, along with many others that had been affected by the same issue. However, I'm still seeing some instances of the same error in the logs, for other computers. Looking at a couple of examples, it looks like computers which have certs signed by the OLD CA certificate are now getting registration requests rejected.

As far as I can tell, I can't have both the new and old root CA certs trusted by SCCM. The dialog for choosing a cert looks like it can accept multiple root CA certificates, but when I added the new one it replaced the old cert, rather than leaving both of them trusted.

What am I doing wrong here? How can I get SCCM to talk to computers regardless of whether the certs are signed by the old or new CA cert?
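An added diagnostic example (not from the post above, and not Configuration Manager's own tooling) that builds the chain for each client-authentication certificate on a machine and reports which root it terminates in, so certs issued under the old root can be told apart from those under the new one before comparing against the roots configured in site settings. It assumes the client certificate lives in `Cert:\LocalMachine\My` and carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2).

```powershell
# Added example: report the root each client-auth cert chains to.
# Assumption: SCCM client certs are in the local machine Personal store.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $clientAuthEku
    }

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so an unreachable CRL does not hide the root-trust result
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $built = $chain.Build($cert)
    # Last element of the built chain is the root (or the highest cert found)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # UntrustedRoot here corresponds to the 2148204809 (CERT_E_UNTRUSTEDROOT) the MP logged
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        ChainValid     = $built
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        RootNotAfter   = $root.NotAfter
        ChainStatus    = if ($status) { $status } else { 'OK' }
    }
    $chain.Dispose()
}
```

Run it on a rejected client and on a working one; differing RootThumbprint values with the same RootSubject indicate the renewed root, and that is the thumbprint to match against what the site is configured to trust.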