SCCM I AM


Sunday, February 15, 2015

Document Signing Certificate in SCCM PKI Infrastructure

In SCCM 2007/2012 Native Mode (which uses a PKI infrastructure), the Document Signing Certificate plays a major role: a site running in Native Mode must have this certificate.

The site server signing certificate signs the policies that clients download from their management point, so that clients know the policies originate from their assigned site. This certificate is not required on secondary site servers. Clients must have a copy of this certificate before they can accept policies signed with it.

Screenshot of Document Signing Certificate (highlighted) at server side:

[screenshot]

Screenshot of Document Signing Certificate configuration at server side:

[screenshot]

Screenshot of Document Signing Certificate public key (highlighted) at client side:

[screenshot]

The public key of the Document Signing Certificate can be located in the client's registry, under HKLM\SOFTWARE\MICROSOFT\CCM\SECURITY.



We can deploy the Document Signing Certificate to clients in three different ways:

1) Automatically from Active Directory
2) Manually during client installation
3) From the management point

If there is any problem in the configuration or deployment of the DocSign certificate, you may get the error below on the server side. Check the component SMS_POLICY_PROVIDER, which reports that the component has failed to sign policy because of a problem with the Document Signing certificate.


On the client side, you may see the error lines below in 'LocationServices.log' (%windir%\system32\ccm\logs):

'Rejected the new site signing certificate'
'Failed to update Site Signing Certificate over AD with error 0x800b0109'
'Failed to update signing certificate over http with error code 0x800b0109'

If you get issues like those above, check the Document Signing Certificate on the server side and make sure the client gets a copy of the certificate, either from AD (the client tries this first) or from the management point (second try). Until you rectify the issue, you cannot see all the required tabs in the SCCM client applet in Control Panel on the client computer.
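As an added client-side check (my own example, not part of the original post), the script below lists the values under the CCM\Security registry key named above and scans LocationServices.log for the three error lines quoted earlier, decoding any HRESULT it finds (0x800b0109 is CERT_E_UNTRUSTEDROOT, i.e. the signing certificate chains to a root the client does not trust). It assumes the SCCM 2007 client log path from this post; the value names under the registry key are enumerated rather than assumed.

```powershell
# Added example, not from the original post. Assumes the 2007 client log path used above.
$logPath = Join-Path $env:windir 'system32\ccm\logs\LocationServices.log'
$regKey  = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'

# Error strings quoted in the post
$patterns = @(
    'Rejected the new site signing certificate',
    'Failed to update Site Signing Certificate over AD',
    'Failed to update signing certificate over http'
)

function Get-HResultText([uint32]$Code) {
    # GetExceptionForHR wants a signed Int32, so reinterpret codes >= 0x80000000
    $signed = if ($Code -gt 0x7FFFFFFF) { [int]([int64]$Code - 0x100000000) } else { [int]$Code }
    return [Runtime.InteropServices.Marshal]::GetExceptionForHR($signed).Message
}

# 1. Does the client hold a copy of the site signing certificate's public key?
if (Test-Path $regKey) {
    Write-Host "Values under $regKey :"
    (Get-ItemProperty -Path $regKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $shown = if ($_.Value -is [byte[]]) { "<binary, $($_.Value.Length) bytes>" } else { $_.Value }
            '  {0,-40} {1}' -f $_.Name, $shown
        }
} else {
    Write-Warning "Registry key $regKey not found; is the SCCM client installed?"
}

# 2. Scan LocationServices.log for the signing certificate failures listed in the post
if (Test-Path $logPath) {
    $hits = Select-String -Path $logPath -Pattern $patterns -SimpleMatch
    if (-not $hits) { Write-Host "No site signing certificate errors found in $logPath" }
    foreach ($h in $hits) {
        Write-Host $h.Line
        # Decode the HRESULT if the line carries one, e.g. 0x800b0109
        if ($h.Line -match '0x([0-9a-fA-F]{8})') {
            $code = [Convert]::ToUInt32($Matches[1], 16)
            Write-Host ('    0x{0:X8}: {1}' -f $code, (Get-HResultText $code))
        }
    }
} else {
    Write-Warning "Log file $logPath not found"
}
```

Run it in an elevated PowerShell on the affected client; an untrusted-root message against the log lines points at the client missing the site signing certificate (or the CA chain that issued it), which is what the AD and management point deployment paths above are meant to supply.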

If everything is OK, you will see the message below on the server side and all tabs will be present on the client side.



For details of Document Signing certificate configuration and deployment, please refer to the TechNet articles below on the Microsoft site.

For SCCM 2007 PKI infrastructure on Windows Server 2008: https://technet.microsoft.com/en-in/library/cc872789.aspx
For SCCM 2012 PKI infrastructure on Windows Server 2008/2012: https://technet.microsoft.com/en-us/library/gg682023.aspx

Note: All of the above screenshots are taken from a lab setup created at my home.
