Renew an Expired SCCM CMG Server Certificate

Benoit LecoursSCCMLeave a Comment

5
(2)

The SCCM Cloud Management Gateway was one of the most installed system roles in the past months due to the COVID pandemic. Many organizations wanted to continue managing SCCM clients over the internet during this massive work from the home period. We’ve set up a lot of CMG and now we are getting more and more demand to replace an expired Server Certificate. In this post we’ll show you how to monitor an expired certificate and mostly shows you how to replace your server certificate with a valid one on your SCCM CMG Server.

How to detect an Expired SCCM CMG Server Certificate

The server certificate should be provided from a public provider (DigiCert, GoDaddy…), or from an internal public key infrastructure (PKI).

In an ideal world, you should replace the certificate before it expires. If the certificate is forgotten and not replaced before it expires, SCCM will keep working but the clients that are internet managed through the CMG will loose their connection.

On an internet client, you can see that the connection is broken by looking at the CcmMessaging.log file located in C:\Windows\CCM\Logs directory.

You see an error : WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID. This should ring a bell CERT_DATE_INVALID.

SCCM CMG Renew Certificate

Following Microsoft documentation :

WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALIDSSL certificate date that was received from the server is bad. The certificate is expired.

On the server side, you’ll see error in the CloudMgr.log located in your SCCM Installation Directory \ Logs

ERROR : Management Certificate for service YOURCMGNAME is in expired state. Expiry date-time XXXX

ERROR : Service Certificate is Expired for service YOURCMGNAME

Good, we know that our CMG Server Certificate is expired. So how do we renew the CMG server certificate in the SCCM Console ? Keep reading.

SCCM CMG Renew Certificate

It’s quite easy to renew the certificate in the SCCM console but we’ve seen some cases where extra steps were required in the Azure portal. Let see the simple and easy way :

  • Ensure that you have your new and valid server certificate (pfx file ) on the SCCM Server
  • In the SCCM Console
  • Go to Administration / Cloud Services / Cloud Management Gateway
  • Right-click your CMG and go to Properties
SCCM CMG Renew Certificate
  • Go to the Setting tab and click Browse
  • Select your new and valid .pfx file and click Apply
SCCM CMG Renew Certificate
  • Right-click your SCCM CMG again and select Synchronize Configuration
SCCM CMG Renew Certificate
  • Open the CloudMgr.log and validate that there’s no error.
  • In the SCCM Console, if everything goes well, you’ll see that your CMG is Ready and Configuration Update Completed
SCCM CMG Renew Certificate
  • On your affected client, you’ll need to update the client policy while on the internal network before it can communicate back without error. This is because the client needs to receive at least once the new certificate before going out on the external (internet) network and be trusted by the Cloud Management Gateway.

At this point, if you are lucky enough and everything is fine, the next section is not for you. You can stop reading here.

What if it goes wrong

We’ve seen some cases where doing the above was not enough to renew the SCCM CMG server certificate. After applying the above, the CMG was still in an Error state.

In the CloudMgr.log file, we saw the following error.

ERROR: TaskManager: Task [UpdateServiceConfigurationTask: Service YOURCMG] has failed. Exception Hyak.Common.CloudException, ChangeDeploymentConfigurationOperationFailed: The Change Deployment Configuration operation failed for the domain ‘YOURCMG’ in the deployment slot ‘Production’ with the name ‘YOURCMG-deployment’: ‘The certificate with thumbprint 2e6acfdxxxxxx22a49xxxxxxxfdd0804 was not found.’..

SCCM CMG Renew Certificate

The certificate with thumbprint was not found… interesting.

So I decided to launch the Azure portal to see the certificate there :

  • Select your Deployment name on the left (1)
  • Select the Certificate node
  • In our screenshot, you can see the Expired cert and the one we try to import is not there
  • Let’s try and import our server certificate manually
  • Still in Certificate (1), at the top, click Upload (2) and enter the secret key on the right (3)
  • Wait for success confirmation
  • Right-click your SCCM CMG again and select Synchronize Configuration
SCCM CMG Renew Certificate
  • Open the CloudMgr.log and validate that there’s no error.
  • In the SCCM Console, you’ll see that your CMG is Ready and Configuration Update Completed
SCCM CMG Renew Certificate
  • On your affected client, you’ll need to update the client policy while on the internal network before it can communicate back without error. This is because the client needs to receive at least once the new certificate before going out on the external (internet) network and be trusted by the Cloud Management Gateway.

We hope this post was useful, please leave your comment or question below.

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.

Leave a Reply