Servers that are running the Configuration Manager Policy Module with the Network Device Enrollment Service role service use a client certificate to authenticate the Policy Module to the certificate registration point site system server in System Center 2012 Configuration Manager. Typically, a client authentication certificate is valid for one year. Before the certificate expires, renew it, update the registry for the new certificate, and then restart the web server that runs the Network Device Enrollment Service.
 Note |
|---|
| If the certificate has already expired, “ERROR("Failed to send http request <thumbprint>. Error 12037", appears in the NDESPlugin.log file on the server that runs the Network Device Enrollment Service. In the error message, <thumbprint> is replaced with the certificate thumbprint of the expired certificate. |
To renew the certificate:
- If you manually requested this client
certificate, manually request a new certificate. If you need help
deploying this certificate, you can use the instructions for
Deploying the Client Certificate for Distribution Points in the
Step-by-Step
Example Deployment of the PKI Certificates for Configuration
Manager: Windows Server 2008 Certification Authority topic,
with one exception: Do not select the Allow private key to be
exported check box on the Request Handling tab of the
certificate template properties.
- If you automatically deployed this client
certificate by using Group Policy enrollment, the default
configuration is to automatically request a new certificate before
the original certificate expires.
After the new certificate is deployed on the server that runs the Network Device Enrollment Service and the Configuration Manager Policy Module, use the following procedure to configure the server to use the new certificate.
To configure the Policy Module to
use the new client certificate
-
On the server that runs the Network Device Enrollment Service and the Configuration Manager Policy Module, open the registry editor and replace the old certificate thumbprint with the new certificate thumbprint by using the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint.
TipTo identify the thumbprint for the new certificate, locate the certificate in the Computer store by using the Certificates snap-in. Then, right-click the certificate, click Properties, click View Certificate, click the Details tab, and then scroll and select Thumbprint. You will then see and be able to copy the string of hexadecimal characters that is the certificate thumbprint for this certificate. -
Restart the services for the web server by using one of the following methods:
- From Internet Information Services (IIS) Manager: Browse to the
web server node in the tree. In the Actions pane, click
Restart.
- From the command line: Type iisreset /restart and press
Enter.
For more information, see Start or Stop the Web Server (IIS 8) in the Windows Server library on TechNet.
- From Internet Information Services (IIS) Manager: Browse to the
web server node in the tree. In the Actions pane, click
Restart.
You can confirm that the Policy Module is using the new certificate by checking for the following entry in the NDESPlugin.log file on the server that runs the Network Device Enrollment Service: INFO("NDES thumbprint is <thumbprint>.", wszBuffer);