The site server signing certificate in a native mode Configuration Manager 2007 site signs the policies that are downloaded to Configuration Manager clients so that clients know their policies come from a trusted source. Configuration Manager clients need a copy of the site server signing certificate, and they retrieve this from Active Directory or their management point. Alternatively, you can provision the client with the site server signing certificate on installation by using a CCMSetup command-line option. For more information about deploying the site server signing certificate to clients, see Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode).

Configuration Manager checks the validity of the site server signing certificate before using it, and if it detects that expiry is within 10 days, it raises status message ID 5112 with the component SMS_POLICY-PROVIDER. This status message is repeated once a day with a count of how many days remain until expiry.

If you renew or need to change the site server signing certificate that is deployed to the Configuration Manager site server, you must configure Configuration Manager to use this new certificate. Selecting a new site server signing certificate has some consequences with regard to the following situations:

Renewing the Site Server Signing Certificate or Issuing a New Certificate from the Same Root Certification Authority

If you configure the Configuration Manager site to use a new site server signing certificate that has a new key pair (a recommended best practice), all client policies are re-signed by the site server. When clients download their policies that have been signed by the new site server signing certificate, they will not immediately validate the signature because their copy of the site server signing certificate does not match the certificate that was used to sign the policies. If the new site server signing certificate chains to the same trusted root certificate as the previous site server signing certificate, Configuration Manager clients will automatically download a copy of the new site server signing certificate from either Active Directory Domain Services or the management point. They then validate their policy signed by the new site server signing certificate.

Note
Renew the site server signing certificate during a quiet period when it is acceptable that there will be an interruption to Configuration Manager site operation, together with an increase in network activity and processing on the management point or domain controllers. Re-signing a high number of policies by the site server and then the retrieval of the new certificate by clients can require a sustained period of time to complete.

Issuing a New Site Server Signing Certificate from a Different Root Certification Authority or After Renewing the Root Certificate

If you configure the Configuration Manager site to use a new site server signing certificate that chains to a different root certificate (either by using a different certification authority or by using the same certification authority but with a new root certificate that has a new key pair), clients will not accept the new site server signing certificate when they receive policies signed with the new certificate. This behavior prevents clients from accepting a new site server signing certificate from a compromised management point. In this scenario, clients will not attempt to download the new site server signing certificate and will reject the policy they have downloaded, sending an error to the management point to alert the administrator that policy authorization failed. The clients are then unmanaged, and the administrator must take remedial action.

If you have changed the root certificate and need to install a new site server signing certificate, you must first delete the copy of the current site server signing certificate that is stored in the registry on Configuration Manager clients, by running a script on clients (for example, by running a task sequence in Configuration Manager or by using Group Policy). The client copy of the site server signing certificate is stored in the following registry key for 32-bit operating systems: HKLM\SOFTWARE\Microsoft\CCM\Security. It is stored in the following registry key for 64-bit operating systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\CCM\Security.

To remove the client copy of the site server signing certificate if you change the root certificate, locate the value named AllowedRootCAHashCode (type REG_SZ) and delete the associated value data, which appears as a string of hexadecimal numbers.
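
The registry change described above could be scripted as follows. This is an added example, not a Microsoft-supplied script: it assumes Windows PowerShell 2.0 or later is available on the client and that it runs with local administrator rights, and it reports the previous value data so that the change can be audited.

```powershell
# Added example (not from the original article): clears the value data of
# AllowedRootCAHashCode under the client Security key named in the article.
# Run with -WhatIf first to see what would change without modifying the registry.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$valueName = 'AllowedRootCAHashCode'

# Both locations from the article are checked, so the same script can be
# deployed to 32-bit and 64-bit operating systems.
$securityKeys = @(
    'HKLM:\SOFTWARE\Microsoft\CCM\Security',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\CCM\Security'
)

foreach ($key in $securityKeys) {
    if (-not (Test-Path -Path $key)) {
        continue   # key does not exist on this platform
    }

    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    $previous = if ($item) { $item.$valueName } else { $null }
    $action = 'NothingToClear'

    if (-not [string]::IsNullOrEmpty($previous)) {
        if ($PSCmdlet.ShouldProcess("$key\$valueName", 'Clear value data')) {
            # Keep the REG_SZ value itself and delete only its data,
            # as the article instructs.
            Set-ItemProperty -Path $key -Name $valueName -Value ''
            $action = 'Cleared'
        }
        else {
            $action = 'WouldClear'
        }
    }

    # Emit one record per key so the deployment tool (task sequence,
    # Group Policy startup script) can capture it for auditing.
    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        Key           = $key
        PreviousValue = $previous
        Action        = $action
    }
}
```

Redirect the output to a file or central share if you need a record of which clients held which value before the change.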

Alternatives to editing the client registry are the following:

  • Uninstall the client and reinstall it.

  • Reinstall the client using a CCMSetup command-line option to provision the client with a copy of the new site server signing certificate.
