How to Check and Verify ConfigMgr SCCM Mixed Mode Certificate Details Endpoint Manager. We need to have proper certificates to Authenticate and Encrypt the data flow between ConfigMgr clients and Management Point (Even in Mixed mode).
Sometimes, we need to play with certificates to resolve client authentication and registration issues. The following steps would be useful to fix that kind of issue.
Latest Post – Free ConfigMgr Training Part 2 | 20 Hours Of Technical | SCCM HTMD Blog (anoopcnair.com)
How to Check and Verify ConfigMgr SCCM Mixed Mode Certificate Details Endpoint Manager
The following topics are covered in this post how to Check and Verify ConfigMgr SCCM Mixed Mode Certificate Details Endpoint Manager.
- SMS certificate Store Details (MMC)
- Export certificates
- Import Certificates
- Certificates stored folder location in windows explorer or in the file system
- Find the location and name of the private key file associated the certificates
SMS certificate Store Details (MMC)
Launch MMC (mmc.exe) and Click on File —> Add/Remove Snap-in
Select Certificates from Available Snap-ins and click on Add button
Select “Computer Account” and click NEXT
Select Local Computer and click on FINISH
Click OK on the “Add or Remove Snap-ins” window
Here are the TWO certificates, “SMS Signing Certificate” and “SMS Encryption Certificate,” used for Authentication and Encryption.
Export certificates
You need to right-click on the certificate All Tasks – Export….This will open up Certificate Export Wizard.
Select “Yes, export the private key” and click “Next.”
Select Export File Format” page, “Personal Information Exchange – PKCS #12(.PFX)” and click NEXT (Even, you can select INCLUDE and EXPORT checkboxes mentioned in the below screenshot)
Type in the password on the Password window and click NEXT
On the “File to Export” page, enter the file name you wish to store the exported certificate. Please do not give it an extension. Click NEXT
Click on FINISH
Import Certificates
Right Click on “Certificates (Local Computer)” –> “SMS” -> “Certificates” –> All Tasks –> Import
On the “Welcome to the Certificate Import Wizard” page, click “NEXT.”
Browse through and provide the path of the certificate export file you are importing, and click “NEXT.”
Enter the password that you used in the export process, check “Mark this key as exportable. This will allow you to back up or transport your keys at a later time”, and click “NEXT.”
“Place all certificates in the following store” should already be selected, and the Certificate store value should already say “SMS.” Click “NEXT”
Click FINISH
Certificates stored folder location in windows explorer or in the file system
Windows 2008 R2 servers – “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys”
Windows 7 workstations – “C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys”
Note – Both SMS certificates are stored in the 19cf* Machine Key files.
Find the location and name of the private key file associated with the certificates
FindPrivateKey.exe tool can be used to find out those details.
Syntax and examples of FindPrivateKey.exe in the following MSDN link.
Download FindPrivateKey.exe HERE
Author
AnoopisMicrosoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
