We have ConfigMgr 2012 R2 SP1 deployed with over 200 distribution points and around 45,000 clients. The environment is configured for HTTPS or HTTP, and a Root CA is specified in the site settings (clients use a PKI certificate when available).
Our Offline Root CA was recently migrated from Server 2008 R2 to 2012 R2.
Our client certificates have the following path:
- OFFCA01 (offline CA)
- CS01 (Issuing CA)
- Client Certificate
Our offline CA cert is imported into SCCM for client authentication etc. During the migration, the Offline CA thumbprint changed. As a result, 'new' devices are now untrusted and end up with Client = No in the console.
Existing devices are continuing to function as per usual, as they still have the old cert (there has not been a forced re-enrollment).
How do I remedy this? I can't import both OFFCA certificates into Site Settings. Both OFFCA certificates are already in Trusted Root Certification Authorities and Intermediate Certification Authorities.
If I update SCCM's config to the new OFFCA then all the existing clients will not function until they receive a new certificate. There is also the impact of updating all the DP certificates and IIS certificates too.
Why can't SCCM trust both certificates?
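A quick way to see the problem the post describes from the client side is to walk the chain of every client-authentication certificate in the machine's Personal store and report which root it terminates in, then compare that root's thumbprint with the one(s) entered under the site's trusted root CA settings. The script below is an added example and is not from the original post or from ConfigMgr itself; the thumbprints in $SiteTrustedRoots are placeholders that you fill in from Site Settings, and it assumes the client certificate is in Cert:\LocalMachine\My, which is where the ConfigMgr client looks for it.

```powershell
# Added example, not part of the original post.
# Assumptions: $SiteTrustedRoots holds the root CA thumbprint(s) configured in
# the ConfigMgr site (placeholders below); the client cert is in LocalMachine\My.

$SiteTrustedRoots = @(
    'THUMBPRINT-OF-OLD-OFFCA01'    # placeholder: root currently configured in Site Settings
    # 'THUMBPRINT-OF-NEW-OFFCA01'  # placeholder: the migrated root, once it is added
) | ForEach-Object { $_.ToUpperInvariant() }

# OID for the Client Authentication enhanced key usage
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ekuExt) { return $false }
    return [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Get-ClientCertRootInfo {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku -Cert $_) } |
        ForEach-Object {
            $cert  = $_
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Skip revocation lookups: we only care which root the chain ends in.
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $built = $chain.Build($cert)

            # The last element is the root if the chain built; otherwise it is
            # the highest cert the machine could find, which is still useful.
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

            [pscustomobject]@{
                Subject        = $cert.Subject
                NotAfter       = $cert.NotAfter
                Thumbprint     = $cert.Thumbprint
                ChainBuilt     = $built
                RootSubject    = $top.Subject
                RootThumbprint = $top.Thumbprint
                TrustedBySite  = ($SiteTrustedRoots -contains $top.Thumbprint.ToUpperInvariant())
            }
            $chain.Reset()
        }
}

Get-ClientCertRootInfo |
    Format-Table -AutoSize Subject, NotAfter, RootSubject, RootThumbprint, ChainBuilt, TrustedBySite
```

Run it on one device that shows Client = Yes and one that shows Client = No: a device enrolled after the migration will show ChainBuilt = True (Windows trusts the new root) but TrustedBySite = False, because its root thumbprint is not the one the site is configured with. Running it across a sample of existing clients also tells you how many still hold certificates chained to the old root, which is the population the poster is worried about breaking if the site's root is simply swapped.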