SCCM 2007 client certificate related question

Hi,

I am having more questions about SMS certificates. Can you please explain the questions below?

What is the purpose of the SCCM client certificate under Personal and the two SCCM certificates under SMS in the certificate store?

We are having an SMS certificate expiration issue on most client machines.

How to expand the SMS_def file to include SMS certificate information in hardware inventory?

How to delete expired SMS certificates from client machines?

How to renew it, or will it automatically be renewed from AD once GPUpdate runs?

Appreciate your reply

January 6th, 2014 11:17pm

Are you running in Native Mode?

Auto-generated certs in ConfigMgr are set to expire in 100 years, are you sure that's the issue you are having?

The two client certs are used for client authentication and client signing of data.

You can use the following to collect cert expiration: http://www.sccm-tools.com/tools/vbscript/vbscript-certificates.html

You can use a variety of tools to delete certs including the MMC snap-in, certutil, and PowerShell to name a few.

Cert renewal depends upon how you deployed them. If you used an Enterprise PKI, then yes, they will auto-renew if you have auto-renewal enabled. If they are self-signed certs generated by the client agent, then no, they won't renew. As mentioned though, you should not be having an issue with the self-signed certs expiring.

January 7th, 2014 1:43am

Thanks for the reply

Yes, we are running in Native mode.

We found a script to delete the SMS certificate from expired machines and restart the SMS Agent service.

http://msscadmin.wordpress.com/2013/03/18/sccm-client-certificate-removal/

Do we have any PowerShell script or VBScript to get the machines with expired SMS certificates instead of modifying the SMS_def file?

January 7th, 2014 4:27pm

To collect the info via ConfigMgr, you must modify sms_def.mof -- not sure what else you are expecting.

There are many different ways to directly query certs and their properties including the VBScript in that link, PowerShell, the MMC snap-in and others.

Simply deleting the cert and restarting the agent doesn't help you at all; the clients need a valid cert to communicate, and in native mode only certs from a PKI are valid, so you need to research your PKI implementation to figure out how to do this. There's no specific reason to delete expired certs either, as they will simply be ignored.

January 8th, 2014 7:52am
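The replies above point to PowerShell as one way to query the client certificates and their expiry without touching sms_def.mof. The script below is an added example, not from the thread or from any of the linked tools: it reports expired or soon-to-expire certificates in the ConfigMgr client's SMS store and the computer's Personal store, locally or on a list of remote machines. It assumes the SMS store is at Cert:\LocalMachine\SMS (as described in the question), that the client authentication certificate sits in Cert:\LocalMachine\My, and that PowerShell remoting is enabled on the remote machines; the computer names and the 30-day warning window are placeholders.

```powershell
# Added example (not part of the thread): list expired or soon-to-expire
# certificates in the ConfigMgr client stores on one or more machines.
# Assumptions: SMS store at Cert:\LocalMachine\SMS, client auth cert in
# Cert:\LocalMachine\My, PS remoting enabled for remote names. Read-only.
param(
    [string[]]$ComputerName = @('localhost'),   # placeholder list
    [int]$WarnDays = 30                         # "Expiring" threshold, assumed
)

$scriptBlock = {
    param($WarnDays)
    $now = Get-Date
    foreach ($store in 'Cert:\LocalMachine\SMS', 'Cert:\LocalMachine\My') {
        # The SMS store only exists where the ConfigMgr client is installed
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            $daysLeft = [int]($_.NotAfter - $now).TotalDays
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer        # self-signed vs. PKI-issued is visible here
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = if ($daysLeft -lt 0) { 'Expired' }
                             elseif ($daysLeft -le $WarnDays) { 'Expiring' }
                             else { 'OK' }
            }
        }
    }
}

# Run locally without remoting, otherwise fan out over WinRM
$results = foreach ($c in $ComputerName) {
    if ($c -eq 'localhost') {
        & $scriptBlock $WarnDays
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $scriptBlock -ArgumentList $WarnDays
    }
}

# Only the problem certificates are shown; drop the Where-Object to see everything
$results | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Computer, NotAfter |
    Format-Table Computer, Store, Subject, Issuer, NotAfter, DaysLeft, Status -AutoSize
```

Run it as `.\Get-SmsCertExpiry.ps1 -ComputerName PC01,PC02` (file name and computer names are placeholders). The Issuer column is the useful diagnostic: as the first reply notes, the client-generated self-signed certificates are set to expire in 100 years, so an "Expired" row in native mode will almost always be a PKI-issued certificate, and the fix belongs in the PKI's renewal policy rather than in deleting the old certificate.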
