Certificate Expiration behaviors in SCCM

Recently I noticed in my vPro SCCM lab that my remote provisioning cert was about to expire. This image was taken from my GoDaddy provisioning certificate after it had expired.
01.png
Additionally, I received an email from GoDaddy 30 days before this expiration date indicating that this cert would be expiring.  They provided instruction on how to renew this certificate.

NOTE: I received this email since I was the person on file with GoDaddy that requested this original certificate.  The contact may be another person in your organization that ordered the certificate on your behalf.  Make sure your contact forwards these emails to you to ensure you take the necessary steps to renew your certificate before expiration.
02.png

When I looked in the amtopmgr.log on my SCCM site server, I noticed that it had indicated that this provisioning certificate was about to expire. This warning was recorded daily in this log.
Error: The provisioning certificate with the thumbprint 55B7AF313A725CA10BB47A382494A3BD2927D1FB will expire in 4 day(s). Please ensure that this certificate is renewed. (CertID = 1)      SMS_AMT_OPERATION_MANAGER                11/19/2009 11:35:01 AM              2880 (0x0B40)
I decided to let the certificate expire so I could see the behavior in SCCM and help others identify this issue if their provisioning certificate expires. After the expiration date passed, I noticed the following error in the amtopmgr.log. You will see from the log entry below that SCCM unloaded the expired certificate from memory and attempted to reload a new certificate.
Remove unused provision certificate with hash 55B7AF313A725CA10BB47A382494A3BD2927D1FB from memory.               SMS_AMT_OPERATION_MANAGER       11/23/2009 11:35:05 AM               2700 (0x0A8C)
Since I had not yet updated the SCCM Site Server with a valid certificate, an error was logged stating that the certificate was invalid.
Get certificate data from database.        SMS_AMT_OPERATION_MANAGER       11/23/2009 11:37:05 AM               2700 (0x0A8C)
Error: Invalid provision certificate. Check certificate binary and hash data. Check certificate validation time. (CertID = 1)       SMS_AMT_OPERATION_MANAGER       11/23/2009 11:37:05 AM               2700 (0x0A8C)
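The two log entries above are the only signals SCCM gives you, and only in the last few days. As an added example (not part of the original post, and not Microsoft's or Intel's code), here is a small PowerShell script that scans amtopmgr.log for those entries and, independently, reads the provisioning certificate's NotAfter date straight from the computer store so you get a warning well before SCCM does. The log path and the 30-day threshold are assumptions; the sample lines are constructed from the entries quoted above and are only used if the real log is not present.

```powershell
# Added example: watch amtopmgr.log for provisioning-certificate messages and
# cross-check the certificate store for days remaining.
# Assumptions: default SCCM log location and a 30-day warning window.
$LogPath  = 'C:\Program Files\Microsoft Configuration Manager\Logs\amtopmgr.log'
$WarnDays = 30

# Constructed sample lines in the shape of the entries quoted in the post;
# used only when the real log file is not found on this machine.
$SampleLog = @(
    'Error: The provisioning certificate with the thumbprint 55B7AF313A725CA10BB47A382494A3BD2927D1FB will expire in 4 day(s). Please ensure that this certificate is renewed. (CertID = 1)  SMS_AMT_OPERATION_MANAGER  11/19/2009 11:35:01 AM  2880 (0x0B40)',
    'Remove unused provision certificate with hash 55B7AF313A725CA10BB47A382494A3BD2927D1FB from memory.  SMS_AMT_OPERATION_MANAGER  11/23/2009 11:35:05 AM  2700 (0x0A8C)',
    'Error: Invalid provision certificate. Check certificate binary and hash data. Check certificate validation time. (CertID = 1)  SMS_AMT_OPERATION_MANAGER  11/23/2009 11:37:05 AM  2700 (0x0A8C)'
)

$Lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLog }

foreach ($line in $Lines) {
    # "will expire in N day(s)" warning: capture the thumbprint and the day count
    if ($line -match 'thumbprint ([0-9A-Fa-f]{40}) will expire in (\d+) day') {
        Write-Warning ('Provisioning certificate {0} expires in {1} day(s)' -f $Matches[1], $Matches[2])
    }
    # Error logged once the certificate has actually expired
    elseif ($line -match 'Invalid provision certificate') {
        Write-Warning "SCCM is rejecting the current provisioning certificate: $line"
    }
}

# Independent check from the computer's Personal store. SCCM only warns when
# expiry is close, so compute the remaining days ourselves.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'Intel\(R\) Client Setup Certificate' } |
    ForEach-Object {
        $daysLeft = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
        $status = if ($daysLeft -lt 0)          { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                  else                             { 'OK' }
        '{0,-10} {1}  NotAfter={2:yyyy-MM-dd}  ({3} days left)' -f $status, $_.Thumbprint, $_.NotAfter, $daysLeft
    }
```

Run this from a scheduled task on the site server and route the warnings to whoever is on file with GoDaddy, which closes the gap described in the NOTE above where the renewal reminder goes to a different person than the one who runs SCCM.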

Generating a new Certificate Request and renewing Certificate on GoDaddy Web Portal
So now I needed to go and update this Remote provisioning certificate from GoDaddy to get my lab functional again.  This was the tricky part as it often is with ordering certificates from CA providers.
Since my lab is Windows 2008, the following steps listed below show the procedures to request a new provisioning certificate from GoDaddy.
I first went to GoDaddy and logged into my account that I originally setup when ordering my first provisioning certificate.  I found my original certificate in my SSL certificate section of GoDaddy and I requested to renew another year for this certificate.
After paying the required amount for this renewal, I found I had a credit for this certificate (PROSCCM001.CH1.PRODEMOLAB.COM) under Manage My Certificates.  Next to that certificate, there is now a link to Request Certificate.  The following steps were almost identical to the original request.
03.png



After clicking the Request Certificate link, I was presented with the following page.
04.png
Since this was for my lab environment, I selected the radio button Individual for the Business Type and Third Party for Certificate Hosting (these options will vary by environment).  The next section required me to generate a new CSR.  You will see a CSR Help link from GoDaddy to walk you through the creation of the CSR file: http://help.godaddy.com/topic/746/article/4800
NOTE:  The following steps were captured from my SCCM Site server that runs on a Windows 2008 Server running IIS 7.

Generate and Submit the Certificate Signing Request (CSR)
In this example, I use my IIS server on my SCCM Site server to generate my certificate request. 

1.  On your SCCM Site server, click the Start menu, select Administrative Tools > Internet Services Manager and click the Server Name.
2.  In the center section, double click on the Server Certificates button in the Security section.

05.png


3.  From the Actions menu click Create Certificate Request. This will open the Request Certificate wizard.

06.png

4.  Enter your Distinguished Name field information. The following characters cannot be used:
< > ~ ! @ # $ % ^ * / \ ( ) ? and commas.
07.png

Distinguished Name Fields:
- Organization: The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in the "Organization" field, and the DBA (doing business as) name in the "Organizational Unit" field.
- Organizational Unit: Optional. Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.
  NOTE: It is important to use the exact phrase Intel(R) Client Setup Certificate to make this a valid vPro-accepted certificate.
- Common Name: The Common Name is the fully-qualified domain name - or URL - for which you plan to use your certificate, e.g., the area of your site you wish customers to connect to using SSL. For example, an SSL certificate issued for "www.yourcompanyname.com" will not be valid for "secure.yourcompanyname.com." If the Web address to be used for SSL is "secure.yourcompanyname.com," ensure that the common name submitted in the CSR is "secure.yourcompanyname.com."
  If you are requesting a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., "*.domainnamegoes.com" or "www*.domainnamegoeshere.com"). This will secure all subdomains of the Common Name.
  NOTE: SCCM does NOT support wildcards.  This reference is for other ISV consoles that support wildcard certificates.
- Country: The two-letter International Organization for Standardization (ISO) format country code for the country in which your organization is legally registered.
- State/Province: Name of the state or province where your organization is located. Please enter the full name. Do not abbreviate.
- City/Locality: Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.
5.  Click Next.

6.  In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider; then select the bit length (2048 is the minimum). Click Next.

08.png

7.  Enter a path and file name for the CSR and click Finish.

09.png

8.  Open the generated CSR file in a plain-text editor, such as Windows Notepad; then copy and paste the CSR into GoDaddy's online enrollment form.

10.png
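If you would rather not click through the IIS wizard every year, the same request can be produced from the command line. As an added example (not from the original post or from GoDaddy's instructions), the PowerShell below writes a certreq.exe INF file that mirrors the wizard choices above (RSA SChannel provider, 2048-bit key, exportable key in the computer store, the Intel(R) Client Setup Certificate OU) and generates the CSR. The CN is the lab name used in this post; the O, L, S and C values and the C:\Temp paths are placeholders you replace with your own.

```powershell
# Added example: generate the vPro provisioning CSR with certreq.exe instead of
# the IIS wizard. Organization/location values are placeholders; paths are assumed.
$InfPath = 'C:\Temp\vpro-request.inf'
$CsrPath = 'C:\Temp\vpro-request.csr'

# INF equivalent of the wizard: commas separate RDNs, so no field may contain one.
$Inf = @'
[NewRequest]
; OU must be exactly this phrase for a vPro provisioning certificate
Subject = "CN=PROSCCM001.CH1.PRODEMOLAB.COM, OU=Intel(R) Client Setup Certificate, O=Example Org, L=Example City, S=Example State, C=US"
; 2048 is the minimum accepted by the CA
KeyLength = 2048
; AT_KEYEXCHANGE, as IIS needs for SSL
KeySpec = 1
; The private key must be exportable so the .pfx can be built later for SCCM
Exportable = TRUE
; Keep the key in the computer store rather than the user profile
MachineKeySet = TRUE
; Same provider the wizard offers
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
'@

$Inf | Set-Content -Path $InfPath -Encoding ASCII
& certreq.exe -new $InfPath $CsrPath

# The .csr file is the text you paste into GoDaddy's enrollment form
Get-Content $CsrPath
```

Once the certificate comes back, certreq.exe -accept on the issued .cer file pairs it with this pending key, which is what the Complete Certificate Request step in IIS does later in this post.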

I pasted my CSR from my text file into the field provided on the web site.


I also checked the box for “Check here, if this certificate is for Intel vPro”

They provide a link to learn more about vPro: http://help.godaddy.com/article/5260


You will see that adding the OU field of Intel(R) Client Setup Certificate is NOT required.  By checking this box, GoDaddy adds the value to the certificate for you.
KUDOS to GoDaddy for adding this simplification...applause here!
I still added the value in my CSR anyway; old habits, I guess.
11.png

Next I completed the Requestor Information and clicked Next.

I then received a confirmation window to validate my request and clicked Submit.

12.png

Submission process is completed.

13.png

After submitting this request, the GoDaddy web site generates an email to the requesting domain administrator (me in this case) to validate this certificate request.

14.png

Next, I received an email from GoDaddy stating they needed to validate my identity before processing my request.  I decided to call GoDaddy support to understand why I had to submit this information (again) since I did it the first time I requested the original certificate.  They claimed that if the original request was more than two years ago (which it was), they have to revalidate identities.
So I sent GoDaddy a copy of my driver's license and bank statement as they requested.  Enterprise companies will need to provide other documentation for this validation step. See GoDaddy's web site for the types of documents accepted.  And when all else fails, call their support line to make sure you are providing the required information.  You can also submit this documentation online at their website, although I had issues with the upload process and simply sent my information via email to their support team.
15.png


After all of these steps were completed, I noticed in the Manage Certificates section of GoDaddy, this certificate request was now showing a pending status.

16.png

You can click on the certificate to view the current status of the renewal process.  You can also get information in this window on what could be holding up the process. 
17.png

I found GoDaddy quite responsive through email when I did not provide the proper documentation (e.g. bank statement did not show the type of account).  So I resubmitted per their request to complete the process.
After the documents were received and approved by GoDaddy, I received an email stating they successfully completed the verification process in relation to my certificate request for: PROSCCM001.CH1.PRODEMOLAB.COM.
The final step in the identity-authentication process: a manual phone call from a Registration Authority (RA) associate to the number you (i.e., the requesting individual) provided when requesting the certificate.
This verification process took several days and multiple attempts to send them the proper documentation that met their requirements.  My advice is to keep in contact with their support line to make sure the process is moving.  But after three days, I finally got a phone call from them as their last verification step and received the following email indicating that my certificate had been renewed...whew!
18.png



I followed the link in the email and found the issued certificate under "Manage Certificates."

I selected Server Type: IIS7 as this matched the web server installed on my SCCM site server.

Here are the instructions from GoDaddy on installing this SSL certificate: http://help.godaddy.com/topic/742/article/4801


NOTE: Make sure you install the proper intermediate and trusted root certificates on your server (these will already exist if this is a simple renewal of the old certificate).  GoDaddy sends additional intermediate and root certs that are not valid for vPro provisioning.  The steps in their installation instructions do not use the proper root certificate, the one whose certificate hash is present in vPro systems.

Here are the steps you can follow to ensure you have the proper certificates.


19.png
20.png


Downloading and Installing the renewed Certificate
After you download the file from GoDaddy, you will need to unzip it and import the provisioning certificate back into IIS so that the issued certificate is paired with the private key generated with the CSR.

After I downloaded the certificate from GoDaddy (zip file), I unzipped the files and noticed I had two files.

This first file can be ignored as it contains an intermediate and root certificate that is not applicable to vPro.

The second file is the vPro Provisioning Certificate and contains the proper intermediate and Root certificate for vPro provisioning.  I saved this file to a location on my server.

21.png



On your SCCM Site server, click the Start menu, select Administrative Tools > Internet Services Manager and click the Server Name.

In the center section, double click on the Server Certificates button in the Security section.

From the Actions menu click Complete Certificate Request.



22.png

I located the provisioning certificate I saved from the zip file I received from GoDaddy and provided a friendly name for this certificate.

23.png

After the wizard completes and imports this certificate, you will see the vPro provisioning certificate listed in IIS.
24.png


Validating the vPro Provisioning Certificate
Now that we have imported the certificate from GoDaddy back into our SCCM site server, let’s take a look at this certificate and make sure it contains the required parameters to make it a useable vPro Provisioning Certificate. 

Click the Start menu, type mmc in the Start search box and press Enter to start the Microsoft Management Console (MMC).

In the Management Console, select File then Add/Remove Snap In.

In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.

Choose Computer Account then click Next.

Choose Local Computer, then click Finish.

Expand Certificates > Personal > Certificates.

Locate the renewed vPro Provisioning certificate that you just imported.

25.png

Double Click this certificate so you can validate this is the proper certificate and “chains” to the proper Root certificate for vPro Provisioning.

First, note that this certificate now shows a current validity period (Valid from / Valid to).

26.png

Click the Details Tab and Select Subject.

Make sure the OU = Intel(R) Client Setup Certificate.

27.png

Click the Certification Path tab and double-click the top-level root certificate > Go Daddy Class 2 Certification Authority (this should be the name of this top-level root certificate).

28.png

With this Root Certificate open, click the Details tab and ensure the Thumbprint listed is one that is contained in the vPro MEBx firmware (the one shown in this image is the proper GoDaddy thumbprint, ending in ee e4).

29.png
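The four checks above (validity dates, the OU, the chain to the right root, and the root thumbprint) are easy to get wrong by eye, especially with the expired certificate still sitting next to the new one in the store. As an added example (not from the original post, and not an Intel or Microsoft tool), the PowerShell below performs them against every certificate in the computer's Personal store that carries the Intel OU. The only data it assumes is the Go Daddy Class 2 root SHA-1 thumbprint in the $KnownRootThumbprints table (the one ending in EE E4 referred to above); confirm that entry against the hash list in your own MEBx firmware before relying on it, and add any other CA roots your fleet's firmware lists.

```powershell
# Added example: script the MMC validation of the vPro provisioning certificate.
# Assumption: the thumbprint below is the Go Daddy Class 2 root; verify it against
# the MEBx firmware hash list on your own vPro systems.
$KnownRootThumbprints = @(
    '2796BAE63F1801E277261BA0D77770028F20EEE4'   # Go Daddy Class 2 Certification Authority (SHA-1)
)

function Test-VProProvisioningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now = Get-Date
    $result = @{
        Thumbprint  = $Cert.Thumbprint
        NotAfter    = $Cert.NotAfter
        # Expired or not-yet-valid certificates are rejected by SCCM
        IsValidNow  = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        # Exact OU phrase required for vPro
        HasIntelOU  = [bool]($Cert.Subject -match 'OU=Intel\(R\) Client Setup Certificate')
        # Needed later for the .pfx export
        HasPrivKey  = $Cert.HasPrivateKey
        ChainBuilds = $false
        RootSubject = $null
        RootKnown   = $false
    }

    # Build the chain the way the Certification Path tab does (no CRL lookups in the lab)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainBuilds = $chain.Build($Cert)

    if ($chain.ChainElements.Count -gt 0) {
        # The last element is the top-level root shown in the MMC
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootSubject = $root.Subject
        $result.RootKnown   = $KnownRootThumbprints -contains $root.Thumbprint
    }

    New-Object PSObject -Property $result
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'Intel\(R\) Client Setup Certificate' } |
    ForEach-Object { Test-VProProvisioningCert $_ } |
    Format-List Thumbprint, NotAfter, IsValidNow, HasIntelOU, HasPrivKey, ChainBuilds, RootSubject, RootKnown
```

Expect two objects if the old certificate is still installed: the expired one reports IsValidNow False, which is the one to avoid in the export step that follows.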


Exporting the Certificate for use in SCCM OOB Service Point
Now that we have validated that we have the proper provisioning certificate installed on our SCCM Site Server, we now must export this certificate from the certificate store as a .pfx file (including the private key) so we can use within our SCCM OOB Management Service Point.

Go back to the MMC, right-click the renewed provisioning certificate and select All Tasks > Export.

NOTE: Ensure this is the new valid certificate and not the expired one from your original environment as this expired certificate will still be installed on your server.

30.png

The Export Wizard will prompt you for exporting your certificate.

31.png

Choose "Yes" to export the private key and click Next.

32.png

Choose “Personal Information Exchange” for the file format type and also check the box for “Include all certificates in the certification path if possible”

This will pull in the GoDaddy Intermediate and Trusted Root Certificates.

33.png

You will be prompted for a password to protect this file and the associated private key.

Remember this password, as it will be required when installing this certificate into the SCCM OOB Management Service Point.

34.png

Select a location to store this .pfx file.

35.png

The wizard will show you the details of this file, and once you click Finish it will confirm that you successfully exported the file.


36.png
37.png
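The export wizard choices above (private key included, PKCS #12 format, all certificates in the certification path) can also be scripted, which removes the risk noted earlier of picking the expired certificate by mistake. As an added example (not from the original post), the PowerShell below selects the currently valid provisioning certificate that has a private key, builds its chain so the GoDaddy intermediate and root ride along, and writes a password-protected .pfx using the .NET X509Certificate2Collection.Export method available on Windows Server 2008. The output path is an assumption; the private key must have been marked exportable when the CSR was created.

```powershell
# Added example: export the renewed vPro provisioning certificate plus chain as a .pfx.
# Assumption: output path below; key was created exportable (as the IIS wizard does).
$OutFile = 'C:\Temp\vpro-provisioning.pfx'

# Pick only the currently valid Intel OU certificate that has a private key, so the
# expired copy still present in the store is never exported by accident.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -match 'Intel\(R\) Client Setup Certificate' -and
        $_.NotAfter -gt (Get-Date) -and
        $_.HasPrivateKey
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw 'No valid vPro provisioning certificate with a private key was found.' }

# Equivalent of "Include all certificates in the certification path if possible"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)

$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($element in $chain.ChainElements) { [void]$collection.Add($element.Certificate) }

# The password protects the private key inside the .pfx; SCCM asks for it on import.
$secure = Read-Host -AsSecureString 'Password to protect the .pfx'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # Pfx export writes the leaf's private key plus every certificate in the collection
    $bytes = $collection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $plain)
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

[IO.File]::WriteAllBytes($OutFile, $bytes)
'Exported {0} with {1} certificate(s) in the chain to {2}' -f $cert.Thumbprint, $collection.Count, $OutFile
```

Treat the resulting .pfx like the private key it contains: keep it off shared locations and delete the copy once SCCM has imported it, since anyone holding it can provision your vPro systems.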


Update SCCM Service Point with Renewed Certificate
Now that you have an updated certificate on your site server and exported it as a pfx file, you now need to update the OOB Service Point on your SCCM Site server.

In the Configuration Manager console, navigate to System Center Configuration Manager > Site Database > Site Management > Site DB > Site Settings > Component Configuration.

Right-click Out of band management component, and click Properties.

Under the Certificates section for Provisioning Certificate, click the Browse button.

38.png

Browse to the .pfx file that you exported in the previous step and enter the password for this file.

Click OK and then Apply in the OOB properties window.

39.png


After applying the valid provisioning certificate, you will now see a message in the amtopmgr.log, "Found new provision server certificate with hash…", and you will no longer see the "Invalid provision certificate" error noted earlier when the original certificate had expired.

Now SCCM can properly provision vPro systems with this renewed provisioning certificate.


40.png

If you are monitoring your SCCM logs and the emails from GoDaddy, you can keep your provisioning certificate from expiring.  But if this does occur, you now know what it will look like and how to correct the issue.
If you have any questions regarding any of these steps or have input to improve/simplify these steps, please post your comments here.  Thanks!