How to Configure the Policy Module to Use a New Client Certificate in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Servers that are running the Configuration Manager Policy Module with the Network Device Enrollment Service role service use a client certificate to authenticate the Policy Module to the certificate registration point site system server in System Center 2012 Configuration Manager. Typically, a client authentication certificate is valid for one year. Before the certificate expires, renew it, update the registry for the new certificate, and then restart the web server that runs the Network Device Enrollment Service.

Note

If the certificate has already expired, the entry ERROR("Failed to send http request <thumbprint>. Error 12037", appears in the NDESPlugin.log file on the server that runs the Network Device Enrollment Service. In the error message, <thumbprint> is replaced with the certificate thumbprint of the expired certificate.

To renew the certificate:

After the new certificate is deployed on the server that runs the Network Device Enrollment Service and the Configuration Manager Policy Module, use the following procedure to configure the server to use the new certificate.

To configure the Policy Module to use the new client certificate

  1. On the server that runs the Network Device Enrollment Service and the Configuration Manager Policy Module, open the registry editor and replace the old certificate thumbprint with the new certificate thumbprint by using the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint.

    Tip

    To identify the thumbprint for the new certificate, locate the certificate in the Computer store by using the Certificates snap-in. Then, right-click the certificate, click Properties, click View Certificate, click the Details tab, and then scroll and select Thumbprint. You will then see and be able to copy the string of hexadecimal characters that is the certificate thumbprint for this certificate.

  2. Restart the services for the web server by using one of the following methods:

    1. From Internet Information Services (IIS) Manager: Browse to the web server node in the tree. In the Actions pane, click Restart.

    2. From the command line: Type iisreset /restart and press Enter.

    For more information, see Start or Stop the Web Server (IIS 8) in the Windows Server library on TechNet.

You can confirm that the Policy Module is using the new certificate by checking for the following entry in the NDESPlugin.log file on the server that runs the Network Device Enrollment Service: INFO("NDES thumbprint is <thumbprint>.", wszBuffer);
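The following PowerShell script is an added example, not part of this article or of Configuration Manager itself. It carries out the procedure above end to end on the server that runs the Network Device Enrollment Service: it locates the new client authentication certificate in the computer's Personal store (rather than copying the thumbprint by hand from the Certificates snap-in), writes its thumbprint to the NDESCertThumbprint registry value, restarts IIS with iisreset /restart, and then checks NDESPlugin.log for the "NDES thumbprint is <thumbprint>" confirmation entry. The certificate subject in $NewCertSubject and the log file location in $LogPath are assumptions you supply for your own server; the Test-ClientAuthEku helper is also part of this example.

```powershell
# Added example (not from the original article or from Configuration Manager).
# Rotates the NDES Policy Module client certificate thumbprint in the registry,
# restarts IIS, and verifies the change in NDESPlugin.log.
# Assumed inputs: $NewCertSubject identifies the newly deployed certificate by its
# Subject; $LogPath is the NDESPlugin.log location on this server.
#Requires -RunAsAdministrator

param(
    [Parameter(Mandatory = $true)]
    [string] $NewCertSubject,   # e.g. 'CN=ndes-server.example' (placeholder, adjust)
    [Parameter(Mandatory = $true)]
    [string] $LogPath           # full path to NDESPlugin.log on this server (placeholder)
)

$regPath       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
$valueName     = 'NDESCertThumbprint'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

# Helper (hypothetical, part of this example): does the certificate carry the
# Client Authentication EKU? The Policy Module authenticates as a client, so a
# certificate without this usage is the wrong one even if the subject matches.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { return $true }
            }
        }
    }
    return $false
}

# 1. Locate the new certificate in the Computer (LocalMachine) Personal store:
#    matching subject, private key present, not yet expired, client-auth EKU.
#    If several match (old and renewed copies), take the one that expires last.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $NewCertSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { Test-ClientAuthEku -Cert $_ } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired client authentication certificate with subject '$NewCertSubject' and a private key was found in Cert:\LocalMachine\My."
}

# 2. Read the thumbprint the Policy Module currently uses. A value pasted from the
#    Certificates snap-in may contain spaces or lowercase hex, so normalise it
#    before comparing with the store's uppercase, space-free form.
$current           = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName
$normalizedCurrent = ($current -replace '\s', '').ToUpperInvariant()

if ($normalizedCurrent -eq $cert.Thumbprint) {
    Write-Host "Registry already points at thumbprint $($cert.Thumbprint); nothing to change."
} else {
    Write-Host "Replacing thumbprint $normalizedCurrent with $($cert.Thumbprint) in $regPath\$valueName (expires $($cert.NotAfter))"
    Set-ItemProperty -Path $regPath -Name $valueName -Value $cert.Thumbprint

    # 3. Restart the web server so the Policy Module picks up the new value.
    iisreset /restart
}

# 4. Verify from the log: the Policy Module records the thumbprint it loaded, and the
#    note in the article ties 'Error 12037' send failures to an expired certificate.
$confirm = Select-String -Path $LogPath -SimpleMatch -Pattern "NDES thumbprint is $($cert.Thumbprint)" |
    Select-Object -Last 1
if ($confirm) {
    Write-Host "Confirmed in log: $($confirm.Line)"
} else {
    Write-Warning "No 'NDES thumbprint is $($cert.Thumbprint)' entry found in $LogPath yet; re-run this check after IIS has finished restarting."
}

$sendFailures = @(Select-String -Path $LogPath -SimpleMatch -Pattern 'Error 12037')
if ($sendFailures.Count -gt 0) {
    Write-Warning "$($sendFailures.Count) 'Error 12037' entries present in $LogPath; check whether any postdate the restart."
}
```

Run it in an elevated PowerShell session on the NDES server, for example `.\Update-NdesPolicyCert.ps1 -NewCertSubject 'CN=ndes-server.example' -LogPath 'D:\Logs\NDESPlugin.log'` (both values are placeholders). Selecting the certificate by subject, private key, validity and EKU rather than by a hand-copied thumbprint removes the most common mistake in this procedure, pointing the registry at the old or a wrong certificate; the 12037 check afterwards distinguishes failures that predate the rotation from ones that mean the new certificate is still not being used.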