SCCM Plug-in installation--certificate issues?

stevehahn
Contributor

Hi all--I've found some mention here of certificate issues with the SCCM plug-in, but nothing for the issue I'm running into. I'm following the article posted here, and I'm on Step 4: Register the ISV Proxy Certificate with SCCM (I'm using our AD certificate authority).

  • I created the ISV certificate on our management point server, not our central admin server (since I plan to install the proxy service on the MP)
  • I copied the cert to our CAS and tried to import it in the SCCM console, and I get this error: "The certificate selected is already being used on this site server (boot media, PXE server, ISV proxy certificate)."

I'm wondering if what is messing me up is that I'm intending to install on a management point, not the CAS? It seems like maybe the instructions are geared toward installing the proxy service on either the CAS or some other Windows box that is not in the SCCM hierarchy. Any ideas?

4 REPLIES 4

drhoten
Contributor II
Contributor II

Hi Steve -

It sounds like it could be two different things going on.

  1. There is already a certificate in SCCM which has the same subject name or 'issued to' property. We've seen this is a couple of cases, where there is already a certificate with the fully qualified domain name of the Management Point server in SCCM listed in the 'Issued To' column, but the type is not 'ISV Proxy'. This will depend on your specific configuration, but If this is the case you may need to install the proxy service on a different machine.
  2. Assuming you are using a PKI for issuing your certificates, then it could also be that the Signature hash algorithm of the certificate is not SHA1 or SHA2 which is a requirement for SCCM. We've seen misleading errors occur when trying to import certificates that don't meet SCCM requirements.

Based on the KB article you linked to, it appears you are using an older version of the plug-in. There is a newer version now available that eliminates the need of installing any certificates on the JSS server, and does not need to be re-installed on the JSS server after upgrading the JSS. The KB article configuring the certificates for that version is https://jamfnation.jamfsoftware.com/article.html?id=371.

I hope this helps, and if you need more assistance reach out to support and ask to be put in touch with Lois the topic specialist for the plug-ins.

Doug

ajacks88
New Contributor

Running into the same issue, did you find a solution?

nojp
New Contributor

My fix for this issue was to login to SCCM DB server and run this SQL query against SCCM DB:

"select * from ClientKeyData where Thumbprint = 0x<cert_thumbprint>"

Where <cert_thumbprint> is the thumbprint of your ISV certificate. I had to type mine in manually as copying and pasting from the cert window gave weird SQL query errors.

After I did this there was a single object with that cert thumbprint, which I needed to remove to be able to register the ISV again correctly. So I ran this SQL:

"DELETE from ClientKeyData where Thumbprint = 0x<cert_thumbprint>"

This freed up the ISV cert and I was able to re-register the ISV to make the JAMF SCCM plugin work again. I am running into other issues now though, hopefully this helps though!

nojp
New Contributor

As a follow up - the issue in my case with this was that when you issue the ISV cert to your JAMF proxy server, by default SCCM sees it as a new certificate for the server (assuming you install SCCM on servers). The client then re-registers with the site with the new cert before you can import it, and the generic function the ISV import dialog is using is searching ALL client key data for the certificate - despite what the error message says.

One workaround for this is to re-issue your normal SCCM client cert on the server after you enroll in the ISV cert, to force another re-registration and "free" the certificate from being "in use" again.