
Expired CRL can break Provisioning in SCCM

William_Y_Intel
Employee

This is not a new problem, but I have worked with several customers lately that have come across this issue so I thought it would be worth posting again.

The customer has an SCCM SP2 environment, single domain, multiple primary sites, and a two-tiered PKI environment (Root and Issuing CA). The provisioning process would kick off, but they kept getting the following error in the AMTPROXYMGR.log:

ERROR: CertCreateCertificateContext failed: 0x80093102, msg=ASN1 unexpected end of data. SMS_AMT_PROXY_COMPONENT 3/7/2011 4:24:28 PM 2160 (0x0870)


Error: CTaskRequestClientCert::RevokeExistedCertificate failed to get serial number from the certificate binary. SMS_AMT_PROXY_COMPONENT 3/7/2011 4:24:28 PM 2160 (0x0870)

Since SCCM leverages Web certs to encrypt all management traffic, the SCCM server must be able to request and validate the web certificate from the internal PKI environment for each of the vPro systems SCCM provisions.

I had them check that the SCCM server had access to the CRL Distribution Point (CDP) to view the CRL and that the CRL was valid (that is, not expired).

I asked them to go to the PKI issuing server to see if a web cert was being requested for the vPro system that SCCM was attempting to provision. They found the certificate in the Issued certificate store on the PKI server. I asked them to validate the CDP on the intermediate store to ensure they had access to the location. I also asked them to access that location to see if they could view the CRL on that distribution point. Once they validated they could access the CDP and see that the CRL was valid on the CDP, I asked them to perform the same function on the CDP for the Root CA.

What we found out was that the Root CRL on the CDP was expired. This is what was causing the issue. Once their PKI administrator updated the CDP with a valid Root CRL, the provisioning process worked without an issue.

So if you see the error messages above, this is a good place to start your investigation.

Thanks,

Bill

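The check Bill walks his customers through (issuing CA CDP first, then the Root CA CDP) can be scripted from the SCCM server. The following is an added example, not code from the original post or from Intel; it assumes the vPro system's web certificate has been exported from the issuing CA's Issued store to the placeholder path used in the usage line, and it relies on the built-in certutil tool to read the CRL's NextUpdate field.

```powershell
# Added example: walk the chain of a vPro web certificate and check every
# HTTP CRL Distribution Point it advertises, flagging CRLs that have expired.
# -CertPath is a placeholder for the exported leaf certificate (.cer).
function Test-ChainCrlFreshness {
    param([Parameter(Mandatory)][string]$CertPath)

    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Do not let an already-expired CRL abort chain building; we want to inspect it.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        # OID 2.5.29.31 = CRL Distribution Points. The leaf points at the issuing
        # CA's CRL, the issuing CA cert points at the Root CRL; the root has none.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $cdp) { continue }

        # Keep only HTTP(S) CDPs, which is what the SCCM server fetches.
        $urls = [regex]::Matches($cdp.Format($false), 'URL=(https?://[^\s,]+)') |
                ForEach-Object { $_.Groups[1].Value }

        foreach ($url in $urls) {
            $tmp = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.crl')
            try {
                Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
                # certutil -dump prints the CRL's ThisUpdate / NextUpdate fields.
                $dump       = certutil -dump $tmp
                $next       = ($dump | Select-String 'NextUpdate:\s*(.+)$').Matches[0].Groups[1].Value.Trim()
                $nextUpdate = [datetime]::Parse($next)
                $status     = if ($nextUpdate -lt (Get-Date)) { 'EXPIRED' } else { 'OK' }
                [pscustomobject]@{ Subject = $cert.Subject; CdpUrl = $url; NextUpdate = $nextUpdate; Status = $status }
            } catch {
                # Unreachable CDP or unparseable CRL is just as fatal for provisioning.
                [pscustomobject]@{ Subject = $cert.Subject; CdpUrl = $url; NextUpdate = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
            } finally {
                Remove-Item $tmp -ErrorAction SilentlyContinue
            }
        }
    }
}

# Usage (placeholder path): run on the SCCM primary site server.
Test-ChainCrlFreshness -CertPath 'C:\Temp\vpro-web-cert.cer' | Format-Table -AutoSize
```

A row showing EXPIRED for the CDP listed on the issuing CA's certificate is the Root CRL condition described in the post; an UNREACHABLE row means the SCCM server cannot reach that CDP at all.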