SCCM | Renew CMG Certificate

With the pandemic forcing companies to let users work from home, technologies such as CMG (Cloud Management Gateway) have become more popular with administrators who need to keep end-user devices under control.

Technologies such as CMG allow users to use their devices for SCCM-related workloads without needing a VPN.

As with most services offered over the public internet, certificates are a key security point within the CMG service. Certificates have a validity period and must be renewed once the certificate is approaching the end of that period or has already expired; an expired server certificate means internet clients can no longer establish a trusted TLS connection to the gateway.

The steps below cover how to renew the CMG external (server authentication) certificate. This certificate can be issued either by an internal CA or by a public CA provider such as GlobalSign; either way, every internet client must already trust the issuing root CA, or the TLS connection to the CMG will fail.

How to know when your certificate is expiring

As with most certificates, a quick and easy way to check the validity is either to navigate to the site where the certificate is in use or to open the certificate on a machine. The same process works for CMG: navigate to your service URL, which might be something like HTTPS://CMG.COMPANY.COM

Select the certificate information, usually found next to the URL bar, and expand the details. A new window will appear showing the validity period.

The other method you will only see once the certificate has expired, as the expiry generates errors in CCMMessaging.log on an internet client. This log can be found in the C:\Windows\CCM\Logs directory.

Another error can be seen in CloudMgr.log on the site server side. This error states that the certificate is in an expired state.
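Rather than clicking through the browser or waiting for the logs to fill with errors, the check can be scripted. The following PowerShell is an added example written for this page, not code from the original post: it pulls the certificate the CMG actually presents over TLS, reports the days remaining, and does a heuristic scan of the two logs mentioned above for lines that talk about certificates and expiry. The CMG name, the log paths and the search patterns are assumptions to adjust for your environment; the exact log message text varies between ConfigMgr versions, so treat hits as leads rather than as proof.

```powershell
# Added example (not from the original post). Run on a machine that can reach
# the CMG over 443; the log scan parts assume default log locations.
param(
    [string]$CmgFqdn  = 'cmg.company.com',   # assumption: your CMG service name
    [int]   $WarnDays = 30,                  # assumption: warning threshold
    # assumption: default client log path named in the post
    [string]$ClientLog = 'C:\Windows\CCM\Logs\CCMMessaging.log',
    # assumption: default site server install path
    [string]$ServerLog = 'C:\Program Files\Microsoft Configuration Manager\Logs\CloudMgr.log'
)

function Get-RemoteTlsCertificate {
    # Open a TLS session and return the leaf certificate the server presents.
    # The validation callback accepts any chain on purpose: we want to read an
    # expired certificate too, not decide whether to trust it.
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Find-CertificateLogLines {
    # Heuristic scan of a ConfigMgr CMLog-format file for certificate trouble.
    # CMLog lines look like: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Log not found: $Path"; return }
    Get-Content -Path $Path |
        Where-Object { $_ -match 'certificate' -and $_ -match 'expir|not valid|fail|error' } |
        ForEach-Object {
            if ($_ -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"') {
                [pscustomobject]@{ Date = $Matches.date; Time = $Matches.time; Message = $Matches.msg }
            } else {
                [pscustomobject]@{ Date = ''; Time = ''; Message = $_ }
            }
        }
}

# 1. What is the gateway presenting right now, and how long is it good for?
$cert     = Get-RemoteTlsCertificate -HostName $CmgFqdn
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    DaysLeft   = $daysLeft
    Status     = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'RENEW SOON' } else { 'OK' }
} | Format-List

# 2. Any certificate-related errors already logged? (client log on an internet
#    client, CloudMgr.log on the site server; whichever exists where you run this)
Find-CertificateLogLines -Path $ClientLog | Format-Table -AutoSize
Find-CertificateLogLines -Path $ServerLog | Format-Table -AutoSize
```

The TLS probe is the authoritative check: it tells you what clients on the internet see, including whether an old certificate is still being served after a renewal that did not synchronize. Scheduling it with a threshold of 30 days or more gives you time to obtain a new certificate from the CA before the log errors ever appear.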

How to renew the certificate

Renewing the certificate is relatively straightforward and mostly carried out in the console. The steps below assume you already have your new certificate as a .PFX file that includes the private key, that its subject name still matches the CMG service name, and that you have copied it to your primary site server.

  1. Open the console and navigate to Administration > Cloud Services > Cloud Management Gateway
  2. Right-click your gateway and select Properties
  3. Under the ‘Settings’ tab you will see your current certificate and an option to browse for a new one
  4. Select ‘Browse’, locate your new PFX certificate and enter the password for the certificate if required. Select ‘OK’ to save the settings
  5. Now that the certificate is saved, it needs to be synchronized with Azure. Right-click the gateway again and select ‘Synchronize Configuration’
  6. All being well, the gateway will update your Azure platform and change to the status ‘Ready’
  7. If you are not sure, or are having any issues, check CloudMgr.log on the site server for more information
  8. As a last step, whether the certificate had already expired or you renewed it beforehand, internet clients need to receive updated client policy without errors before they can use the new certificate. Bear this in mind: if the old certificate expired before you renewed it, users may need to connect to the corporate network (or VPN) before they can work over the internet again.
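A bad PFX (no private key, wrong subject name, a chain the clients do not trust) only shows up after the Azure synchronization in step 5 fails or after internet clients start logging errors. The following PowerShell is an added example written for this page, not code from the original post: it loads the new PFX on the site server and runs the checks you would otherwise discover the hard way, before you browse to the file in step 4. The file path, the CMG name and the minimum remaining validity are assumptions to replace with your own values.

```powershell
# Added example (not from the original post). Run on the site server where the
# new .pfx was copied, before uploading it through the CMG properties dialog.
param(
    [string]$PfxPath      = 'C:\Certs\cmg-new.pfx',   # assumption: path to the new PFX
    [string]$CmgFqdn      = 'cmg.company.com',        # assumption: must equal the CMG service name
    [int]   $MinDaysValid = 30                        # assumption: reject if it expires sooner
)

$password = Read-Host -Prompt 'PFX password' -AsSecureString
# EphemeralKeySet keeps the private key out of the machine key store during the check
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password, $flags)

$checks = [ordered]@{}
$now    = Get-Date

# The CMG needs the private key to terminate TLS; a cert-only export is useless here
$checks['HasPrivateKey'] = $cert.HasPrivateKey
$checks['AlreadyValid']  = $cert.NotBefore -le $now
$checks['LongEnough']    = $cert.NotAfter -gt $now.AddDays($MinDaysValid)

# Subject CN or a DNS SAN entry must equal the CMG service name clients connect to
$dnsName  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    # Windows formats the SAN as "DNS Name=a.example.com, DNS Name=b.example.com"
    $sanNames = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
$checks['NameMatchesCmg'] = ($dnsName -eq $CmgFqdn) -or ($sanNames -contains $CmgFqdn)

# Server Authentication EKU (1.3.6.1.5.5.7.3.1); a certificate without any EKU
# extension is unrestricted, so that case passes too
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$checks['ServerAuthEku'] = ($null -eq $eku) -or
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

# Chain build with online revocation. Passing here means THIS server trusts the
# issuer; for an internal CA, internet clients still need the root in their store.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$checks['ChainBuildsHere'] = $chain.Build($cert)
$chainStatus = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }

'Subject   : {0}' -f $cert.Subject
'Issuer    : {0}' -f $cert.Issuer
'NotAfter  : {0}' -f $cert.NotAfter
$checks.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
if ($chainStatus) { Write-Warning ('Chain status: ' + ($chainStatus -join '; ')) }
if ($checks.Values -contains $false) {
    Write-Warning 'One or more checks failed; fix the certificate before uploading it to the CMG.'
}
$chain.Dispose()
$cert.Dispose()
```

The name check is the one most often missed: the gateway's service name is fixed, so a renewal certificate issued for a different FQDN, or a wildcard certificate when the gateway was created with a specific name, will not pass. Recent versions of the ConfigMgr PowerShell module also let you set the certificate with Set-CMCloudManagementGateway instead of the properties dialog; confirm the parameter names with Get-Help Set-CMCloudManagementGateway -Detailed on your site server before scripting that part, as they have changed across releases.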
Featured Image Photo by Tim Mossholder from Pexels
