[Yvette O’Meally has provided today’s post]

When the Configuration Manager 2007 Asset Intelligence synchronization point first connects to System Center Online, it presents the System Center online authentication certificate to enroll in the service.  This is a public certificate that is used by all Configuration Manager 2007 installations.  As part of the enrollment process, the service returns a certificate that is specific to that Asset Intelligence synchronization point. This specific certificate is then used for subsequent activity when Asset Intelligence synchronizes with System Center online, for example, when it uploads and downloads software titles.

The public certificate for System Center online authentication was distributed by Microsoft for Configuration Manager 2007 Service Pack 1 and it was automatically installed and configured with Configuration Manager 2007 Service Pack 2. In both cases, this certificate has a validity period of 3 years and an expiration date of 4/25/2011.  The expiry date of the specific certificate is based on when it was issued. It has a validity period of 1 year. The validity dates can be viewed in the certificate properties using Certificates MMC Snap-in.

Because the public certificate for System Center online authentication has now expired, it will be rejected by System Center online.  The specific per-installation certificates for customers will expire based on when the Asset Intelligence synchronization point first connected to System Center online.  Because you cannot automatically renew the specific per-installation certificate when the public certificate for System Center online authentication has expired, you must take manual steps to renew your certificate before it expires. If you do not renew your certificate and it expires, you will no longer be able to synchronize with System Center online.

If both the public certificate and specific certificate have expired you will see the following entries in the AIUpdateSvc.log when the Asset Intelligence synchronization point attempts to renew the specific per-installation certificate.

Asset Intelligence Catalog Sync Service Warning: 0 : Tue, 26 Apr 2011 04:51:58 GMT:WebException trying to enroll: Status = ProtocolError
Asset Intelligence Catalog Sync Service Error: 0 : Tue, 26 Apr 2011 04:51:58 GMT:Exception attempting sync - The request failed with HTTP status 403: Forbidden.

 You may also see a 'Connection Failed - bad certificate' error on the Asset Intelligence home page in the Configuration Manager console as shown below.

To renew your certificates for Asset Intelligence, you must first obtain an updated public certificate for System Center online authentication. When this updated certificate is installed, your specific certificate will automatically renew.

How to Update the Certificates for Asset Intelligence

• Configuration Manager 2007 Service Pack 2: Install hotfix KB2483225. This hotfix installs the updated public certificate for System Center online authentication and no further action is required. As part of the hotfix installation, the updated certificate is configured for the Asset Intelligence synchronization point and your specific certificate will be automatically renewed.  For more information about this hotfix, see http://support.microsoft.com/kb/2483225/en-us.
• Configuration Manager Service Pack 1: Obtain a certificate file and manually configure the Asset Intelligence synchronization point to use the updated public certificate for System Center online authentication. Use the following steps:
  1. Email ai-cert@microsoft.com to request a certificate file that contains the updated public certificate for System Center online authentication.  Please note that this alias is for certificate distribution only and not for support questions.
  2. Store the certificate file in a location that is accessible to the site server.
  3. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database (<site code> - <site name>) / Site Settings / Site Systems.
  4. Click the Asset Intelligence Synchronization point site system computer name.
  5. Select the Asset Intelligence synchronization point, and click Properties.
  6. On the General tab of the Asset Intelligence Synchronization Point Properties, specify the path to the new System Center Online authentication certificate (.pfx) file, and click OK.

 For additional information about the Asset Intelligence synchronization point, see the following topic in the Configuration Manager 2007 Documentation Library: About the Asset Intelligence Synchronization Point.

 -- Yvette O'Meally

This posting is provided "AS IS" with no warranties and confers no rights.