Forum Discussion
AdminService REST API keeps resetting PKI cert
Greetings all,
I have a ConfigMgr (2403) Provider that I am trying to bind an internal PKI certificate to for the AdminService. This provider is a dedicated machine and does not have IIS installed, so following the MS docs I use NETSH to bind the PKI cert.
It then works for around 5 minutes before the SMS_REST_PROVIDER.log shows the service doing a "health check", deleting the PKI cert completely from the server and then rebinding the self-signed SMS Issuing cert.
I have to reissue the internal PKI cert and rebind it and then have it deleted a few minutes later.
Does anyone have any thoughts/suggestions about what I might be missing or what is happening here?
Thanks
Scott
3 Replies
- scott_ip1 (Copper Contributor)
I've already tried unbinding the existing cert and "adding" as well as "updating" and checking the binding is correct. When I bind my cert it all works as expected until the next health check.
Every 10 minutes the REST PROVIDER will reset it back to the SMS Issuing certificate. When it does, it doesn't just unbind the PKI cert, it completely *deletes* the PKI cert from the certificate store. The SMS Provider is working correctly in all other aspects.
Steps I have tried:
- deleting existing binding before adding new cert
- add cert using same appid (0000000...)
- add cert using new appid
- disable issuing cert "purpose" in MY and SMS stores
  - It still used the cert and rebound it
- deleting the self-issued cert from MY and SMS stores
  - It fails to bind (as expected) and reports an error but leaves the PKI binding in place
  - It still reports the service as "healthy"
  - The self-signed cert is eventually re-issued and bound again after around 30 minutes
- scott_ip1 (Copper Contributor)
My "solution" for the moment is to export the SMS Issuing cert from the CM Console and install it into the "Trusted Root" store on the machines I need to connect to the API from.
I can't find any way to persist the PKI cert, so I may need to raise a case with Microsoft to resolve.
Hi Scott,
All seems fine regarding the implementation. Due to the fact that the provider is insisting on using the self-signed certificate, it looks like the binding with the self-signed certificate is still there and the provider is not considering the changes you're doing. I recommend that you do as follows:
- manually unbind the self-signed certificate from port 443: netsh http delete sslcert ipport=0.0.0.0:443
- Redo the binding with your internal cert
Let me know when done
Maher
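Added example, written for this thread rather than taken from either poster or from Microsoft: a PowerShell check that reads the HTTP.sys binding on 0.0.0.0:443 with netsh, compares it to the expected PKI thumbprint, confirms the PKI cert is still in LocalMachine\My (the health check Scott describes deletes it), and logs the result so the reset can be timed against SMS_REST_PROVIDER.log. The function names, the thumbprint value and the log path are placeholders; run it in an elevated session on the provider, for example from a scheduled task every few minutes.

```powershell
# Added example (not from the thread). Verifies which certificate HTTP.sys has bound on
# the AdminService port and records when it no longer matches the expected PKI cert.
param(
    [string]$ExpectedThumbprint = 'REPLACE_WITH_PKI_CERT_THUMBPRINT',   # placeholder value
    [string]$IpPort = '0.0.0.0:443',
    [string]$LogPath = "$env:ProgramData\AdminServiceBindingCheck.log"  # placeholder path
)

function Get-SslBinding {
    # Parses "Certificate Hash : <hex>" and "Application ID : {guid}" from netsh output.
    param([string]$IpPort)
    $text = (& netsh http show sslcert ipport=$IpPort) -join "`n"
    if ($text -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40,64})') { return $null }
    $hash = $Matches[1].ToUpper()
    $appId = if ($text -match 'Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }
    [pscustomobject]@{ IpPort = $IpPort; Thumbprint = $hash; AppId = $appId }
}

function Test-AdminServiceBinding {
    # Healthy only if the binding points at the PKI cert AND that cert still exists in the store.
    param([string]$ExpectedThumbprint, [string]$IpPort)
    $binding = Get-SslBinding -IpPort $IpPort
    $certPresent = [bool](Get-ChildItem Cert:\LocalMachine\My |
        Where-Object Thumbprint -eq $ExpectedThumbprint)
    [pscustomobject]@{
        Time            = Get-Date -Format o
        BoundThumbprint = if ($binding) { $binding.Thumbprint } else { '<no binding>' }
        AppId           = if ($binding) { $binding.AppId } else { $null }
        PkiCertInStore  = $certPresent
        Healthy         = [bool]($binding -and
                                 $binding.Thumbprint -eq $ExpectedThumbprint.ToUpper() -and
                                 $certPresent)
    }
}

$result = Test-AdminServiceBinding -ExpectedThumbprint $ExpectedThumbprint -IpPort $IpPort
# One line per run; the timestamp lets you line the reset up with the "health check" entries.
$line = "$($result.Time) bound=$($result.BoundThumbprint) appid=$($result.AppId) " +
        "pkiInStore=$($result.PkiCertInStore) healthy=$($result.Healthy)"
Add-Content -Path $LogPath -Value $line
if (-not $result.Healthy) {
    Write-Warning "Binding on $IpPort no longer uses the PKI cert (or the cert was removed from the store) at $($result.Time)"
}
$result
```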