First published on CloudBlogs on Jun 09, 2015
Update June 2017:
The latest authentication certificate can be found here: https://support.microsoft.com/en-us/help/3207852/update-for-authentication-certificate-in-system-cen....
When the Configuration Manager Asset Intelligence synchronization point first connects to System Center Online, it presents the System Center online authentication certificate to enroll in the service. This is a public certificate that is used by all Configuration Manager installations. As part of the enrollment process, the service returns a certificate that is specific to that Asset Intelligence synchronization point. This specific certificate is then used for subsequent activity when Asset Intelligence synchronizes with System Center online, for example, when it uploads and downloads software titles.
The public certificate for System Center online authentication was distributed by Microsoft for Configuration Manager 2007 Service Pack 1, and it was automatically installed and configured starting with Configuration Manager 2007 Service Pack 2 and continuing with System Center 2012. The public certificate currently has a validity period of 3 years and an expiration date of 6/19/2015. It was issued by an issuing certificate with an expiration date of 5/29/2015. The expiry date of the specific certificate is based on when it was issued. It has a validity period of 1 year. The validity dates can be viewed in the certificate properties using the Certificates MMC snap-in.
Because the issuing certificate for the public certificate for System Center online authentication has now expired, the public certificate will be rejected by System Center online. The specific per-installation certificates for customers will expire based on when the Asset Intelligence synchronization point first connected to System Center online. Because you cannot automatically renew the specific per-installation certificate when either the public certificate for System Center online authentication or its issuing certificate has expired, you must take manual steps to renew your public certificate. If you do not renew your public certificate, you will no longer be able to synchronize with System Center online when your specific certificate expires. You will also not be able to add a new Asset Intelligence synchronization point.
If neither the public certificate nor the specific certificate is valid, you will see the following entries in AIUpdateSvc.log when the Asset Intelligence synchronization point attempts to renew the specific per-installation certificate.
Asset Intelligence Catalog Sync Service Warning: 0 :
WebException trying to enroll: Status = ProtocolError
Asset Intelligence Catalog Sync Service Error: 0 :
Exception attempting sync - The request failed with HTTP status 403: Forbidden.
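The two entries above can be searched for mechanically when triaging a site. The following Python scan is an added example, not part of the original post or of Configuration Manager. It assumes the log layout quoted above (message on the header line or on the line after it); the function names and the sample text, including its Information entry, are constructed for illustration.

```python
import re

# Header written by the sync service, as quoted on the page:
#   "Asset Intelligence Catalog Sync Service Warning: 0 :"
HEADER = re.compile(
    r"Asset Intelligence Catalog Sync Service\s+(?P<level>\w+)\s*:\s*\d+\s*:\s*(?P<rest>.*)$"
)
ENROLL_FAIL = "WebException trying to enroll: Status = ProtocolError"
SYNC_403 = "The request failed with HTTP status 403: Forbidden"

# Constructed sample: the page's two entries plus an unrelated entry and a
# one-line variant of the 403 error.
SAMPLE = """\
Asset Intelligence Catalog Sync Service Information: 0 :
Starting sync
Asset Intelligence Catalog Sync Service Warning: 0 :
WebException trying to enroll: Status = ProtocolError
Asset Intelligence Catalog Sync Service Error: 0 :
Exception attempting sync - The request failed with HTTP status 403: Forbidden.
Asset Intelligence Catalog Sync Service Error: 0 : Exception attempting sync - The request failed with HTTP status 403: Forbidden.
"""

def parse_entries(text):
    """Return (level, message) pairs from the log text."""
    entries, pending = [], None  # pending: level of a header awaiting its message
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.search(line)
        if m and m.group("rest"):          # header and message on one line
            entries.append((m.group("level"), m.group("rest")))
            pending = None
        elif m:                            # header only; message follows
            pending = m.group("level")
        elif pending:
            entries.append((pending, line))
            pending = None
    return entries

def find_cert_rejections(text):
    """Classify each 403 sync error by whether an enrollment warning preceded it."""
    hits, enroll_seen = [], False
    for level, msg in parse_entries(text):
        if level == "Warning" and ENROLL_FAIL in msg:
            enroll_seen = True
        elif level == "Error" and SYNC_403 in msg:
            hits.append("enroll+403" if enroll_seen else "403-only")
            enroll_seen = False
    return hits

if __name__ == "__main__":
    print(find_cert_rejections(SAMPLE))
```

An `enroll+403` result matches the pattern this post describes; a `403-only` result is the same error without the preceding enrollment warning and needs a separate look.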
You may also see the following errors on the Asset Intelligence home page in the Configuration Manager console as shown below.
System Center 2012 Configuration Manager: “Expired credentials/certificate/token. Need to re-provision online account.”
Configuration Manager 2007: “Connection Failed - bad certificate”
To renew your certificates for Asset Intelligence, you must first obtain an updated public certificate for System Center online authentication. When this updated certificate is installed, your specific certificate will automatically renew.
How to Update the Certificates for Asset Intelligence