Forums on Intune, SCCM, and Windows 11


PENDING Device cannot connect due to PKI error


MMaa

Hi,

I have my Site configured for HTTPS with 3 trusted CAs (RootCA, SubCA1, SubCA2). All clients auto enroll for a Client Auth Cert from SubCA1 and register correctly.

One device (SubCA2 itself) does not register because the client picks the longest Cert available which is the SubCA2 CA Certificate.
When using that certificate for client registration it fails. I have also tried issuing a client auth cert that is valid longer than the SubCA2 CA Certificate, signed by the RootCA. Still no registration.
So apparently my DP does not accept registration with a certificate that is only signed by the RootCA. However the RootCA Cert is in the list inside of HTTPS Configuration in MECM and also in the Trusted CA Store of the MP itself.

The CMHTTPSReadiness Check works fine and says client is ready for https. It correctly picks the certificate I want it to use.

Locationservices.log:

Client doesn't have PKI issued cert and cannot get CCM access token. Error 0x8000ffff LocationServices 24.02.2026 11:16:45 4796 (0x12BC)
[CCMHTTP] ERROR: URL=https://<MP FQDN>/SMS_MP/.sms_aut?SMSTRC, Port=443, Options=31, Code=0, Text=CCM_E_NO_TOKEN_AUTH LocationServices 24.02.2026 11:16:45 4796 (0x12BC)
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden LocationServices 24.02.2026 11:16:45 4796 (0x12BC)

CcmMessaging.log:
Post to https://<MP FQDN>/ccm_system_windowsauth/request failed with 0x87d00231. CcmMessaging 24.02.2026 11:24:46 4796 (0x12BC)

inetpub Log on MP (W3SVC1)
2026-02-24 10:24:46 W3SVC1 <IP of MP> CCM_POST /ccm_system/request - 443 - <IP of Client> ccmhttp 403 16 2148204809 1417 8
2026-02-24 10:24:46 W3SVC1 <IP of MP> CCM_POST /ccm_system_windowsauth/request - 443 -<IP of Client> ccmhttp 403 16 2148204809 1417 9
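An added example, not part of the original post: a PowerShell sketch that parses IIS W3C log lines like the W3SVC1 entries above and decodes the `sc-status`, `sc-substatus` and `sc-win32-status` fields. The `#Fields` header, the names given to the last two columns and the 192.0.2.x addresses are constructed assumptions; `ConvertFrom-IisLog` is a hypothetical helper name.

```powershell
# Constructed sample: the #Fields header and IPs are assumed; the status values
# (403, 16, 2148204809) are the ones from the W3SVC1 lines quoted in the post.
$sample = @'
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2026-02-24 10:24:46 W3SVC1 192.0.2.10 CCM_POST /ccm_system/request - 443 - 192.0.2.50 ccmhttp 403 16 2148204809 1417 8
2026-02-24 10:24:46 W3SVC1 192.0.2.10 CCM_POST /ccm_system_windowsauth/request - 443 - 192.0.2.50 ccmhttp 403 16 2148204809 1417 9
'@ -split "`r?`n"

# IIS 403 substatus codes that relate to client certificates
$subStatus = @{ '403.7' = 'Client certificate required'; '403.13' = 'Client certificate revoked'
                '403.16' = 'Client certificate is untrusted or invalid'
                '403.17' = 'Client certificate has expired or is not yet valid' }
# Certificate-related HRESULTs; string keys because 0x8... literals parse as negative Int32
$win32 = @{ '0x800B0109' = 'CERT_E_UNTRUSTEDROOT'; '0x800B010A' = 'CERT_E_CHAINING'
            '0x800B0101' = 'CERT_E_EXPIRED';       '0x80092010' = 'CRYPT_E_REVOKED' }

function ConvertFrom-IisLog {   # hypothetical helper: maps each row onto the #Fields names
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

ConvertFrom-IisLog $sample |
    Where-Object { $_.'sc-status' -eq '403' } |
    ForEach-Object {
        $hr  = [int64]$_.'sc-win32-status'        # logged as unsigned decimal
        $hex = '0x{0:X8}' -f $hr
        $key = '{0}.{1}' -f $_.'sc-status', $_.'sc-substatus'
        [pscustomobject]@{
            Uri       = $_.'cs-uri-stem'
            Client    = $_.'c-ip'
            Http      = "$key $($subStatus[$key])"
            Win32     = "$hex $($win32[$hex])"
            Facility  = ($hr -shr 16) -band 0x1FFF   # 11 = FACILITY_CERT
        }
    } | Format-List
```

IIS defines 403.16 as "Client certificate is untrusted or invalid", and 2148204809 is 0x800B0109 (CERT_E_UNTRUSTEDROOT): the presented chain ended in a root that the server's trust provider does not trust. Real logs carry their own `#Fields` line, so the column mapping follows whatever fields the site is configured to log.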
 
