Forums on Intune, SCCM, and Windows 11


SOLVED SCCM self signed certificates

  • Thread starter: delta4
  • Replies: 3
  • Views: 23K

delta4

Hi,

I have configured my lab to work on HTTPS using PKI, including SQL. However, I keep seeing 2 self-signed certificates on the primary site under the Personal store for the computer account, shown in the screenshot below:
- SMS Token Signing Certificate
- ConfigMgr SQL Server Identification Certificate

I have tried deleting both these certs, however they get recreated automatically.

Could someone advise on why these 2 certificates are needed and if I could block them from being created on the primary site?
 
By default, SCCM creates its self-signed certificate during the first installation. If you have switched to HTTPS mode (IIS certificate, DP certificate, client certificate...), you can ignore the self-signed certificates in the Personal store. I think the reason the self-signed certificates are recreated is that you may one day return to HTTP mode.
 
Thank you for your reply. I can't find what these certificates are being used for in the documentation. My environment is working completely on HTTPS, and removing these certs has no effect as SCCM recreates them perpetually. The issue with having these 2 certs in the Personal store is that security might flag them as violations.
Is there a way to get rid of them for good?
 
If you're STIGing that server and are concerned about the OS and PKI checks, those make exceptions for "server-based applications that have a requirement for certificate files." Those checks have more to do with users bringing in outside certificates or making their own that side-step your approved certificate authority infrastructure.

If you're not STIGing and have no idea what I'm talking about, then I guess this is some corporate policy and you're just going to need to explain to your security people what it's for and how it's not in use.
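
An inventory that can be handed to a security team, added here as an example and not posted by anyone in the thread: it lists self-signed certificates in the computer account's Personal store and separates the two ConfigMgr certificates named above from anything else. Matching those names against `FriendlyName` or `Subject` is an assumption; adjust it to whatever the certificates on your site server actually show.

```powershell
# Added example. Run in an elevated PowerShell session on the site server.
# Names are the two from the thread; how they appear on the certificate
# (FriendlyName vs. Subject) is an assumption, so both are checked.
$expected = @(
    'SMS Token Signing Certificate',
    'ConfigMgr SQL Server Identification Certificate'
)

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer } |   # self-signed: subject equals issuer
    ForEach-Object {
        $cert  = $_
        # Inside this filter $_ is the expected name, $cert is the certificate.
        $match = $expected |
            Where-Object { $cert.FriendlyName -eq $_ -or $cert.Subject -like "*$_*" } |
            Select-Object -First 1

        [pscustomobject]@{
            Classification = if ($match) { "Expected (ConfigMgr): $match" }
                             else        { 'Unexplained self-signed' }
            Subject        = $cert.Subject
            FriendlyName   = $cert.FriendlyName
            Thumbprint     = $cert.Thumbprint
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey
        }
    } |
    Sort-Object Classification, Subject |
    Format-List
```

Rows classified as `Unexplained self-signed` are the ones a PKI compliance check is meant to catch; the ConfigMgr rows are the candidates for a documented exception.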
 