MicrosoftDocs / SCCMdocs

Configuration Manager documentation public repo
https://docs.microsoft.com/sccm/
Creative Commons Attribution 4.0 International

Issue with CCMCERTISSUERS usage/description #2220

Closed marcusholland closed 4 years ago

marcusholland commented 4 years ago

The mention of commas needs to be removed (or verified), in "Attributes can be separated by a comma (,) or semi-colon (;)."

Two reasons for this:

We recently opened a premier support request on odd behaviour we were experiencing with the CCMCERTISSUERS declaration. CCMSETUP was not able to select our client certificate, even though we had the CCMCERTISSUERS value correct e.g.

CCMCERTISSUERS="CN=Trimble-SC-CA,DC=trimblecorp,DC=net"

We had been using this parameter format (with commas) for some time and suddenly it no longer worked. After many weeks with premier support, the engineer found that swapping to semicolons resolved the issue, which cost us many premier support hours. Why this changed for us we never got to the bottom of, but certainly, commas do not work. In fact, it may be worth noting somewhere in this article that the client installation properties in the SCCM console can override those specified in the command line e.g. when changing CCMCERTISSUERS to semicolons in the client installation properties, it resolved the issue for us. Using semicolons in CCMCERTISSUERS at the CCMSETUP command line showed no change in behaviour, and this is why it took us so long to track it down. We tried both commas and semicolons at the command line, but neither worked until we changed the client installation properties parameter to use semicolons.

If you wish to reference the support case, please let me know. I would be very interested in another opinion on this, as I do know that we have been using commas successfully for this parameter in the past, but, consider the last value in your example, this actually doesn't make any sense. Which is correct? It would be simplest to only mention semicolons.

Thanks, Marcus.



aczechowski commented 4 years ago

Hi @marcusholland, sorry for not responding sooner. We moved this content to a new GitHub repository, so this issue is no longer tracked with the original article. If you still have information about the Premier case, I can try to track that down. (Or the name of your TAM or the Premier/support engineers working the case.) Honestly, it's probably best to file product feedback on this issue. I can check back with engineering if something changed to drop comma delimiters. To one of your questions, it's not really mixing delimiters, because the comma is in one of the strings Contoso, Ltd.

As to the last point...I think there's a prioritization of properties, which also includes the previously used properties that might be saved in the registry. If anything that's probably what needs to be added. I'll see if I can track that down.

marcusholland commented 4 years ago

Thanks for your suggestions @aczechowski, I will leave product feedback, as I believe this is still a bit ambiguous.

Our premier case details are below:

And yes, you're correct, there is a prioritisation of properties - we found that the site client push installation properties were overriding everything else (and were the source of our problem). It wasn't till we corrected these, that they all began working as expected. Again, this was something that was never changed previously at our end, so behaviour somewhere had changed.

Thanks again for your response and support, it is greatly appreciated! Have a good one :-)

aczechowski commented 4 years ago

Thanks Marcus, I'll try to track down some details for that. Please do file a frown, provide version details and logs if you have them. (We can try to get from the Premier case as well.) The response from engineering is that the code there hasn't changed for years, so on the surface not sure why the errors would occur. Because of that, I'm going to close this doc issue. The current understanding is that it should function as documented, if it's not then it's something environmental or a product bug.

aczechowski commented 4 years ago

@marcusholland FYI, an escalation engineer we work with was able to repro the issue, and we filed a bug. Thanks again for the feedback. 😄

marcusholland commented 4 years ago

@aczechowski you're welcome! Thank you too sir for your support! Much appreciated 😸