
Visitor 1

Azure AD Connect certificate issued by Microsoft PolicyKeyService CA

Hi,

We just got a certificate lifespan alert via SCOM. A certificate issued by the Microsoft PolicyKeyService Certificate Authority seems to be expiring soon on a server where Azure AD Connect is configured. This certificate seems to be linked to the Azure AD Connect Health Monitoring services, am I right? There are two certificates on that server issued by that same certificate authority, and it seems like this certificate has been renewed automatically. Please see the attached screenshot.

So my question is: does this certificate require any manual steps to renew it, or is everything taken care of automatically? Is there any way to verify that everything will be working normally after the expiration date has passed?

Thank you!

Kind regards,
Olli

2 REPLIES
Visitor 1

Re: Azure AD Connect certificate issued by Microsoft PolicyKeyService CA

We have a similar problem where a SCOM monitor is alerting because the certificate's trust chain is not complete. Can we get hold of the whole trust chain? I guess it's possible to remove the certificate since we don't use Azure AD Connect Health Monitoring, but I'm pretty sure that will bite back eventually if we update AAD Connect or start to use AAD Connect Health Monitoring in the future.


Alert description: The certificate is not valid. Reason:
PartialChain: A certificate chain could not be built to a trusted root authority.

Certificate Subject: CN=<Server name>, CN=<CN>, OU=Microsoft ADFS Agent
Certificate Issuer: CN=Microsoft PolicyKeyService Certificate Authority
Serial number: <Serial number>
Store Name: Personal

Store Key: My
Store Provider: SystemRegistry
Store Type: LocalMachine
Monitoring User: NT AUTHORITY\SYSTEM

Chain Details:
--- Certificate Status ---
PartialChain: A certificate chain could not be built to a trusted root authority. 

Microsoft

Re: Azure AD Connect certificate issued by Microsoft PolicyKeyService CA

The actual connector trust will be renewed regularly, meaning a new client cert will be generated. Because the connector is running under Network Service, it will be saved under Network Service's Personal Store. However, those old certs are not removed automatically.

Any cert issued by the service for the AAD Connect / Connect Health Service will be auto-renewed when needed.
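As an added example that is not part of this thread and is not Microsoft's own tooling, the PowerShell script below does the check the original question asks for: it lists every certificate issued by the PolicyKeyService CA in the two stores the reply mentions (LocalMachine\My and Network Service's own Personal store), marks the newest certificate in each store as the current one and the rest as superseded leftovers, and runs the same chain build SCOM runs so you can see the PartialChain status yourself. Two things are assumptions, not facts stated in the thread: that Network Service's Personal store is persisted under HKEY_USERS\S-1-5-20 (its well-known SID), and that the Blob registry values there are in the serialized-certificate format the X509Certificate2 constructor accepts on Windows. The issuer string is taken from the alert above; run the script elevated.

```powershell
# Added example (not from the thread): inventory PolicyKeyService CA certificates on an
# Azure AD Connect server and show which one is current and whether its chain builds.
# Assumptions: Network Service's MY store lives under HKU\S-1-5-20 and each "Blob" value
# there is a serialized certificate that X509Certificate2 can parse. Run elevated.

$Issuer   = 'CN=Microsoft PolicyKeyService Certificate Authority'  # from the SCOM alert
$WarnDays = 30                                                     # assumed warning window

function Get-ChainStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Same check SCOM performs: try to build a chain up to a trusted root.
    # Revocation is skipped because this internal CA is not expected to publish a reachable CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($Cert)) { return 'OK' }
    return (($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ',')
}

function Get-NetworkServiceCerts {
    # Network Service has no interactive profile, so Cert:\CurrentUser will not show its store.
    # Assumption: its MY store is the registry hive under its SID, S-1-5-20.
    $base = 'Registry::HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\My\Certificates'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem $base) {
        $blob = (Get-ItemProperty -Path $key.PSPath).Blob
        if ($blob) {
            # Assumption: the serialized-certificate blob is accepted directly by the constructor.
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        }
    }
}

# Collect candidates from both stores, tagging each with where it was found.
$found = @()
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    if ($c.Issuer -like "*$Issuer*") { $found += [pscustomobject]@{ Store = 'LocalMachine\My';   Cert = $c } }
}
foreach ($c in Get-NetworkServiceCerts) {
    if ($c.Issuer -like "*$Issuer*") { $found += [pscustomobject]@{ Store = 'NetworkService\My'; Cert = $c } }
}

if (-not $found) { Write-Host "No certificates issued by '$Issuer' found."; return }

# Flatten to a report row per certificate.
$report = foreach ($f in $found) {
    [pscustomobject]@{
        Store      = $f.Store
        Subject    = $f.Cert.Subject
        Thumbprint = $f.Cert.Thumbprint
        NotBefore  = $f.Cert.NotBefore
        NotAfter   = $f.Cert.NotAfter
        DaysLeft   = [int]($f.Cert.NotAfter - (Get-Date)).TotalDays
        HasKey     = $f.Cert.HasPrivateKey
        Chain      = Get-ChainStatus -Cert $f.Cert
    }
}

# Per store: the newest certificate is the live one; everything older is a leftover
# the service did not clean up. Warn only if the newest one is itself about to expire,
# because that means auto-renewal has not produced a successor yet.
foreach ($group in ($report | Group-Object Store)) {
    $ordered = $group.Group | Sort-Object NotAfter -Descending
    $newest  = $ordered | Select-Object -First 1
    $ordered | ForEach-Object {
        $role = if ($_.Thumbprint -eq $newest.Thumbprint) { 'current' } else { 'superseded' }
        $_ | Add-Member -NotePropertyName Role -NotePropertyValue $role -PassThru
    } | Format-Table Store, Role, Subject, NotAfter, DaysLeft, HasKey, Chain -AutoSize
    if ($newest.DaysLeft -le $WarnDays) {
        Write-Warning ("{0}: newest cert {1} expires in {2} days and no successor exists yet" -f
            $group.Name, $newest.Thumbprint, $newest.DaysLeft)
    }
}
```

Reading the output: if the certificate SCOM complains about shows up as superseded, a newer one has already been issued and the alert is about a leftover; if it is the current one with only a few days left, there is no successor yet and that is the case worth watching. A Chain column of PartialChain on every certificate is expected when the PolicyKeyService CA certificate is not in the machine's trusted root store, so it does not by itself mean the connector is broken.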