ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Error: "Cannot issue certificate...there is no registered master certificate with the specified name" when generating CEM agent packages

book

Article ID: 161534

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

When trying to create a CEM package, the package creation fails specifying "cannot issue certificate at this time because there is no registered master certificate with the specified name."

Failed to generate package.  Cannot issue certificate at this time because there is no registered master certificate with the specified name

Cause

The agent CA is missing from the trusted root certificate store.  See the following screenshots

Resolution

When the server is installed and configured an agent CA certificate is created.  If you have a backup copy of this certificate you can restore it and make sure that the thumbprint in the certificate matches the thumbprint stored in the registry.  You can view the thumbprint in the certificate using the Microsoft Management Console and loading the certificate snap-in.  Open the certificate and look at the details tab and validate the thumbprint matches the one in the registry location below. 

HKEY_LOCAL_MACHINE_SOFTWARE\Altiris\eXpress\Notification Server\CA\Agent\Thumbprint

The thumbprint in the registry should match the thumbprint of the Agent CA certificate located in the trusted root certificate store.  If the certificate is missing from the store you will see the error.  If you have a backup of the certificate you can restore it and it should work.   If you dont, you will have to run aexconfig and reconfigure the server to generate a new one.   This will create a new certificate.  However,  If this is an existing environment you will have to put this new certificate on any existing machines.  Any existing CEM machines would have the old certificate and will to have this updated certificate. 

The certificate you restore should match the one in the registry.

 

 

It is a good practice to backup and store in a safe place the the following certficates with the private keys after installing an SMP

SMP-"Your SMP's FQDN name"-Agent CA

SMP-"Your SMP's FQDN name"- Server CA

Any certficates bound to the default and symantec agent website.

Applies To

 

 

 

 

ITMS 7.5 SP1

 

 

Attachments