Clients, Internet GateWay and SiteServers fail to enroll to the Notification Server and errors like the following are seen:

"6/3/2015 11:38:43 AM","Unable to get the server certificate response XML associated with the specified request (Exception: System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
   at Altiris.NS.Security.Cryptography.CertificateManager.GetCertificateAsPEM(X509Certificate2 certificate)
   at Altiris.Web.NS.Agent.GetServerCertificate.GetServerCertificateXml())
**CEDUrlStart** :http://entced.symantec.com/entt?product=SMP&version=7.6.1383.0&language=en&module=jEOt10kGEE7SPU/YdqchkDEaaPxk41aqY+1MgKQyjzKuYEtz/sp6FXsAvE8WC2Uf&error=1173783352&build=**CEDUrlEnd**","Altiris.Web.NS.Agent.GetServerCertificate.GetServerCertificateXml","w3wp.exe","316","Errors"

"6/3/2015 11:19:06 AM","Unable to get the client certificate associated with the specified request (Request: <resource typeGuid=""{493435F7-3B17-4C4C-B07F-C23E7AB7781F}"" name=""<siteserver>"">
<key name=""fqdn"" value=""<siteserver>.<yourdomain>.com""/>
<key name=""name.domain"" value=""<siteserver>.<yourdomain>""/>
<key name=""uniqueid"" value=""xxxxxxxxErc9unSydp53fw==""/>
<key name=""uniqueid"" value=""xxxxxxxx/V/dZMpQeAFrng==""/>
<regRequest publicKey=""AAAAAQABu0W2Yv9fdbghf3GIBwaYTscw......h6E7Ahhevw=="" certificateType=""<siteserver>"" resourceGuid=""{2C331CF1-DDC1-402D-9300-196724283D9B}"" fqdn=""<siteserver>.<yourdomain>.com""/>
</resource>
, Exception: System.InvalidOperationException: Cannot issue certificates at this time because there is no registered master certificate with the specified name.
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(Guid id, Guid resourceID, Guid parentID, X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName, DateTime expiryTime, Boolean storePrivateKey)
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(Guid id, Guid resourceID, Guid parentID, X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName, TimeSpan issuingPeriod, Boolean storePrivateKey)
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(Guid id, Guid resourceID, Guid parentID, X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName)
   at Altiris.NS.Security.Cryptography.AgentCertificateManager.IssueServerCertificate(Guid certID, Guid ResourceID, Guid parentID, String sScope, X500DistinguishedName subject, AsymmetricAlgorithm publicKey)
   at Altiris.NS.AgentManagement.AgentCertificateDistributer.DistributePermanentCertificateByTemporary(CertificateRequestData& requestData)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GetClientCertificate(CertificateRequestData& requestData)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.Process(String requestXml, Guid certID, Boolean bEncryptResponse, Boolean bAdminCall, Byte[]& encryptedData))

ITMS 7.x, 8.x

The SMP master CA were deleted from the "Trusted CA store" on the Notification Server.

The Notification Server Certificate Authority certificate is a self-signed certificate that is generated during the installation of the Symantec Management Platform. This certificate is stored in trusted Root on the Notification Server and is used for child certificate signing. 

The following certificates are signed by the Notification Server Certificate Authority certificate:

• Site server certificate
• Internet gateway agent certificate
• Client certificate
• Temporary certificates of Cloud-enabled agent offline installation package

Warning: Do not edit, replace, or delete the Notification Server Certificate Authority certificate. If this certificate is modified, the CEM stops functioning properly . A public copy of this certificate is also propagated to site servers, the Internet Gateway , CEM client computers, and to the CEM agent offline installation package.

Restore the deleted certificates back to "Trusted CA store" as these certificates are used internally by Notification Server for endpoint enrollment and are not related to any SSL connection initialization between the Notification Server and endpoints.

These certificates are created only once during the first installation of the Notification Server, and if you have no back up of the deleted certificate then the attached scripted code will recreate them:

1. Run "c:\Program Files\Altiris\Notification Server\Bin>NScript.exe GenerateSMPmasterCA.cs"
   - Two pfx certificates will be generated on same path where this command run.
   - IMPORTANT: Make note of the 2 "thumbprint values"
2. Open the certificate store:
   - Run, type <mmc> and press return
   - File, Add/remove Snap-in
   - Choose Certificates, on the pop-up window choose "Computer account", then click OK
3. - Expand "Trusted Root Certification Authority", right click "Certificates" folder, and choose <All tasks, import>
4. Change file type to "Personal Information Exchange (*.pfx;*.p12)"
5. Browse to the created certificate and continue the import process by following on screen instructions.
6. Repeat steps 3 to 5 for the second created certificate.
7. Modify Registry keys below with the thumbprint values you noted in step 1:
   HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Agent\Thumbprint
   HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Server\Thumbprint NB (backup in advance is  recommended)
   • Warning: Do not copy thumbprint from certificate properties of MMC>Certificate. This may introduce unicode characters that look identical, but the thumbprint will not match and the certificate will not be found. Either copy the thumbprint from the output of step 1 or manually type the thumbprint into the registry.
8. IIS and Altiris serivices might require restarting if the changes do not apply immediately.