Symantec Management Agent (SMA) logs several messages as seen here:
Package server could not access own Web Site using HTTPS
NOTE: As far as functionality goes, the packages are accessible in the Package Server itself as well when requested by the client machines. For example the following URL returned the expected resources and showing the packages are available via HTTPS request:
https:///Altiris/PS/Share/pkggroup_%7B562664ad-792e-4b54-bce4-50a35096d58c%7D/%7B6D417916-467C-46A7-A870-6D86D9345B61%7D/cache
ITMS 8.x
Windows 2012 site servers
IIS is trying to validate the root certificates and unable to find these in the certificate store.
In short, starting with Windows 2012, while attempting the certificate chain validation of non self-signed certificates, IIS now searches in the "Client Authentication Issuers" store.
Changes to address this were first included in ITMS 8.0 HF5 and later to handle this situation, the Microsoft changes done in Windows Server 2012 and Windows 8.
The official suggestion from Microsoft is to remove all non self-signed certificates from Trusted Root, described here:
IIS may reject client certificate requests with HTTP 403.7 or 403.16 errors
The changes in SSL are described by Microsoft here:
What's New in TLS/SSL (Schannel SSP)
Copy all the issuer certificates from your certificate chain to the "Client Authentication Issuers" store for Local Computer.
When IIS bindings are already created, the system SSL records need to be modified to point to the correct store. Since the commandline tool does not support editing, you'll need to recreate the system binding as described here:
Get information about existing binding (This command will dump existing bindings information. Find the port that represents desired binding):
netsh http show sslcert
NOTE: Save the port, application ID, and certificate thumbprint information somewhere (it will be required at step 3).
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443
certhash=0b2261ebcbda378c69251942651c46e7cc73674a
appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlstorename=ClientAuthIssuer
Important note! The "ipport", "appid" and "certhash" must be set to values obtained at step 1. If you are re-using the same certificate, the certhash will be the same. If you are replacing the certificate, please import the new certificate, then copy the certhash and use that when you are rebinding the certificate at the command line. The appid will be the same one that you gathered earlier.
NOTE: No restarts are needed.