Information for Certs being installed to Intermediate Certificate Authority store

Article ID: 211253

Products

IT Management Suite

Issue/Introduction

Certificate chains are installed on managed endpoints so that SSL/HTTPS communication with the server can be validated up to the Root Certificate Authority. If you are planning a certificate change for the Symantec Management Platform (SMP or NS) Server and its Site Servers, this article explains why intermediate certificates end up in the Intermediate Certification Authorities store and why this behaviour cannot be changed.

Environment

ITMS 8.x

Resolution

The following information is provided for reference; it is not intended to be a detailed technical document on how certificate procedures work.

Our certificate distribution system is a work in progress and an overview is:

  • the server looks for certificates assigned to the SMP server websites and collects all intermediate and root certificates associated with all web certificates
  • the server puts those certificate chains into the connection profiles
  • the client gets certificate chains from the connection profiles and installs them as below
    • self-signed, i.e. root certificates go into the Trusted Root store
    • all intermediate certificates go into the Intermediate Certificate Store

If you have a newer version of the Symantec Management Agent (SMA), friendly names such as "SMA: NS: Web Site certificate" are no longer added by the SMA, so it is harder to tell at a glance whether a particular certificate in the chain is an intermediate certificate. A certificate is intermediate in the sense that it is signed by a root certificate and some other certificate is signed by it; in theory nothing prevents a user from assigning an intermediate certificate to a website, provided that the certificate has the appropriate usages set.

You need to check the actual certificates. The friendly name "SMA: NS: Web Site certificate" was given to the certificates that could be used to authenticate an HTTPS connection to the SMP server, so they are not really "Web Site" certificates: the SMA does not install the actual web site certificate, it only installs intermediate and root certificates. The web site certificate arrives during HTTPS connection establishment and is validated on the client machine against the installed root and intermediate certificates.

So given the above:

  1. If you do not want a particular root or intermediate certificate to be installed by the SMA, remove it from the Agent / Site Server communication profiles.
  2. If a certificate is used on many site servers, inspect all of the connection profiles and remove the certificate from every one of them.
  3. Unfortunately, the SMA has no certificate removal functionality of its own, so you may need a script to clean up these certificates on the agents if required. The SMA cannot install certificates that are no longer in the Site Server Communication Profiles, and it will not remove certificates that have been removed from those profiles. If this is done incorrectly, there is a possibility that the SMA will lose its connection to the servers.

And about this assumption:

"Our management has stated the SMP server certificates do not belong in the Intermediate Certification Authorities since they are not Certificate Authorities."

An intermediate certificate does not have to come from a public certificate authority; it is simply a certificate that is used to sign some other certificate (an end certificate or another intermediate) and is itself signed by a root or another intermediate certificate. In X.509 terms it is still a CA certificate: its basic constraints must mark it as a CA, otherwise Windows would not accept it as an issuer when building the chain, which is exactly why it belongs in the Intermediate Certification Authorities store rather than the Personal store.

In any case, we suggest checking all the certificate chains in the system, i.e.:

  • web sites should be assigned the end certificates
  • these end certificates are not in any connection profiles
  • the intermediate and root certificates used to sign the web certificates are in the connection profiles, unless they are not needed there because a GPO installs them
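As an added example (this is not code from the article or from the ITMS product), the following PowerShell performs this check from an endpoint: it captures the chain presented during the HTTPS handshake with a Site Server or SMP server and reports whether the root is in LocalMachine\Root, whether each intermediate is in LocalMachine\CA (the Intermediate Certification Authorities store), and whether the end certificate has wrongly ended up in either store. It is run as an administrator on the client; the server name is a placeholder, and the "subject equals issuer" test is a simplification used to recognise the root. The same check is the one behind question 2 in the Questions and Answers below.

```powershell
# Added example, not code from the article or from the ITMS product.
# Captures the certificate chain the client builds for an SMP / Site Server
# HTTPS endpoint and checks each element against the stores the SMA
# installs to. Server name and port are placeholders.

function Get-SmpPresentedChain {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    # The validation callback receives the chain .NET built from the handshake
    # (leaf + intermediates the server sent + what is in the local stores).
    # The certificates are copied out by raw bytes because the chain object is
    # released after the callback returns, and the callback accepts the
    # connection regardless of the result so that a broken chain can still be inspected.
    $global:SmpPresentedChain = @()
    $global:SmpChainStatus    = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $global:SmpPresentedChain = @($chain.ChainElements | ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData)
        })
        $global:SmpChainStatus = $sslPolicyErrors
        return $true
    }

    $tcp = [System.Net.Sockets.TcpClient]::new($ComputerName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        # TLS 1.2 explicitly (older .NET defaults may be refused); no client certificate, no revocation check.
        $ssl.AuthenticateAsClient($ComputerName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }

    [pscustomobject]@{ Chain = $global:SmpPresentedChain; Status = $global:SmpChainStatus }
}

function Test-SmpChainStores {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    $result = Get-SmpPresentedChain -ComputerName $ComputerName -Port $Port
    $chain  = $result.Chain
    Write-Host "Validation result reported by .NET on this client: $($result.Status)"

    for ($i = 0; $i -lt $chain.Count; $i++) {
        $c          = $chain[$i]
        $isLeaf     = ($i -eq 0)                    # ChainElements[0] is always the web site certificate
        $selfSigned = ($c.Subject -eq $c.Issuer)    # simplification: self-issued = root
        $role = if ($isLeaf -and $selfSigned) { 'self-signed web site' }
                elseif ($isLeaf)             { 'web site' }
                elseif ($selfSigned)         { 'root' }
                else                         { 'intermediate' }
        # Where the SMA would put it: self-signed -> Root, intermediates -> CA, end cert -> nowhere on the client.
        $expectedStore = if ($selfSigned) { 'Root' } elseif ($isLeaf) { $null } else { 'CA' }

        $foundIn = foreach ($store in 'Root', 'CA') {
            if (Test-Path "Cert:\LocalMachine\$store\$($c.Thumbprint)") { $store }
        }

        $state = if (-not $expectedStore) {
            if ($foundIn) { "PROBLEM: end certificate is installed in LocalMachine\$($foundIn -join ', '); it belongs only on the web site" }
            else          { 'OK: not installed here; it arrives with the HTTPS handshake' }
        } elseif ($foundIn -contains $expectedStore) {
            "OK: present in LocalMachine\$expectedStore"
        } else {
            "MISSING from LocalMachine\$expectedStore; chain validation fails unless a connection profile or GPO installs it"
        }

        [pscustomobject]@{ Position = $i; Role = $role; Subject = $c.Subject; Thumbprint = $c.Thumbprint; State = $state }
    }

    # If the chain does not end in a self-signed certificate, the issuer of the last
    # element was neither sent by the server nor found locally (a partial chain).
    $last = $chain[-1]
    if ($last -and $last.Subject -ne $last.Issuer) {
        Write-Warning "Chain stops at '$($last.Subject)'; its issuer '$($last.Issuer)' is not available on this client."
    }
}

# Usage (placeholder host): Test-SmpChainStores -ComputerName 'smp.example.com' | Format-Table Position, Role, State -AutoSize
```

Run it before and after removing anything from the stores or from the connection profiles: a row reporting MISSING for a root or intermediate is the "SMA loses connection" case described above, and a PROBLEM row for the end certificate means an end certificate has been put into a connection profile.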

Also, the SMA has certificate backup/restore functionality: at each startup, and then periodically, the SMA checks that all backed-up certificates are in the proper stores. This eliminates the "dead SMA scenario", in which a missing certificate prevents the connection to the SMP server.

All installed, restored and backed-up certificates appear in the agent log, identified by their thumbprints.

To remove a certificate backup, the SMATool.exe can be used:

A. Stop the SMA service.

Find smatool.exe on your SMP Server in ...\Program Files\Altiris\Notification Server\Bin\Tools, copy it to the endpoint, and run the following commands there as needed.

B. smatool /storage enum AgentCore\CertificateBackup - lists the backed-up certificates by thumbprint.

C. smatool /storage delete AgentCore\CertificateBackup - removes all the backed-up certificates, or only some of them if you specify the exact path of an entry.

The enumeration command will list every certificate as:

AgentCore\CertificateBackup\2\22cda26b89c13d9c017776c75868b33f97f1df17

The last component of the path is the thumbprint.  

\2\ is the store ID, i.e. the store where the certificate should be located:

  0 - SMA Service Personal store (CEM certificates go there)
  1 - Machine store
  2 - Root store
  3 - Client Auth Issuers store
  4 - Intermediate store

D. start SMA service, it will not attempt to restore the removed certificates
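As an added example (not code from the article or from the ITMS product), the following PowerShell parses the enumeration output of step B, maps each store ID to the Windows store the SMA would restore into, and reports which backup entries no longer have a matching certificate in that store; for those it prints the full-path delete command of step C. The sample output is constructed for the example (only the first entry is the one shown in the article), the Cert: paths for store IDs 1 to 4 are my assumption about which Windows stores the listed names refer to, and store ID 0 (the SMA service's own personal store) is reported but not checked because it has no fixed LocalMachine path.

```powershell
# Added example, not code from the article or from the ITMS product.
# Sample `smatool /storage enum AgentCore\CertificateBackup` output,
# constructed for this example; the first entry is the one in the article.
$SampleEnumOutput = @(
    'AgentCore\CertificateBackup\2\22cda26b89c13d9c017776c75868b33f97f1df17'
    'AgentCore\CertificateBackup\4\0123456789abcdef0123456789abcdef01234567'
    'AgentCore\CertificateBackup\0\89abcdef0123456789abcdef0123456789abcdef'
)

# Store IDs as listed in the article. The Cert: paths are an assumption about
# which Windows stores those names correspond to; ID 0 is not checked.
$StoreById = @{
    '0' = @{ Name = 'SMA Service Personal store (CEM)'; Path = $null }
    '1' = @{ Name = 'Machine store';                    Path = 'Cert:\LocalMachine\My' }
    '2' = @{ Name = 'Root store';                       Path = 'Cert:\LocalMachine\Root' }
    '3' = @{ Name = 'Client Auth Issuers store';        Path = 'Cert:\LocalMachine\ClientAuthIssuer' }
    '4' = @{ Name = 'Intermediate store';               Path = 'Cert:\LocalMachine\CA' }
}

function ConvertFrom-SmaBackupEnum {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Only AgentCore\CertificateBackup\<storeId>\<SHA-1 thumbprint> lines are entries; anything else is ignored.
        if ($line.Trim() -match '^AgentCore\\CertificateBackup\\(\d+)\\([0-9A-Fa-f]{40})$') {
            $info = $StoreById[$Matches[1]]
            [pscustomobject]@{
                Path       = $line.Trim()
                StoreId    = [int]$Matches[1]
                StoreName  = if ($info) { $info.Name } else { 'unknown store ID' }
                StorePath  = if ($info) { $info.Path } else { $null }
                Thumbprint = $Matches[2].ToUpperInvariant()
            }
        }
    }
}

function Find-StaleSmaBackup {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($entry in ConvertFrom-SmaBackupEnum -Lines $Lines) {
        # $null = not checkable, $true/$false = whether the thumbprint is in the mapped store
        $present = if ($entry.StorePath) { Test-Path "$($entry.StorePath)\$($entry.Thumbprint)" } else { $null }
        [pscustomobject]@{
            StoreId    = $entry.StoreId
            StoreName  = $entry.StoreName
            Thumbprint = $entry.Thumbprint
            InStore    = if ($null -eq $present) { 'not checked' } elseif ($present) { 'yes' } else { 'no (SMA restores it at next start)' }
            # Exact-path delete as described in step C; run it only while the SMA service is stopped.
            DeleteCmd  = if ($present -eq $false) { "smatool /storage delete $($entry.Path)" } else { '' }
        }
    }
}

# Live data: after copying smatool.exe to the endpoint, feed its output instead of the sample:
#   $lines = & .\smatool.exe /storage enum AgentCore\CertificateBackup
Find-StaleSmaBackup -Lines $SampleEnumOutput | Format-Table -AutoSize
```

The point of checking the store before deleting a backup is the order of steps A to D: an entry whose certificate is still in the mapped store is harmless, while an entry whose certificate you have already removed from the store is exactly the one the SMA would silently put back at the next service start unless its backup is deleted too.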

Once again: a certificate chain consists of the root certificate, the intermediate certificate(s), and the SSL (web site) certificate. We install the root into Trusted Root Certification Authorities and all intermediate certificates into Intermediate Certification Authorities; this is Microsoft's best practice.
The SMA does nothing if the certificates are already installed.

Questions and Answers:

1. Will this prevent WORKGROUP systems without the intermediate certificates from communicating with Altiris?

Answer: It does not matter whether the machine is in a workgroup or a domain; certificate usage and HTTPS connections do not depend on that.

2. Is there a problem with the SMA on a client computer if there is not an intermediate certificate?

Answer: Regarding "systems without the intermediate certificate": if the web site is assigned a certificate with 4 certificates in its chain (1 root + 2 intermediate + 1 web site), then the 1 root and 2 intermediate certificates must be available on the client, otherwise certificate chain validation will fail.

In other words, you can remove any expired certificate, or any certificate that is not used in any chain, but every certificate from a valid chain must remain.

3. When was the change made so that friendly names like "SMA: NS: Web Site certificate" are no longer added by the SMA?

Answer: These changes were made in 8.5 RU4, see Release Notes.

NOTE: In 8.5 RU3 and earlier, Symantec Management Agent sets friendly names for certificates. Starting from 8.5 RU4, the following changes are introduced:

  • After installation, the agent does not set friendly names for certificates.
  • After the upgrade, the agent removes the friendly names that it has previously set.