Cloud Enabled Management Agents cannot Update Configuration or receive tasks after changing the certificate of the Internet Gateway.
In the Sym Agent logs the following error is seen:
Operation 'CEM: Connect' failed.
Protocol: HTTPS
Original host: NS SERVER:443
Real host: GateWay:443
Path: /
Connection id: 21.9564
Communication profile id: {3D7F459F-E0D2-499F-BA54-147F9BF7894F}
Throttling: 0 0 0
Error type: TLS Handshake error
Error code: The certificate chain was issued by an authority that is not trusted (0x80090325)
Error note: 'Gateway' server's certificate is not valid, thumbprint mismatch
Gateway HTTPS connection info:
   Server certificate:
      Serial number: xx 4c 07 76 00 00 xx xx
      Thumbprint: xx xx xx 74 df d0 ce b5 95 b2 b7 c0 87 17 68 43 xx xxxx xx
   Cryptographic protocol: TLS 1.2
   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   Cipher algorithm: AES
   Cipher key length: 256
   Hash algorithm:
   Hash length: 0
   Key exchange algorithm: ECDH
   Key length: 256
Other error on the agent:
The certificate chain was issued by an authority that is not trusted (0x80090325)
ITMS 8.x
The new certificate installed on the Gateway is not self-signed. When checking this certificate it was found that the private key is not imported to the Gateway.
In the Gateway manager, on the General tab, click the certificate and make sure the private key is imported.
If the private key doesn't exist, reimport the certificate and make sure the private key is imported with it.
Install the certificate in the Trusted Root Certification Authorities store of the Local Computer.
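The two checks above (private key present, chain trusted by the Local Computer) can also be verified from PowerShell. This is an added example, not Symantec's own tooling: the function name `Test-GatewayCertificate` is hypothetical, the thumbprint is a placeholder, and it assumes the gateway certificate is present in the Local Computer Personal store.

```powershell
# Added example; Test-GatewayCertificate is a hypothetical helper name.
function Test-GatewayCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Build the chain in machine context so only Local Computer stores are consulted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Skip revocation so an unreachable CRL does not hide a trust failure.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)

    # The last chain element is the topmost certificate Windows could locate.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $topInRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $top.Thumbprint)

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        SelfSigned       = ($Certificate.Subject -eq $Certificate.Issuer)
        HasPrivateKey    = $Certificate.HasPrivateKey   # False matches the cause described above
        ChainTrusted     = $trusted                     # False corresponds to the untrusted-authority error
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChain       = $top.Subject
        TopInMachineRoot = $topInRoot
    }
}

# Placeholder: replace with the thumbprint shown for the gateway certificate.
$thumb = '<GATEWAY-CERT-THUMBPRINT>'
# Assumption: the certificate was imported into the Local Computer Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if ($cert) {
    Test-GatewayCertificate -Certificate $cert | Format-List
} else {
    Write-Warning "No certificate with thumbprint $thumb found in LocalMachine\My"
}
```

A healthy result shows `HasPrivateKey`, `ChainTrusted` and `TopInMachineRoot` all `True`; a `ChainStatus` of `UntrustedRoot` or `PartialChain` means the issuing CA certificate is missing from the Local Computer trust stores.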
Configuring the Cloud-Enabled Management Agent IIS Website Settings