After replacing master certificate (SMP*** Agent CA) clients no longer able to register and SMP log filled with errors:

Unable to get the client certificate associated with the specified request 

...

Object reference not set to an instance of an object.
   [NullReferenceException @ Altiris.NS.StandardItems.dll]
   at Altiris.NS.StandardItems.CertificateConfiguration.CEMDigitalCertificateDistributer.LookupMasterCertificateChain()
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GetMasterCertificates(ref string)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GenerateLegacyResponse(string, CertificateRequestData, Guid, bool, out X509Certificate2, out X509Certificate2)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.Process(string, Guid, bool, bool, out byte[], out Dictionary<string,X509Certificate2>, ICertificateDistributor)

Itms 8.7 and later

Thumbprint specified under [HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Agent] is wrong

Ensure thumbprint matches thumbprint of the certificate.

If thumbprint looks valid in RegEdit, still copy it into Notepad++ or some other text editor to verify hex of the string.

It is possible some special ASCII characters within the string causing the problem.

Replace with proper string containing thumbprint characters only.