I had set up my SCCM 2007 R2 environment (using native mode) for automatic client push but noticed that none of my clients had the SCCM agent installed after a few days. The log at c:\windows\ccmsetup\ccmsetup.log on the client showed that the installation was failing, and the error messages included:
WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
Failed to send HTTP request. (Error at WinHttpSendRequest: 12175)
This indicates that the computer name that the client is using to contact the management point doesn’t match the FQDN in the Web Server certificate Subject, which is installed on the server and configured in IIS.
The solution was to request (from the enterprise certificate authority) and assign a new certificate in IIS. Using IIS 7.5, open the IIS Manager console, click on the server name, double-click Server Certificates and then click Create Domain Certificate. Fill in the details and select your enterprise CA server. It is important here to use the FQDN of the server in the Common Name field. Once complete, go to the Default Web Site, edit Bindings, click Edit for https, then select your newly issued certificate. You don’t need to restart IIS. Initiate a new client install; it should be successful this time.
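
One way to confirm the fix on the management point before retrying the client push, as an added example that is not part of the original post: it reads the certificate on each IIS https binding and compares its Subject CN with the server's FQDN. It assumes an elevated PowerShell session on the IIS 7.5 server with the WebAdministration module, and that clients contact the management point by the server's DNS FQDN; the function name Test-BindingCertName is hypothetical.

```powershell
# Added example; Test-BindingCertName is a hypothetical helper name.
# Assumes: elevated session on the IIS 7.5 server, WebAdministration module present.
Import-Module WebAdministration

function Test-BindingCertName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedFqdn
    )
    # SimpleName returns the Subject's Common Name (CN) when one is present.
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    New-Object PSObject -Property @{
        SubjectCN  = $cn
        Expected   = $ExpectedFqdn
        Match      = ($cn -ieq $ExpectedFqdn)   # case-insensitive exact match
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
    }
}

# Assumption: clients reach the management point by this server's DNS FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

foreach ($binding in Get-ChildItem IIS:\SslBindings) {
    $path = "Cert:\LocalMachine\$($binding.Store)\$($binding.Thumbprint)"
    if (-not (Test-Path $path)) {
        Write-Warning "Port $($binding.Port): bound certificate not found in store $($binding.Store)"
        continue
    }
    $result = Test-BindingCertName -Certificate (Get-Item $path) -ExpectedFqdn $fqdn
    if (-not $result.Match) {
        # This is the condition behind CERT_CN_INVALID / error 12175 in ccmsetup.log.
        Write-Warning "Port $($binding.Port): Subject CN '$($result.SubjectCN)' does not match '$fqdn'"
    }
    $result | Select-Object SubjectCN, Expected, Match, Thumbprint, NotAfter
}
```

A binding that still reports Match as False (for example, a CN holding only the short host name) is still using the old certificate or one issued with the wrong Common Name.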