This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 74%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hi, we are currently setting up monitoring for our Entra Private Network Connector farms. We are achieving this with SCOM, but to the point of monitoring the certificates on the machines.
They all alert on chain issues regarding the Connector Client Certificates, which are signed by the connectorregistrationca.msappproxy.net CA, which is not in the trusted issuers store. So when SCOM tries to validate the certificate, it encounters a chain issue. The certificate cannot be validated.
The simplest solution is to download the public part of the CA, and import it in the trusted issuers store. But the thing is, that it seems that the public part is nowhere to be found on the internet.
Is there anyone out there that knows the location of it so we can download it and overcome the certificate monitoring issue? Or any other solution/workaround?
Thank you in advance!
René
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@René Posthumus Thank you for reaching out to us, let me research on this ask and revert back.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Please don't respond with a copy/paste answer which doesn't help solving the issue. I saw this answer many times. The TrustSettings file only contains a thumbprint, and not the public part of the Issuer certificate.
Hi @Givary-MSFT ,
Thank you for responding, i'm very curious what you come up with :-)
@René Posthumus Thank you for your patience. I discussed this issue with my team, and they recommend excluding that certificate from verification. Since it’s not necessary for you to validate it, we can take care of the validation on our end once it is used.
Thank you for getting back. We do want to verify if the certificate is still valid, but SCOM has to exclude the chain check. Is there any way to do so? And can you tell me what is the reason for not publishing the CA so users can put it in their trust stores to overcome this issue?
@René Posthumus Regarding the SCOM, I would be adding Operations manager tag to the visibility, if in case you don't get a response would recommend creating a another QnA post to get help from SCOM on how to exclude the certificate chain from the monitoring.
As far I am aware the reason behind not publishing the trusted cert, as the purpose of the certificate is client authentication, that means you don't need the check the chain for this on the client side.
Let me know if you have any further questions, feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Hi @Givary-MSFT , thank you for the clear answer. We will move forward on the exclusion track in SCOM. Have a nice day!