SCCM (MCM): 0x87d00231 in ccmmessaging.log on connection to CMG

I installed CMG for one of my Customers. The Clients use internal PKI certs and CMG uses a public wildcard cert.

When I put one of the Clients on the Internet and tried to get an app installed, the attempt failed, as well, the Client went grey in SCCM console.

I checked the Client settings and found it knows about CMG, but cannot connect to it. in ccmMessaging.log I saw:

I ran CMG Connection analyzer

1. With AAD credentials it was all green

2. I generated a client certificate and tried authenticate with it. This time Analyzer gave me a message saying CMG does not trust my cert. That was interesting, because I provided the certificate chain root cert for internal PKI during CMG configuration and I disabled revocation list check (since PKI was not configured as per best practice and did not have CRL properly published publicly).

So I tried removing the root certificate, resync configuration to CMG, add the certificate back and resync again. That did not help.

Resolution: with the root certificate added to the configuration I stopped CMG and start it back (it initiates re-deployment).  After that the messages were delivered successfully, the client went green in SCCM console and the app has been download and installed successfully: