Citrix Password Manager goes on vacation if SSL certificate expires
Last month we had the pleasure of having the Key-Management SSL Certificate expire on the server running the Citrix Password Manager software (CPM from now on). This resulted in one of the following errors for certain users during login:
The Password Manager Service Key Management Module could not be contacted.
Or
The Password Manager Service Key Management Module could not locate your keys. Contact your administrator. Password Manager agent will now shutdown.
You can trigger this issue by changing the password for a user and then performing a logoff-logon… cool.. now what..?
When trying to start the Service Configuration tool on the CPM server we were greeted with the following kind message before the tool exited:
The XTE Server log was giving some insight into why certain users were getting this error:
[warn] Clients will be unable to connect to this secure server because the certificate with identifier 633499B93637455657543 for server.domain.local:443 is outside of its valid date range.
So I checked the certificate on the IIS server and indeed..it had expired!
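An added example, not part of the original post: a Python scan of XTE Server log lines for the warning quoted above, so the condition can be alerted on from the log instead of being found through user reports. The sample lines are constructed from the one message in the post; `other.domain.local`, its identifier and the `[notice]` line are made up, and tolerating a prefix before `[warn]` is an assumption.

```python
import re
from collections import Counter

# Pattern built from the single XTE warning quoted in the post. Any text
# before "[warn]" (for example a timestamp) is tolerated; that is an assumption.
CERT_WARNING = re.compile(
    r"\[warn\].*?certificate with identifier (?P<cert_id>\S+) "
    r"for (?P<host>[^\s:]+):(?P<port>\d+) is outside of its valid date range"
)


def find_cert_warnings(lines):
    """Return {(host, port, cert_id): hit_count} for every matching warning."""
    hits = Counter()
    for line in lines:
        m = CERT_WARNING.search(line)
        if m:
            hits[(m["host"], int(m["port"]), m["cert_id"])] += 1
    return dict(hits)


def summarize(hits):
    """One alert line per affected endpoint, most frequent first."""
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"{host}:{port} certificate {cert_id} outside valid date range ({n} warnings)"
        for (host, port, cert_id), n in ordered
    ]


# Constructed sample log: the first two lines repeat the message from the post,
# the other two are invented for the example.
SAMPLE_LOG = """\
[warn] Clients will be unable to connect to this secure server because the certificate with identifier 633499B93637455657543 for server.domain.local:443 is outside of its valid date range.
[notice] constructed unrelated line
[warn] Clients will be unable to connect to this secure server because the certificate with identifier 633499B93637455657543 for server.domain.local:443 is outside of its valid date range.
[warn] Clients will be unable to connect to this secure server because the certificate with identifier ABCDEF0123 for other.domain.local:443 is outside of its valid date range.
""".splitlines()

if __name__ == "__main__":
    for alert in summarize(find_cert_warnings(SAMPLE_LOG)):
        print(alert)
```

The warning covers any certificate outside its validity window, so a certificate that is not yet valid would be reported the same way as an expired one.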
These are the steps that should fix this issue.
Our certificate was generated using an internal CA so:
1 ) Go to the website properties on the CPM Server and select “Server Certificate”
2 ) Select “Renew the current certificate”
3 ) Save the request and then browse to your local CA, usually: http://servername/certsrv
4 ) Click on “request a certificate” and select “advanced certificate request”
5 ) Select the second option and open the file you created at the end of step 2. Copy and paste the content of the file into the “saved request” field
6 ) As template select “Web Server” and click on “Submit”
7 ) Save the certificate and go back to the IIS server to complete the certificate renewal.
8 ) NOW FOR THE TRICKY PART!
After these steps the Service Configuration tool was able to start again without the error I got earlier, but apparently the CPM Service doesn’t “get” the fact that you renewed the certificate and will still not work properly. I tried restarting the service and rebooting the server, which didn’t help.
Then my colleague by accident clicked on “OK” (instead of cancel) in the Service Configuration tool which caused the configuration to be rewritten and suddenly the errors were gone!
Here are some links which may also help you with troubleshooting CPM:
Troubleshooting the CPM Service
Automatic key recovery
TAGS: Citrix, Password Manager Service Key Management Module, Troubleshooting, CPM
Posted: March 17th, 2009 under SBC.