Enhanced HTTP Certificate Renewal???

  • Question

  • Can anyone advise on, or has anyone had experience in, renewing the certificates created when Enhanced HTTP is set up in the console? They are available in the console, and only the SMS Issuing Certificate seems to have a 'Renewal' option. I have 6 site systems whose 1-year certificate runs out in 6 weeks, and I want to extend them before it's too late.

    Also, is there any log file that can track the progress of this?

    Thank-you in advance.

    Thursday, November 21, 2019 6:23 PM

All replies

  • As a note, there is nothing about this in the e-HTTP article: 

    https://docs.microsoft.com/en-us/configmgr/core/plan-design/hierarchy/enhanced-http

    Thursday, November 21, 2019 6:23 PM
  • ConfigMgr should renew them automatically to my knowledge.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, November 21, 2019 6:48 PM
  • Thanks Jason.

    Is that written down anywhere?

    The reason I ask is that I am switching a customer over fully to this from a previously internally issued SSL cert for IIS on 443, as they are moving to a CMG, and we have hit a conflict issue with the App Approval process: the CMG wants to use this internal cert, but as it is not signed, the clients don't trust it and therefore give alerts in the browser when approving apps (whereas they trusted the internal PKI cert on 443, but e-HTTP wants 443 to use its own cert for CMG).

    This bug was validated by MS today on a call, so I am having to deploy this cert (SMS Issuing cert & MP cert issued from SMS Issuing) to our clients, but I am conscious of the expiry, so we need to retrospectively re-deploy anything that expires, hence my wanting to do it in advance.

    No way I can do it in advance? Seems like it should be an obvious thing to do :-)

    Thanks

    Thursday, November 21, 2019 6:59 PM
  • So, to clarify, did the customer have HTTPS client communication previously configured, or was the internal cert just left over from something else? Where did this cert come from? All certs are signed, so I'm not sure what this statement means either: "this internal Cert but as it is not signed".

    To answer the question though, no this isn't documented as it's an internal process.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, November 22, 2019 12:29 AM
  • Hi,

    A server authentication certificate is required for the cloud management gateway (CMG).
    There may be other certificates that are also required, depending upon the scenario you use to manage clients on the internet with the cloud management gateway. You need one or more of the following digital certificates:
    CMG server authentication certificate
    CMG trusted root certificate to clients
    Server authentication certificate issued by public provider
    Server authentication certificate issued from enterprise PKI
    Client authentication certificate
    Client trusted root certificate to CMG
    Enable management point for HTTPS
    Azure management certificate

    We can refer to the following article for more details:

    https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/certificates-for-cloud-management-gateway

    Best regards,
    Larry


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 22, 2019 7:54 AM
  • Thank you for taking the time to reply, but my question was not asking how to set up a CMG; I have this information to hand already. I merely referenced this in my earlier reply for context.

    Kind Regards

    Lee

    Friday, November 22, 2019 8:11 AM
  • Jason,

    So the customer had a binding for IIS on 443 as a result of the old Application Catalog, for which an internal SSL cert was created from the PKI infrastructure for authentication. No other role except a legacy AMT role communicates over HTTPS; everything is HTTP.

    When Enhanced HTTP is introduced, it updates the binding on 443 for IIS to the internally signed cert that the CM infrastructure creates, which is fine.

    The issue arises when you use the Application Approval workflow: when an authorizer gets an Approve/Deny email and clicks on it, this makes a call to the Admin Service over HTTPS, and the cert at the other end is not trusted, as the SMS Issuing cert is not recognized as safe by the clients. It throws up a warning in the browser. This is only resolved if the certs are added to the trusted store of the clients.

    I had a call with Microsoft yesterday with one of their CMG SMEs, who recognized the issue, and this was suggested as a workaround to allow both to live on the same MP. However, we have the issue of the expiring certs, which leads me back to my question of how to renew the certificate for the site system.

    You mention this is done automatically? Is this written down anywhere or is there a process to renew them?

    Thanks

    Lee

    Friday, November 22, 2019 8:17 AM
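The original question asks how to tell when the site-created certificates expire, and the post above describes the IIS 443 binding being switched to the site-created cert and the browser not trusting it. The PowerShell script below is an added example, not code from this thread, from Microsoft, or from ConfigMgr itself: run on a site system, it lists the certificates the host actually holds and presents on 443, with days until expiry, so an admin can watch for the automatic renewal Jason mentions (a new thumbprint and later NotAfter) instead of guessing. Everything about certificate naming is an assumption to adjust for your site: that the site CA's subject contains "SMS Issuing", that the site keeps its certificates in the LocalMachine\SMS store, and that the IIS HTTPS binding to inspect is 0.0.0.0:443.

```powershell
<#
  Added example, not code from the thread, from Microsoft or from ConfigMgr.
  Inventories the certificates a ConfigMgr site system holds for Enhanced HTTP
  and the one IIS presents on its HTTPS binding, and reports days until expiry.

  Assumptions (not established by the thread; adjust to your site):
    - the site-created CA's subject contains "SMS Issuing";
    - the site keeps its certificates in the LocalMachine\SMS store, with the
      role certificate also present in LocalMachine\My;
    - the IIS HTTPS binding to inspect is 0.0.0.0:443.
  Run elevated on each site system; run on a workstation for the root-trust check.
#>
param(
    [string]$IssuerName = 'SMS Issuing',   # assumption: subject fragment of the site CA
    [string]$StoreName  = 'SMS',           # assumption: custom store used by the site
    [string]$IpPort     = '0.0.0.0:443',   # assumption: IIS SSL binding to inspect
    [int]   $WarnDays   = 60               # flag anything expiring inside this window
)

function ConvertTo-CertSummary {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Source
    )
    [pscustomobject]@{
        Source        = $Source
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        DaysLeft      = [int][math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
        HasPrivateKey = $Cert.HasPrivateKey
    }
}

$results = New-Object System.Collections.Generic.List[object]

# 1. Everything in the site's own store (issuing root plus role certificates).
$storePath = "Cert:\LocalMachine\$StoreName"
if (Test-Path $storePath) {
    Get-ChildItem $storePath |
        ForEach-Object { $results.Add((ConvertTo-CertSummary -Cert $_ -Source $storePath)) }
} else {
    Write-Warning "Store $storePath not found on this host"
}

# 2. Certificates in the machine's personal store that were issued by that CA.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "*$IssuerName*" } |
    ForEach-Object { $results.Add((ConvertTo-CertSummary -Cert $_ -Source 'Cert:\LocalMachine\My')) }

# 3. The certificate IIS actually presents on the binding. This is what a browser
#    reaching the Admin Service, or a client reaching the MP, evaluates.
#    netsh is used so the script does not depend on the WebAdministration module.
$sslText = (& netsh http show sslcert ipport=$IpPort 2>$null) -join "`n"
if ($sslText -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
    $boundThumb = $Matches[1].ToUpper()
    $bound = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $boundThumb } | Select-Object -First 1
    if ($bound) {
        $results.Add((ConvertTo-CertSummary -Cert $bound -Source "IIS binding $IpPort"))
    } else {
        Write-Warning "Binding $IpPort references thumbprint $boundThumb, which is not in LocalMachine\My"
    }
} else {
    Write-Warning "No SSL certificate bound on $IpPort (the binding may be on a specific IP or hostname)"
}

# 4. Trust check behind the browser warning: is the site's issuing certificate
#    in this machine's Trusted Root store? Without it, browsers here will warn.
$rootTrusted = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$IssuerName*" })
if ($rootTrusted.Count -gt 0) {
    Write-Host "Issuer '$IssuerName' is present in LocalMachine\Root (thumbprint $($rootTrusted[0].Thumbprint))"
} else {
    Write-Host "Issuer '$IssuerName' is NOT in LocalMachine\Root; browsers on this machine will warn"
}

# 5. Report, earliest expiry first, and flag anything inside the warning window.
$results | Sort-Object NotAfter | Format-Table Source, Subject, DaysLeft, NotAfter, HasPrivateKey -AutoSize
$expiring = @($results | Where-Object { $_.DaysLeft -le $WarnDays })
if ($expiring.Count -gt 0) {
    Write-Warning ("{0} certificate(s) expire within {1} days:" -f $expiring.Count, $WarnDays)
    foreach ($c in $expiring) {
        Write-Warning ("  {0} [{1}] expires {2:yyyy-MM-dd}" -f $c.Subject, $c.Source, $c.NotAfter)
    }
}
```

Run it on each of the site systems now and again as the expiry date approaches; if the thumbprint on the IIS binding changes and NotAfter moves out, the site has renewed the certificate, and any client that was given the old MP certificate as a workaround needs the new one. Note that the script only reads stores and the binding; it does not renew anything, and it deliberately names no ConfigMgr log file, since the thread does not establish one for this process.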
  • It's essentially explained on this page, albeit without enough detail outlining the end-user ramifications or how best to combat the issue:

    https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/app-approval

    "Note

    When the site creates a certificate for the SMS Provider, it won't be trusted by the web browser on the client. Based on your security settings, when responding to an application request, you may see a security warning."

    Friday, November 22, 2019 8:46 AM
  • You mention this is done automatically? Is this written down anywhere or is there a process to renew them?

    As noted no, this is an internal process not meant to have admin visibility or intervention.

    There is a much better solution here though: move the SMS Provider off of the MP, or vice versa. I would never co-locate these roles in the first place.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, November 22, 2019 2:32 PM