SCCM 2012 R2 - client certificates on workgroup computers

  • Question

  • Hi,

    SCCM 2012 R2

    3 types of computers:

    - domain member computers on the WAN

    - workgroup computers on the WAN

    - workgroup computers on the INTERNET

    If we want to support workgroup computers on the INTERNET, we need certificates as per

    https://technet.microsoft.com/en-us/library/gg712298.aspx

    "Because clients that are managed over the Internet must communicate with Internet-based site systems, ensure that these clients also have public key infrastructure (PKI) certificates installed before you install them. You must install these certificates independently from System Center 2012 Configuration Manager. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager."

    We have one internal CA, available on the WAN only.

    Question 1:

    What do we need to do to automatically enroll the workgroup computers on the Internet so that they get a client certificate and renew it when it expires?

    Question 2:

    Would we be able to use our internal CA for this, or do we need a trusted CA such as Entrust?

    Wednesday, August 3, 2016 7:19 PM

Answers

  • 1. There's no easy path here. Basically, there's no such thing as auto-enrollment or auto-renewal of workgroup computers for certificates. You may be able to script some of this, but it won't be straightforward. You could possibly also use NDES or the Certificate Enrollment Web Service. This is a much bigger question than ConfigMgr though and is better asked on a PKI forum.

    2. Depends. Same answer as above though. Using a public cert authority will get very expensive very quickly though.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, August 3, 2016 9:01 PM
  • 3. No different really. Non-domain and internet connected are two similar complexities. As noted though, you really need to engage a PKI expert here as this really has nothing to do with ConfigMgr.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, August 3, 2016 9:02 PM
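The answers above point at scripting plus the Certificate Enrollment Web Service (CES, fronted by the Certificate Enrollment Policy service, CEP) as the workable route for machines that have no domain connectivity. The PowerShell below is an added illustration of that approach and is not code from the thread, from Jason, or from Microsoft: it checks the local machine store for a client-authentication certificate and, when none exists or it is within a renewal window, submits a request through CEP/CES over HTTPS with username/password authentication, which is what a workgroup or Internet-only computer can actually do. The CEP URL, template name, enrollment account and 30-day threshold are assumptions; the template must be configured to accept the subject from the request and the CEP/CES instances must be published on the Internet with certificates the client already trusts.

```powershell
# Added example, not from the original thread. Renew a ConfigMgr client
# authentication certificate on a workgroup / Internet-only computer via
# CEP/CES. Everything in the "assumed" comments is a placeholder.

$cepUrl          = 'https://cep.example.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'  # assumed
$templateName    = 'ConfigMgrClientCertificate'   # assumed template name
$renewBeforeDays = 30                              # assumed renewal window
$store           = 'Cert:\LocalMachine\My'
$clientAuthOid   = '1.3.6.1.5.5.7.3.2'             # Client Authentication EKU

# Workgroup machines have no Kerberos identity, so CEP/CES is reached with a
# dedicated, low-privilege enrollment account (assumed). In a scheduled task
# this credential would come from a protected store rather than a prompt.
$cred = Get-Credential -Message 'Enrollment account for CEP/CES'

# Newest certificate that carries the Client Authentication EKU, if any.
$existing = Get-ChildItem $store |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

$needsNew = $true
if ($existing) {
    $daysLeft = ($existing.NotAfter - (Get-Date)).Days
    Write-Host "Current client cert $($existing.Thumbprint) expires in $daysLeft day(s)"
    $needsNew = ($daysLeft -le $renewBeforeDays)
}

if (-not $needsNew) {
    Write-Host 'Certificate still valid beyond the renewal window; nothing to do.'
    return
}

# Get-Certificate (PKI module, Windows 8 / Server 2012 and later) talks to the
# CEP endpoint, which in turn points the client at the matching CES endpoint.
$result = Get-Certificate -Template $templateName `
                          -Url $cepUrl `
                          -Credential $cred `
                          -SubjectName "CN=$env:COMPUTERNAME" `
                          -CertStoreLocation $store

switch ($result.Status) {
    'Issued'  { Write-Host "Issued new certificate $($result.Certificate.Thumbprint)" }
    'Pending' { Write-Warning 'Request is pending CA manager approval; re-run later.' }
    default   { Write-Warning "Enrollment failed with status: $($result.Status)" }
}
```

Run it under the SYSTEM account (for example from a scheduled task) so the private key lands in the machine store where the ConfigMgr client looks for it. Old certificates are deliberately left in place; remove them separately once the client has switched to the new one, so a failed renewal never leaves the machine without a usable certificate.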

All replies

  • And Question 3:

    Does it make a difference if I had a domain member (previously added to the domain while on the WAN) that is then permanently taken to the Internet? How would that machine automatically enroll and renew its certificate?

    Wednesday, August 3, 2016 7:21 PM