Intranet https client communication certificate requirement

  • Question

  • Dear All,

    I need your suggestion and feedback on SCCM client management using https (Intranet).

    My client wants to use https (443) for intranet client communication instead of http (80).

    The site system has MP, DP and SUP roles to manage two untrusted domain clients and a few workgroup clients.

    As per MS, there are three certificates needed to manage an https environment.

    1. Web server certificate
    2. DP certificate
    3. Client certificate

    For trusted domain, I will use auto enrollment of client certificate using group policy to deploy the certificates.

    Here are my questions:

    For untrusted domain/workgroup client communication, do I need to create individual certificates based on the hostname and deploy them manually on the clients,

    Or

    Do we have any other alternate method for certificate deployment?

    Regards,

    Kannan



    cheers, kannan.cs

    Tuesday, April 21, 2015 2:08 PM

Answers

  • For untrusted domain/workgroup client communication, do I need to create individual certificates based on the hostname and deploy them manually on the clients,


    Yes

    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, April 21, 2015 3:38 PM

All replies

  • There are ways of scripting the installation and/or using web policy or web page enrollment, but that doesn't meet the requirements and will still almost always lead to some manual intervention. That's the whole point of AD -- centralized identity and authentication -- and choosing not to join these systems to AD (for whatever reason) means you have chosen not to have this centralized identity, which means it will require some manual intervention (unless you have another management system in place already).

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, April 21, 2015 6:02 PM
  • To add on, you could look into using a PowerShell script to save you some manual actions, but every client needs a certificate. For a PowerShell example see: https://jasonhjones.wordpress.com/2014/10/28/powershell-and-certificate-requests/

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Tuesday, April 21, 2015 6:06 PM
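The kind of scripted, per-host enrollment discussed above, as an added example that is not from the thread or from the linked blog: it builds a certreq INF with this machine's own name as the subject and the Client Authentication EKU, submits it to an AD CS issuing CA, and installs the result in the machine store. The CA config string and template name are placeholders, and the script assumes the workgroup host can reach the CA and that the account running it is allowed to enroll against that template (if it cannot authenticate to an enterprise CA, the CEP/CES route mentioned later in the thread is the alternative).

```powershell
param(
    [string]$CaConfig = 'CA01.corp.example\Corp-Issuing-CA',  # placeholder: <CA host>\<CA name>
    [string]$Template = 'ConfigMgrClientCertificate',         # placeholder template name
    [string]$WorkDir  = "$env:ProgramData\CertRequest"
)

# Every client needs its own certificate, so the subject comes from this host's
# own name; a workgroup host may have no DNS suffix, hence the fallback.
try { $hostName = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName } catch { $hostName = $env:COMPUTERNAME }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'client.inf'
$req = Join-Path $WorkDir 'client.req'
$cer = Join-Path $WorkDir 'client.cer'

# certreq INF: non-exportable 2048-bit RSA key in the machine store and the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2) that the ConfigMgr client
# presents to an HTTPS management point.
@"
[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and CSR, submit it, then bind the issued cert to the key.
certreq.exe -new -q $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
certreq.exe -submit -q -config $CaConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE): denied or pending CA manager approval" }
certreq.exe -accept -q $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Verify: a certificate for this host with the Client Authentication EKU now sits in LocalMachine\My.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

Run it elevated on each workgroup client; the private key never leaves the machine, which is why exporting one "client certificate" from a trusted-domain host and pushing it out does not give each client its own identity.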
  • Hi Torsten,

    Thanks a lot for your answer.

    I have one more question,

    I can export the client certificate from the trusted domain and then deploy the client certificate (based on host name) using GPO to the untrusted domain clients; will it work?

    Regards,

    Kannan


    cheers, kannan.cs

    Tuesday, April 21, 2015 6:06 PM
  • Yes, this is possible, but would involve more work than one of the other methods mentioned. Also keep in mind that it isn't "the client certificate", each client must have its own unique client auth cert.

    Honestly, this is a very PKI specific issue and you should get a PKI smart person involved ASAP.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, April 21, 2015 6:08 PM
  • Thanks for all your answers.

    Kannan

    Wednesday, April 22, 2015 7:15 AM
  • I don't manage our PKI infrastructure, but take a look at this:

    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx

    We do use this kind of solution to provide certificates to our non-domain-joined systems.


    Wednesday, April 22, 2015 10:39 AM