Certificate Requirement - sccm 2012

  • Question

  • Dear All,

    I would like your advice on certificate requirements for intranet HTTPS data communication.

    My environment information: standalone primary server (Site code: PRI) with two site systems (holding the MP, DP and SUP roles).

    It will be used for software deployment, patch deployment and task sequences (only for package sequence deployment).

    Client requirement: the client wants to enable one site system for HTTPS communication (intranet data communication) for DMZ client support (all DMZ clients are hosted in the same datacenter).

    As per the MS document reference, it requires three certificates:

    1.  Site systems that run Internet Information Services (IIS) and that are configured for HTTPS client connections:

    • Management point

    • Distribution point

    • Software update point

    2. Site systems that have a distribution point installed

    3. Windows client computers

    My doubt is: the site system holds the DP role as well, so do I still need the "Site systems that have a distribution point installed" certificate?

    Or am I missing anything apart from the certificate requirement?

    Regards,

    Kannan.CS


    Regards, kanna

    Wednesday, September 16, 2015 3:04 PM

Answers

  • Only if they will be clients as well.

    Client Certificate for Windows workstations: this certificate is used by the SCCM client to talk to the service. So if the DP doesn't have the SCCM client, it will not require it.


    • Edited by Frederick Dicaire Wednesday, September 16, 2015 4:15 PM
    • Marked as answer by Kannan CS Thursday, September 17, 2015 9:54 AM
    Wednesday, September 16, 2015 4:15 PM
  • MPs do require a client auth cert though in addition to the server auth cert.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by Kannan CS Thursday, September 17, 2015 9:54 AM
    Wednesday, September 16, 2015 6:01 PM

All replies

  • The roles don't really use the certificates on the server side. The server auth certs are actually used by IIS, thus a single site system hosting multiple roles only requires a single cert because, as mentioned, it's really the IIS web site that the roles use that makes use of the cert.

    Does that answer your question, as it's not clear what your question really is?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, September 16, 2015 3:42 PM
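As an added example (not code from this thread, from Microsoft, or from the site-system tooling), the following PowerShell inventories the certificates on a site system the way the replies above describe them being used: IIS presents one server-authentication certificate on its HTTPS binding, and an MP additionally needs a client-authentication certificate. It assumes it runs elevated on the site system, that the WebAdministration module is installed with IIS, and that the HTTPS binding is on port 443; the EKU OIDs are the standard ones, the function names are my own.

```powershell
# Added example, not code from the thread. Report which certificates in the
# site system's machine store carry the Server Authentication EKU (what IIS
# presents on HTTPS) and which carry Client Authentication (what the ConfigMgr
# client, and an MP, present), then check what IIS actually binds on 443.
# Assumptions: elevated session, WebAdministration module present, port 443.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertEkuOids {
    # Return the EKU OID strings of one certificate (empty if it has no EKU extension).
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-SiteSystemCertReport {
    # One row per certificate in LocalMachine\My with the two EKUs that matter here.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ekus = Get-CertEkuOids -Cert $cert
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = ($ekus -contains $ServerAuthOid)
            ClientAuth    = ($ekus -contains $ClientAuthOid)
            Expired       = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

function Test-IisHttpsBinding {
    # Which certificate does IIS present on 443, and is it fit for that purpose?
    Import-Module WebAdministration -ErrorAction Stop
    $bindings = Get-WebBinding -Protocol https |
        Where-Object { $_.bindingInformation -like '*:443:*' }
    if (-not $bindings) {
        Write-Warning 'No HTTPS binding on port 443; the roles on this system are still HTTP-only.'
        return
    }
    foreach ($b in $bindings) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $b.certificateHash }
        if (-not $cert) {
            Write-Warning "Binding $($b.bindingInformation) references thumbprint $($b.certificateHash), which is not in LocalMachine\My."
            continue
        }
        $ekus = Get-CertEkuOids -Cert $cert
        [pscustomobject]@{
            Binding       = $b.bindingInformation
            Thumbprint    = $cert.Thumbprint
            ServerAuthEku = ($ekus -contains $ServerAuthOid)   # must be $true for HTTPS to work
            HasPrivateKey = $cert.HasPrivateKey                 # must be $true, or IIS cannot use it
            DaysToExpiry  = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Usage: a site system hosting MP, DP and SUP needs one ServerAuth row with a
# private key (bound in IIS); an MP also needs a ClientAuth row; a DP that is
# not itself a ConfigMgr client needs no ClientAuth certificate.
Get-SiteSystemCertReport | Format-Table -AutoSize
Test-IisHttpsBinding | Format-List
```

Run it on each site system after the certificates are enrolled and before switching the roles to HTTPS; a binding whose certificate lacks the Server Authentication EKU or a private key is the most common reason clients fail to connect after the switch.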
  • If you are asking whether a DP requires a certificate, the answer is yes, it does. The client will need to authenticate and the DP will need to validate the client certificate.

    If you are asking whether a site server having multiple roles requires multiple certs: you can use a single cert for multiple roles.

    A good starting tutorial about using HTTPS:

    http://blogs.technet.com/b/configmgrdogs/archive/2015/01/22/configmgr-2012-r2-certificate-requirements-and-https-configuration.aspx


    Wednesday, September 16, 2015 3:44 PM
  • Hi Jason,

    Thanks for the reply.

    To enable intranet HTTPS (SSL) communications between site systems (MP, DP, SUP) and clients, do I need two certificates:

    1. Web server certificate for IIS

    2. Client certificate for Windows workstations

    or do I need one more extra certificate (Workstation Authentication) for distribution points?


    Regards, kanna

    • Marked as answer by Kannan CS Thursday, September 17, 2015 9:54 AM
    • Unmarked as answer by Kannan CS Thursday, September 17, 2015 9:54 AM
    Wednesday, September 16, 2015 4:11 PM