locked
Internet Management Point--Wildcard Cert RRS feed

  • Question

  • I am working in an infrastructure in which the client is using a 3rd party wildcard certificate for the Internet-based Management Point. I cannot find any information concerning support for this configuration.  Of course, everything I am finding from MS documents explains how to issue a cert for all SCCM site systems via an internal CA.  Can you tell me if the wildcard cert is supported?  Issues or concerns?

    Thanks in advance.


    • Edited by AMRDC Thursday, January 12, 2017 1:01 AM
    Thursday, January 12, 2017 1:00 AM

Answers

  • Thank you so much for your help. 
    • Marked as answer by AMRDC Thursday, January 12, 2017 10:08 PM
    Thursday, January 12, 2017 10:08 PM

All replies

  • Yes it will work; however, how do you plan on issuing unique client auth certs to all of the clients if not by an internal PKI?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, January 12, 2017 1:25 AM
  • Hi Jason,

    Thanks for the quick reply.  They currently have an internal enterprise PKI solution.  All the clients are issued a client auth cert.  All clients are members of the domain in which the CA resides but they opted for a 3rd party wildcard cert for the Internet MP.  Any issues with that configuration?  When 'Internet' clients, they would use the wildcard cert?  Does the Internet client in this scenario still have to have access to the internal CRL?  I appreciate the help.  I am trying to get my head wrapped around the certs, Internet clients and CRL access. 

    Thursday, January 12, 2017 1:48 AM
  • It should be able to work, however as stated, not recommended. Publish a CRL that can be accessed over HTTP with an Internet FQDN


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by Frank Dong Thursday, January 12, 2017 12:15 PM
    Thursday, January 12, 2017 12:12 PM
  • A cert is a cert is a cert. ConfigMgr doesn't care or have any way to tell the difference as long as it meets the requirements listed on TechNet and is trusted.

    First, you can always disable client side CRL checking in ConfigMgr -- not necessarily recommended but in this case, use of the certs is a means to and end that's makes this acceptable in most cases (although that's ultimately for you to determine and not me).

    Next, I'm pretty sure that the client agents still validate their own certs using the CRL as well so simply using a cert from a public CA for the MP doesn't address the CRL accessibility issue anyway.

    Thus, if your internal PKI's CRL is not currently Internet accessible (and you have no plans on making it Internet accessible) then your only real option is to disable client CRL checking regardless of the source of the MP's cert or the ability to reach the CRL for that same cert.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by AMRDC Thursday, January 12, 2017 10:06 PM
    • Unmarked as answer by AMRDC Thursday, January 12, 2017 10:07 PM
    • Proposed as answer by Garth JonesMVP Thursday, January 12, 2017 11:01 PM
    Thursday, January 12, 2017 4:49 PM
  • Thank you so much for your help. 
    • Marked as answer by AMRDC Thursday, January 12, 2017 10:08 PM
    Thursday, January 12, 2017 10:08 PM