Internet Based Clients with 3rd party certificates

Hi there, I was wondering whether 3rd party certificates such as Comodo secure server certificates can be used on Internet-facing management points?

regards,

Dutch guy

June 22nd, 2015 5:58am

Yes, you can use 3rd party certificates on your Internet-facing site systems. Basically it doesn't matter where the certificate comes from, as long as it's valid and can serve its purpose.
June 22nd, 2015 6:08am

At this moment Client Computer Communication \ Site Properties \ Trusted Root Certification Authorities is unconfigured. Because we use a Comodo certificate with a Root and Intermediate certificate in between, I'm not sure whether or not I should configure this for Client Computer Communication?

I did select HTTPS or HTTP and checked Use PKI client certificate (client authentication capability) when available.

June 22nd, 2015 6:54am

That setting is only relevant for PXE over HTTPS. In that case it will select a client certificate that's issued by the configured trusted root certificate authority. See also the information provided here: https://social.technet.microsoft.com/Forums/en-US/122a50d1-dcbb-4ec5-86dc-6db3c9e2de01/trusted-root-certification-authorities-on-site-setting-client-computer-communication-tab?forum=configmanagersecurity
June 22nd, 2015 7:09am

based on this blog: http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx

other tech guys would disagree

.....Error code 87d00281 means No certificate matching criteria specified

In order to resolve this, navigate to Client Computer Communication under Site Properties and go to Trusted Root Certification Authorities and click on Set. After doing that, specify the self-signed cert of CA2 without its private key and click on OK......

June 22nd, 2015 7:20am

Note that CA2 in that post refers to the cert of the CA issuing the client certs, not the certs for the site systems as that cert is never actually seen by ConfigMgr.

Have you issued [unique] client auth certs to each and every client that will be managed via HTTPS?

June 22nd, 2015 8:21am
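
The replies above turn on which root CA issued the client certificates, so here is a check to run on a client, added as an example that is not part of the original thread: it lists the certificates in the computer's Personal store that carry the Client Authentication EKU and shows the root each one chains to. The function name and the thumbprint placeholder are assumptions; replace the placeholder with the thumbprint of the root CA set under Trusted Root Certification Authorities in the site properties.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell session.
function Get-ClientAuthCertReport {
    param(
        # Placeholder (assumption): thumbprint of the root CA configured on the site.
        [string]$SiteRootThumbprint = '<ROOT-CA-THUMBPRINT>'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'            # Client Authentication EKU
    $wanted = $SiteRootThumbprint -replace '\s', ''  # tolerate pasted spaces

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Collect the EKU OIDs; certificates without an explicit EKU are skipped here.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekus -notcontains $clientAuthOid) { return }

        # Build the chain in machine context; revocation is not checked in this report.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)

        # The last chain element is the root when the chain is complete.
        $top = $null
        if ($chain.ChainElements.Count -gt 0) {
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        }
        $isRoot = ($null -ne $top) -and ($top.Subject -eq $top.Issuer)

        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            HasPrivateKey   = $cert.HasPrivateKey
            ChainBuilds     = $built
            RootSubject     = if ($isRoot) { $top.Subject } else { '(chain incomplete)' }
            RootThumbprint  = if ($isRoot) { $top.Thumbprint } else { $null }
            MatchesSiteRoot = $isRoot -and ($top.Thumbprint -eq $wanted)
        }
    }
}

Get-ClientAuthCertReport | Format-List
```

A client with no row where MatchesSiteRoot and HasPrivateKey are both True has no certificate issued under the configured root, which is the situation the quoted "No certificate matching criteria specified" error describes.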

The client certificates are unique; however, they are created by a non-Microsoft PKI CA. We found that the certs are version 3, which are probably not compatible with ConfigMgr.

Is version 3 corresponding with the MS PKI cert template "Windows 2008 Server, Enterprise Edition" ?
And is version 2 corresponding with the "Windows 2003 Server, Enterprise Edition" template?

Which cert properties are different?

Which settings should be used when using OpenSSL?

June 30th, 2015 8:37am

That is correct, ConfigMgr does not support certs built using V3 templates. Reference https://technet.microsoft.com/en-us/library/gg699362.aspx for all PKI requirements.

Yes to the Microsoft cert template question. It's not just the properties that are different between the templates, but there are other capabilities and even different cryptography standards in use. More info: http://social.technet.microsoft.com/wiki/contents/articles/3072.incompatible-with-windows-server-2008-enterprise-version-3-or-v3-certificate-templates.aspx

Best to post the last question on an OpenSSL forum.

June 30th, 2015 9:00am

Best to post the last question on an OpenSSL forum.

June 30th, 2015 9:07am

This topic is archived. No further replies will be accepted.
