Intranet HTTPS client communication certificate requirement

Dear All,

I need your suggestions and feedback on SCCM client management using HTTPS (intranet).

My client wants to use HTTPS (443) for intranet client communication instead of HTTP (80).

The site system has the MP, DP and SUP roles to manage clients in two untrusted domains and a few workgroup clients.

As per MS, there are three certificates needed to manage an HTTPS environment:

  1. Web server certificate
  2. DP certificate
  3. Client certificate

For the trusted domain, I will use auto-enrollment of the client certificate via group policy to deploy the certificates.

Here are my questions:

For untrusted domain/workgroup client communication, do I need to create an individual certificate based on the hostname and deploy it manually on the clients?

Or

Is there any alternative method for certificate deployment?

Regards,

Kannan


April 21st, 2015 10:08am

For untrusted domain/workgroup client communication, do I need to create an individual certificate based on the hostname and deploy it manually on the clients?


Yes
April 21st, 2015 11:38am

There are ways of scripting the installation and/or using web policy or web page enrollment, but that doesn't change the requirement and will still almost always lead to some manual intervention. That's the whole point of AD: centralized identity and authentication. Choosing not to join these systems to AD (for whatever reason) means you have chosen not to have this centralized identity, which means it will require some manual intervention (unless you have another management system in place already).
April 21st, 2015 2:03pm

To add on, you could look into using a PowerShell script to save yourself some manual actions, but every client still needs a certificate. For a PowerShell example see: https://jasonhjones.wordpress.com/2014/10/28/powershell-and-certificate-requests/
April 21st, 2015 2:07pm

Hi Torsten,

Thanks a lot for your answer.

I have one more question:

If I export the client certificate from the trusted domain and then deploy the client certificate (based on host name) using GPO to the untrusted domain clients, will it work?

Regards,

Kannan

April 21st, 2015 2:07pm

Yes, this is possible, but it would involve more work than one of the other methods mentioned. Also keep in mind that it isn't "the client certificate"; each client must have its own unique client auth cert.

Honestly, this is a very PKI specific issue and you should get a PKI smart person involved ASAP.

April 21st, 2015 2:09pm

Thanks for all your answers.

Kannan

April 22nd, 2015 3:16am

I don't manage our PKI infrastructure, but take a look at this:

http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx

We do use this kind of solution to provide certificates to our non-domain-joined systems.

April 22nd, 2015 6:40am
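Putting the two suggestions in this thread together (scripting the per-host request, as the PowerShell post suggests, and enrolling through CEP/CES as in the AskDS link above), here is an added example that is not from any of the posters, from Microsoft's documentation or from the linked articles. It uses only built-in tooling (certreq.exe and the PKI module's Get-Certificate). The template name 'ConfigMgrClientCertificate' and the CEP URL are placeholders I have assumed; replace them with your own. The final function checks the two properties the ConfigMgr client needs from a client certificate: a private key in the local computer's Personal store and the Client Authentication EKU.

```powershell
# Added example, not from the thread. Two ways to get a per-host client-auth
# certificate onto a non-domain-joined Windows client, plus a post-enrollment
# check. Placeholders (assumptions): template 'ConfigMgrClientCertificate'
# and the CEP URL in Request-ClientCertViaCep.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Approach 1 (scripted certreq): build a per-host INF and generate the CSR in
# the machine key store. Submit the .req to the issuing CA (certreq -submit
# from a host that can reach it, or the CA web pages), copy the issued .cer
# back and run 'certreq -accept host.cer' on the client to bind it to the key.
function New-ClientCertRequest {
    param(
        [string]$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$Template = 'ConfigMgrClientCertificate',   # assumption
        [string]$OutDir   = $env:TEMP
    )
    $infPath = Join-Path $OutDir "$HostFqdn.inf"
    $reqPath = Join-Path $OutDir "$HostFqdn.req"
    @"
[NewRequest]
Subject = "CN=$HostFqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = $ClientAuthEku

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostFqdn"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $infPath -Encoding Ascii

    & certreq.exe -new -q $infPath $reqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed for $HostFqdn" }
    return $reqPath
}

# Approach 2 (CEP/CES with username/password authentication, the route the
# AskDS article describes): the workgroup client enrols directly against the
# enrollment web services using an AD account that has Enroll permission on
# the template. No domain membership is needed on the client.
function Request-ClientCertViaCep {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$Template = 'ConfigMgrClientCertificate',   # assumption
        # assumption: your CEP endpoint for username/password authentication
        [string]$CepUrl   = 'https://cep.corp.example/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
    )
    $result = Get-Certificate -Url $CepUrl -Credential $Credential -Template $Template `
        -SubjectName "CN=$HostFqdn" -DnsName $HostFqdn `
        -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') {
        # 'Pending' means the template requires CA manager approval
        throw "Enrollment for $HostFqdn ended with status '$($result.Status)'"
    }
    return $result.Certificate
}

# What to verify afterwards on the client (both approaches end up here):
# a cert for this host in LocalMachine\My, with a private key and the
# Client Authentication EKU. Returns $true when such a cert is present.
function Test-ClientAuthCert {
    param([string]$HostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$HostFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No cert with private key for CN=$HostFqdn"; return $false }
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })
    if (-not $hasClientAuth) { Write-Warning "Cert $($cert.Thumbprint) lacks the Client Authentication EKU" }
    return $hasClientAuth
}

# Usage (run elevated, pick one approach):
#   New-ClientCertRequest                                # then submit / certreq -accept
#   Request-ClientCertViaCep -Credential (Get-Credential)
#   Test-ClientAuthCert
```

Both functions set MachineKeySet / LocalMachine\My deliberately: a cert that lands in the user store, or one without a private key (which is what you get by exporting a .cer from another machine), is not usable by the ConfigMgr client service. Run Test-ClientAuthCert after either approach before pointing the client at the HTTPS MP.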
