SCCM 2012 Internet Based Client Management Point using 3rd party certificate.

Hi All,

In our environment we are trying to set up an internet based client management point to deploy the patches for internet based clients. Since there is no CA server, the customer requested to go with a third party CA. As per that, the 3rd party generated the certificate and shared the CSR file with us.

Now, we have the site server ready and site roles installed, but the 3rd party certificates are not working and the SCCM internet MP is unable to respond to requests at port 443 and gives the error like below. We are facing the challenge of implementing this solution using a 3rd party certificate. Can someone please help me with this?

Regards,

Madhan



September 2nd, 2015 1:04pm

Well, you should read the blog posted below, because you need more than just 1 certificate on the MP; the clients need to have certificates as well.

Also, the error you are getting is that the certificate is probably of the wrong type. In the blog below you will see what kind you need.

http://blogs.technet.com/b/jchalfant/archive/2015/04/15/prerequisites-for-ibcm-in-configuration-manager.aspx




September 2nd, 2015 1:10pm

Frederick is correct, implementing IBCM requires much more than just a single SSL server auth cert. Each and every client also requires its own, unique client auth cert. Also, the client auth certs must meet specific requirements. These are all documented at https://technet.microsoft.com/en-us/library/gg699362.aspx
September 2nd, 2015 2:10pm

Thanks Frederick. Since we are relying on a 3rd party certificate, do we need to create 3 CSRs to request the below certificates from the certificate vendor, and do we need to ask them for any specific configuration for each certificate?

Web server certificate, 

Client certificate for Client Computers 

Client certificate for distribution points

Regards,
Madhan

September 2nd, 2015 3:25pm

Well, for the MP you only need 2 kinds, but the other, not sure you understood what we meant.

EVERY SINGLE CLIENT will need a valid client certificate.

Each CSR for each computer in the field will be different and will need the name of that client.

So you will need to install them and keep them up to date, plus the cost of those certs on all clients....



September 2nd, 2015 3:27pm

Please read the link I posted above about cert requirements -- it will tell you exactly what you need.

And to reiterate what Frederick said above which is also what I said in my first post, you will need a unique CSR from each and every client to create a unique client auth cert for each and every client. Thus, if you are managing 1,000 systems over the Internet, you will need 1,000 CSRs and the 1,000 unique certs created from them. Good luck getting this funded *every* year and you'll need even more luck deploying and updating all of the certs on the clients.

September 2nd, 2015 3:43pm
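
Added example, not part of the original thread or any poster's code: one way to produce the per-client request the replies above describe, using `certreq.exe` on the client itself so each CSR carries that computer's own name and the Client Authentication EKU. The output folder, the 2048-bit key length and the use of the FQDN as subject are assumptions; check them against the certificate requirements linked above and your CA vendor's rules.

```powershell
# Added example: build a PKCS#10 request for THIS computer with the
# Client Authentication EKU. Run elevated on each Internet-based client.
# Assumptions (not from the thread): output folder, 2048-bit RSA key, CN = FQDN.
param(
    [string]$OutDir = 'C:\Temp\ibcm-csr'   # hypothetical output folder
)

$ErrorActionPreference = 'Stop'

# The subject must identify this client uniquely, so derive it locally.
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }

# certreq request file. The private key is created in the machine store and
# marked non-exportable, so only the .req file ever leaves the client.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
"@

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$infPath = Join-Path $OutDir "$fqdn.inf"
$reqPath = Join-Path $OutDir "$fqdn.req"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair and writes the CSR to send to the third-party CA.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# When the CA returns the issued certificate, install it on the same machine
# so it binds to the pending private key:  certreq.exe -accept <issued-cert-file>
Write-Output "CSR for $fqdn written to $reqPath"
```

The management point's web server certificate is a separate request with the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and the MP's Internet FQDN as its name.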


Thanks Jason. Now I understand. Since there is no Microsoft CA available, is there any other possible way to implement this?

Regards,
Madhan
September 3rd, 2015 6:03am

Well, like we said, you don't need a Microsoft CA to make this work. You just need to respect everything SCCM requires to make this work.

It's just that it's so much CHEAPER and EASIER with a Microsoft CA.

If it's possible, you could rely on VPN to make this work. Once the computers are connected to the VPN, it would be like they are on premises.

Direct Access is great as well but requires certificates as well.

September 3rd, 2015 7:14am
