SCCM 2012 Internet Based Client Management Point using 3rd party certificate.
Hi All,
In our environment we are trying to set up an internet-based client management point to deploy patches to internet-based clients. Since there is no CA server, the customer requested to go with a third-party CA. As per that, the 3rd party generated a certificate and shared the CSR file with us.
Now we have the site server ready and the site roles installed, but the 3rd-party certificates are not working and the SCCM internet MP is unable to respond to requests at port 443 and gives the error like below. We are facing the challenge to implement this solution using a 3rd-party certificate. Can someone please help me on this.
Regards,
Madhan
September 2nd, 2015 1:04pm
Well, you should read the blog posted below, because you need more than just 1 certificate on the MP; the clients need to have certificates as well.
Also, the error you are getting is that the certificate is probably of the wrong type; in the blog below you will see what kind you need.
http://blogs.technet.com/b/jchalfant/archive/2015/04/15/prerequisites-for-ibcm-in-configuration-manager.aspx
Edited by Frederick Dicaire
Proposed as answer by Jason Sandys (MVP)
September 2nd, 2015 1:10pm
Frederick is correct, implementing IBCM requires much more than just a single SSL server auth cert. Each and every client also requires its own, unique client auth cert. Also, the client auth certs must meet specific requirements. These are all documented at https://technet.microsoft.com/en-us/library/gg699362.aspx
September 2nd, 2015 2:10pm
Thanks Frederick. Since we are relying on a 3rd-party certificate, do we need to create 3 CSRs to request the certificates below from the certificate vendor, and do we need to ask them for any specific configuration for each certificate?
Web server certificate
Client certificate for client computers
Client certificate for distribution points
Regards,
Madhan
September 2nd, 2015 3:25pm
Well, for the MP you only need 2 kinds, but for the others I am not sure you understood what we meant.
EVERY SINGLE CLIENT will need a valid client certificate.
Each CSR for each computer in the field will be different and will need the name of that client.
So you will need to install and keep up to date, plus pay the cost of, those certs on all clients....
Edited by Frederick Dicaire
September 2nd, 2015 3:27pm
Please read the link I posted above about cert requirements -- it will tell you exactly what you need.
And to reiterate what Frederick said above, which is also what I said in my first post, you will need a unique CSR from each and every client to create a unique client auth cert for each and every client. Thus, if you are managing 1,000 systems over the Internet, you will need 1,000 CSRs and the 1,000 unique certs created from them. Good luck getting this funded *every* year and you'll need even more luck deploying and updating all of the certs on the clients.
September 2nd, 2015 3:43pm
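The replies above boil down to four checkable properties of each certificate: the right Enhanced Key Usage for its role (Server Authentication for the MP web server cert, Client Authentication for every client), the machine's FQDN in the subject or SAN, a private key on the machine that generated the CSR, and a chain that builds to the 3rd-party root. The PowerShell below is an added example written for this thread, not code from the thread or from Microsoft; the thumbprint and FQDN it is called with are placeholders.

```powershell
# Added example, not from this thread: sanity-checks a certificate in the local
# machine store against the IBCM points raised above (correct EKU for the role,
# the expected FQDN in the subject or SAN, a private key, and a chain that builds).
# The thumbprint and FQDN passed in are placeholders you supply.
function Test-IbcmCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$ExpectedFqdn,
        [Parameter(Mandatory)][ValidateSet('ServerAuth', 'ClientAuth')][string]$Role
    )
    # Standard EKU OIDs: the MP web server cert needs Server Authentication,
    # each client's cert needs Client Authentication.
    $ekuOid = @{ ServerAuth = '1.3.6.1.5.5.7.3.1'; ClientAuth = '1.3.6.1.5.5.7.3.2' }[$Role]
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $cert) {
        return [pscustomobject]@{ Ok = $false; Problems = @('Not found in LocalMachine\My') }
    }
    $problems = @()
    # A cert issued from a CSR that was generated on another machine has no private key here.
    if (-not $cert.HasPrivateKey) { $problems += 'No private key in this store' }
    # EKU check: "wrong type of certificate" is usually a missing role OID.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekus -notcontains $ekuOid) { $problems += "Missing EKU $ekuOid ($Role)" }
    # Name check: subject CN plus any SAN DNS entries (SAN extension OID 2.5.29.17).
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @(($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { $_ -replace '^DNS Name=', '' })
    }
    if ($names -notcontains $ExpectedFqdn) { $problems += "FQDN $ExpectedFqdn not in subject/SAN" }
    # Chain check: the 3rd-party root and intermediates must be trusted on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $problems += 'Chain: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    [pscustomobject]@{
        Ok       = ($problems.Count -eq 0)
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Problems = $problems
    }
}

# Placeholder values; replace with the MP's real thumbprint and its Internet FQDN.
Test-IbcmCertificate -Thumbprint '<mp-cert-thumbprint>' -ExpectedFqdn 'mp.example.com' -Role ServerAuth
```

Run it with -Role ClientAuth and the client's own FQDN on a client to confirm its cert before troubleshooting the MP side.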
Thanks Jason. Now I understand. Since there is no Microsoft CA available, is there another possible way to implement this?
Regards,
Madhan
Marked as answer by madhanagoapl
September 3rd, 2015 6:03am
Well, like we said, you don't need a Microsoft CA to make this work. You just need to respect everything SCCM requires to make this work.
It's just that it's so much CHEAPER and EASIER with a Microsoft CA.
If it's possible, you could rely on VPN to make this work. Once the computers are connected to the VPN, it would be like they are on premises.
DirectAccess is great as well, but requires certificates as well.
Edited by Frederick Dicaire
Marked as answer by madhanagoapl
September 3rd, 2015 7:14am