If you do a default installation of ConfigMgr 2012, clients communicate with the Management Point over HTTP. All traffic from the Distribution Point is also over HTTP, and if you use the Application Catalog, that is HTTP as well.
In this three-post series I explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the certificates needed; the second (this one) and the third (HERE) do the actual work of moving ConfigMgr from HTTP to HTTPS.
What is going to happen in this post:
- Have the Clients talk over HTTPS to the site server (Management Point)
With all the certificates in place, let's see if I can change the client to communicate over HTTPS with a PKI certificate instead of over HTTP with a self-signed certificate.
Site Server Communication
Export the Root CA certificate as a DER encoded binary X.509 (.CER) file. This is the public certificate only; the private key is not (and must not be) exported.
In the ConfigMgr console go to Administration – Overview – Site Configuration – Sites and select your Site.
Right-click and select Properties.
Go to the Client Computer Communication tab and change the setting to HTTPS only. If you still have clients that can only use HTTP, select HTTPS or HTTP instead.
Under Trusted Root Certification Authorities, import the Root CA certificate (.CER) you just exported.
A client that has already been deployed needs no reinstall: on its next contact with the Management Point the Client certificate shown in the Configuration Manager control panel changes from Self-signed to PKI.
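The same procedure from PowerShell, as an added example that is not part of the original post: it exports the Root CA certificate as DER (.CER), optionally applies the site setting, and then verifies from a client that the Management Point answers over HTTPS with a certificate that chains to that root. The Root CA subject name, site code, MP FQDN and output path are assumptions; replace them with your own. The Set-CMSite parameters shown are from the ConfigMgr cmdlets in current branch and are commented out because the 2012 SP1 console does not ship them; use the console steps above there.

```powershell
# Added example (not from the original post). Assumptions: the Root CA
# certificate is already in the LocalMachine\Root store (deployed via AD),
# the site code is PS1 and the MP FQDN is mp01.contoso.local.
# Run in an elevated PowerShell 3.0+ session on a domain-joined machine.

$rootSubject = 'CN=Contoso Root CA'          # assumption: your Root CA subject
$cerPath     = 'C:\Temp\ContosoRootCA.cer'    # DER encoded binary X.509 output
$siteCode    = 'PS1'                          # assumption
$mpFqdn      = 'mp01.contoso.local'           # assumption

# 1. Export the Root CA certificate as DER (.cer). -Type CERT is DER X.509.
#    No private key is involved: a Root CA export is the public cert only,
#    which is why the wizard offers DER/Base64 only when you do NOT export
#    the private key (PFX is for a cert WITH its private key).
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $rootSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $rootCert) { throw "Root CA '$rootSubject' not found in LocalMachine\Root" }
Export-Certificate -Cert $rootCert -FilePath $cerPath -Type CERT | Out-Null
"Exported root {0} to {1}" -f $rootCert.Thumbprint, $cerPath

# 2. Site setting (current-branch cmdlets; on 2012 SP1 use the console):
# Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
# Set-Location "$siteCode`:"
# Set-CMSite -SiteCode $siteCode -ClientComputerCommunicationType HttpsOnly `
#            -AddCertificateByPath $cerPath

# 3. Verify from a client: open a TLS session to the MP on 443 and check
#    that the server certificate builds a chain ending in the exported root.
function Test-MpHttps {
    param([string]$Fqdn, [string]$ExpectedRootThumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
    try {
        # The callback accepts anything; the chain is validated explicitly below
        # so that a wrong root is reported instead of just throwing.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Fqdn)
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate test
        $built = $chain.Build($serverCert)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            MpCertSubject = $serverCert.Subject
            ChainBuilt    = $built
            RootSubject   = $root.Subject
            RootMatches   = ($root.Thumbprint -eq $ExpectedRootThumbprint)
        }
    } finally { $tcp.Close() }
}

Test-MpHttps -Fqdn $mpFqdn -ExpectedRootThumbprint $rootCert.Thumbprint
```

If RootMatches is false, the MP's web server certificate was issued by a different CA than the one you imported into the site, and clients will fall back to (or stay on) their self-signed certificate; if ChainBuilt is false, check that the intermediate CA certificates are in the client's Intermediate Certification Authorities store. The CRL check is deliberately disabled here so the test isolates the trust chain; run it again with RevocationMode set to Online before going to HTTPS only, because the client does check the CRL by default.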
The client is now communicating over HTTPS with my PKI certificate:
ClientLocation.log confirms it as well:
And ccmsetup.log shows that all communication is secure.
Part 1 Here.
Part 3 Here.
Where exactly do I find the Root CA Certificate as a DER encoded binary X.509 (.CER) Certificate? I can't seem to get my MP working.
Hi,
the answer is in part 1 (found here: https://wibier.me/https-communication-sccm-2012-sp1-part-1/):
Enrollment of the Client certificate for Distribution Points
Open an MMC and add the Certificates snap-in for Local Computer.
Right-click Certificates and select Request New Certificate. Select the Client certificate for Distribution Points you created.
After that, export the certificate WITH the private key.
I have an SCCM 2012 MP for a primary site for intranet clients only and I want to create a separate site system for internet clients only with a separate MP. I have set up the certificate requirements like the client, DP and Web Server certificates.
Is it possible? Please guide.
Yes, set up multiple MPs.
Hi Stephan,
Great write up, but I’m a bit confused on something and I’m hoping you can set me straight: in the section above you mention importing the Root CA Certificate as a DER encoded binary X.509 (.CER) Certificate, and that this was exported in the first article. However, in the first article, you have us export the Client certificate for Distribution Points. Aren’t these different certificates? Also, when I do the export in the first article, I’m not able to export it as a DER encoded binary X.509 (.CER) Certificate. I can only export it as a Personal Information Exchange – PKCS #12 (.PFX) certificate. Unless I select to NOT export the private key, then I can do DER encoded binary X.509. What gives? Please help. Thanks.
The certificates are deployed through Active Directory. So to be able to import the Root Certificate, export the Root Certificate and import this certificate in SCCM 2012!
Use the Certificates MMC on a domain-joined machine to do the export.