HTTPS Communication SCCM 2012 SP1 (Part 2)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this three-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the certificates needed; the second (this one) and the third (HERE) do the actual work of moving ConfigMgr from HTTP to HTTPS.

What is going to happen in this post:

  • Have the Clients talk over HTTPS to the site server (Management Point)

 

With all the certificates in place let’s see if I can change the Client to communicate over PKI and HTTPS instead of HTTP and a self-signed certificate.

 

Site Server Communication

Export the Root CA Certificate as a DER encoded binary X.509 (.CER) Certificate.

In the ConfigMgr console go to Administration – Overview – Site Configuration – Sites and select your Site.

Right-click and select Properties.

Go to the tab Client Computer Communication and change the setting to HTTPS Only. If you still have clients with HTTP then you can select HTTP or HTTPS.

Under Trusted Root Certification Authorities select your Root CA Certificate.
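
An added example, not part of the original post or the author's own tooling: one way to do the Root CA export from PowerShell on a domain-joined machine, by walking the chain of the computer's client certificate up to its root and writing that root as a DER encoded .CER file. The output path is an assumption, and the script assumes the client certificate from Part 1 is already in the computer store.

```powershell
# Added example (not from the original post). Assumes a domain-joined Windows machine
# that already holds a PKI client certificate from Part 1.
$OutFile       = 'C:\Temp\RootCA.cer'    # assumed output path; the folder must exist
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU

# 1. Find a computer certificate that carries the Client Authentication EKU.
$ekuType    = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate in LocalMachine\My.' }

# 2. Build the chain. Revocation is skipped because only the path to the root is needed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($clientCert)) {
    throw "Chain does not validate: $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) { throw 'Top of the chain is not a self-signed root.' }

# 3. Write the public certificate only. X509ContentType Cert is the DER encoded
#    X.509 form and never contains a private key.
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# 4. Verify the file: DER begins with 0x30 (ASN.1 SEQUENCE); a Base64 export
#    would begin with '-' or 'M' instead.
$bytes = [System.IO.File]::ReadAllBytes($OutFile)
if ($bytes[0] -ne 0x30) { throw 'Exported file is not DER encoded.' }
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
if ($check.Thumbprint -ne $root.Thumbprint) { throw 'Exported file does not match the root.' }

"Root CA    : $($root.Subject)"
"Thumbprint : $($root.Thumbprint)"
"Expires    : $($root.NotAfter)"
"File       : $OutFile"
```

The file it writes is the one to select under Trusted Root Certification Authorities in the site properties.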

 

For a client that has already been deployed just wait and the Client Certificate will change to PKI.

And I am communicating over HTTPS with my PKI:

As I can also see in my ClientLocation.log

 

The ccmsetup.log also shows that all communication is secure.

 

Part 1 Here.

Part 3 Here.

7 thoughts on “HTTPS Communication SCCM 2012 SP1 (Part 2)”

  1. Pingback: HTTPS Communication SCCM 2012 SP1 « MS Tech BLOG

  2. joe Apr 7, 2013 6:29 pm

    Where exactly do I find the Root CA Certificate as a DER encoded binary X.509 (.CER) Certificate? I can't seem to get my MP working.

  3. varun Dec 17, 2013 12:25 pm

    I have SCCM 2012 MP for primary site for Intranet clients only and I want to create a separate site system for internet clients only with a separate MP. I have set up certificate requirements like client, DP and Web Server certificates.

    Is it possible? Please guide.

  4. Derrek Mar 20, 2014 7:29 pm

    Hi Stephan,

    Great write up, but I’m a bit confused on something and I’m hoping you can set me straight: in the section above you mention importing the Root CA Certificate as a DER encoded binary X.509 (.CER) Certificate, and that this was exported in the first article. However, in the first article, you have us export the Client certificate for Distribution Points. Aren’t these different certificates? Also, when I do the export in the first article, I’m not able to export it as a DER encoded binary X.509 (.CER) Certificate. I can only export it as a Personal Information Exchange – PKCS #12 (.PFX) certificate. Unless I select to NOT export the private key, then I can do DER encoded binary X.509. What gives? Please help. Thanks.

  5. Stephan Wibier May 12, 2014 12:11 pm

    The certificates are deployed through Active Directory. So to be able to import the Root Certificate, export the Root Certificate and import this certificate in SCCM 2012!
    Use the certificate MMC on a domain-joined machine to do the export.
