CMG Server Certificate

Ranjithkumar Duraisamy 226 Reputation points
2022-09-22T19:33:03.177+00:00

Hi Team,

I'm going to create a CMG and thought of getting this clarified before that. For the CMG server certificate which we will be importing during the CMG creation wizard, do we need to issue a whole new cert from a new web server cert template, or can the IIS certificate which we're using for the MP be used here?

Note: ConfigMgr is already working in HTTPS only using Internal PKI.

Microsoft Configuration Manager

7 answers

  1. Jason Sandys 31,196 Reputation points Microsoft Employee
    2022-09-22T19:46:58.16+00:00

    Yes, you need a new cert and should not in any way reuse a cert used for other purposes -- it won't even have the same subject name as any of your MPs so that's not even technically possible to reuse. Also, I strongly suggest purchasing a cert from a public CA for this purpose as it will prevent issues when provisioning clients off-prem or that are not domain joined.

    1 person found this answer helpful.

  2. Jason Sandys 31,196 Reputation points Microsoft Employee
    2022-09-22T22:13:56.493+00:00

    Yep, for a POC, test environment, or the like, you can definitely use a cert generated using the standard web server cert template (or any that are equivalent) in ADCS and use that.

    1 person found this answer helpful.

  3. Ranjithkumar Duraisamy 226 Reputation points
    2022-09-26T09:40:21.157+00:00

    Hi @Simon Ren-MSFT, I managed to get this resolved by tweaking the Key Vault part of this device over Azure.

    1 person found this answer helpful.

  4. Ranjithkumar Duraisamy 226 Reputation points
    2022-09-22T21:18:48.307+00:00

    Hi @Jason Sandys, thank you for the response. I'll consider purchasing from a public CA for PROD, but for the POC, just to be clear, we can use any web server cert template from the CA to generate a new certificate and use the same during the CMG creation wizard, right?

    Sorry if I'm wrong. But please help me to understand clearly.


  5. Ranjithkumar Duraisamy 226 Reputation points
    2022-09-23T11:36:50.57+00:00

    Thank you for your advice. I managed to create the CMG and it seems provisioning is done. But when I try to run the connection analyzer, it shows "Bad Gateway 502".

    1. I tried stopping the service and running the connection analyzer again, but it stops like this now.
    2. Tried accessing the CMG through a browser but got this error.
