IBCM Server >> Hey Certificates/PKI Expert: Need your Intervention

Deepak Verma 1 Reputation point
2020-10-19T06:23:48.31+00:00

Hi,

IBCM server with the MP, DP & SUP roles installed, dedicated to Internet clients.

IBCM Server internal FQDN & Public FQDN both are different.

Internal FQDN : configmgr.xyz.com

Public FQDN : configmgr.abcxyz.com

Using an internal CA Web Server Authentication certificate for the public FQDN.
A client authentication certificate is installed on all Windows 10 machines.

All is working perfectly fine. Clients are trusted and communication works as expected.

During external VAPT (Vulnerability Assessment & Penetration Testing), we got a RED mark saying that the intermediate certificate is missing / untrusted root anchor.

This can be because we have a single-tier Certificate Authority & don't have a subordinate CA to issue an intermediate certificate.

We have external CA wildcard certificates for both domains.

The site server is only used for Internet-based clients, but the SUP role is also installed, so the Web Server certificate must have a SAN entry for the internal FQDN as well.

One way is to change the public FQDN to match the internal FQDN; that way we can use the public wildcard certificate, e.g. for the xyz.com domain.
Will it work? And what about the client auth certificates in this scenario?

Clients will automatically pick up the new Internet FQDN via GPO, but there are systems that have never been on VPN since COVID-19. Those will be in an orphan state.

The second way is to purchase a dedicated external cert for the IBCM server with both SAN entries, assuming that, since it will be from a publicly trusted CA, my clients will automatically trust it and communicate.

Kindly suggest the best way forward.

Microsoft Security | Intune | Configuration Manager | Other
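The two scanner findings described in the question (an incomplete chain, and a root the external scanner does not trust) can be reproduced offline with openssl. The script below is an added example, not part of the original post or of any Microsoft or ConfigMgr documentation: it builds a throwaway two-tier CA (root, issuing CA) plus an unrelated "public" root that stands in for a scanner's trust store, issues a Web Server Authentication certificate whose SAN carries both FQDNs from the question, and then runs the chain and hostname checks a scanner or client would run. The CA names and the stand-in public root are assumptions for the demo; the two FQDNs are the question's.

```shell
#!/bin/sh
# Added example (not from the original post). Throwaway PKI built with
# openssl to show why an external scanner reports "intermediate missing /
# untrusted root anchor" and to check SAN coverage for both FQDNs.
# Assumptions: CA names below are invented; public.crt is a stand-in for a
# public trust store that does not contain the internal root.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

INTERNAL_FQDN=configmgr.xyz.com
PUBLIC_FQDN=configmgr.abcxyz.com

# issue_cert NAME SUBJECT_CN ISSUER|self EXTENSIONS
# Writes NAME.key / NAME.crt; ISSUER names an earlier NAME, "self" self-signs.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf '%s\n' "$4" > "$1.ext"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
      -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

build_pki() {
  issue_cert root   "Internal Root CA"    self "$CA_EXT"   # the internal trust anchor
  issue_cert int    "Internal Issuing CA" root "$CA_EXT"   # subordinate CA (absent in a single-tier PKI)
  issue_cert public "Some Public Root CA" self "$CA_EXT"   # stand-in for the scanner's trust store
  # Web Server Authentication cert: SAN must carry both names, because the
  # SUP is reached by the internal FQDN and IBCM clients use the public one.
  issue_cert leaf "$PUBLIC_FQDN" int \
    "subjectAltName=DNS:$PUBLIC_FQDN,DNS:$INTERNAL_FQDN
extendedKeyUsage=serverAuth"
}

# check ANCHOR_FILE [-untrusted FILE ...]: validate leaf.crt the way a
# scanner does, with the trust store in -CAfile and whatever the server sent
# alongside the leaf in -untrusted. Echoes ok or fail.
check() {
  anchor="$1"; shift
  if openssl verify -CAfile "$anchor" "$@" leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

chain_with_intermediate()    { check root.crt -untrusted int.crt; }    # server sends leaf+int, client trusts root
chain_missing_intermediate() { check root.crt; }                       # server sends leaf only: "intermediate missing"
chain_external_scanner()     { check public.crt -untrusted int.crt; }  # scanner lacks the internal root: "untrusted root anchor"

# san_covers HOSTNAME: hostname check against the SAN, as a client does per URL.
san_covers() {
  if openssl x509 -in leaf.crt -noout -checkhost "$1" | grep -q 'does match'; then echo yes; else echo no; fi
}

build_pki
printf 'leaf+intermediate, internal root trusted : %s\n' "$(chain_with_intermediate)"
printf 'leaf only, internal root trusted         : %s\n' "$(chain_missing_intermediate)"
printf 'leaf+intermediate, public roots only     : %s\n' "$(chain_external_scanner)"
printf 'SAN covers %s : %s\n' "$INTERNAL_FQDN" "$(san_covers "$INTERNAL_FQDN")"
printf 'SAN covers %s : %s\n' "$PUBLIC_FQDN"   "$(san_covers "$PUBLIC_FQDN")"
```

The third check is the situation in the question: the leaf chains correctly to the internal root, but a scanner that carries only public roots cannot complete the chain, so it reports the anchor as untrusted regardless of whether an intermediate exists. To see what the real server sends, `openssl s_client -connect configmgr.abcxyz.com:443 -showcerts` prints every certificate in the TLS handshake; the hostname check is the one a client performs for each URL, so a certificate meant to serve both the IBCM and SUP names must pass it for both.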

1 answer

  1. Simon Ren-MSFT 40,346 Reputation points Microsoft External Staff
    2020-10-20T07:51:29.397+00:00

    Hi,

    Thanks for posting in Microsoft MECM Q&A forum.

    This is a complex question and we have limited resources on it. To get better support, it's recommended to submit a case with Microsoft:
    https://support.microsoft.com/en-us/help/28808/microsoft-store-contact-support

    Thanks for your understanding.

    Best regards,
    Simon


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
