Hi,
IBCM server with MP, DP & SUP roles installed, dedicated to Internet clients.
The IBCM Server's internal FQDN & Public FQDN are different.
Internal FQDN : configmgr.xyz.com
Public FQDN : configmgr.abcxyz.com
Using Internal CA Web Server Authentication certificate for Public FQDN.
Client Auth Certificate installed on all Windows10 machines.
All is working perfectly fine... Clients are getting trusted and communication is working as expected.
During External VAPT (Vulnerability Assessments & Penetration Testing), we got a RED mark saying that the Intermediate Certificate is missing/Untrusted Root Anchor.
This can be because we have a single-tier Certificate Authority & don't have a Subordinate CA to issue an Intermediate Certificate.
We have External CA Wild Card certificates for both the domains.
Site Server is only used for Internet-based clients, but since the SUP role is also installed, the Web Server certificate must have a SAN entry for the Internal FQDN as well.
One way here is to change the Public FQDN to match the internal FQDN; that way, we can use the wildcard public certificate for the xyz.com domain, for example.
Will it work? And what about the Client Auth Certificates in this scenario?
Clients will automatically pick up the new Internet FQDN via GPO, but there are systems that have never been on VPN since COVID-19. Those will be in an ORPHAN state.
The 2nd way is to purchase a dedicated external cert for the IBCM server having both SAN entries, and I am assuming that, since it will be from a publicly trusted CA, my clients will automatically trust it & communicate.
Kindly suggest the best way forward.
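Added example, not from the post or from Microsoft: a Go program that rebuilds the trust situations described above with a constructed PKI, showing why a scanner that does not hold the internal root reports an untrusted anchor while domain clients are fine, and which FQDN each option's certificate actually covers. The CA names "Internal Root CA" and "Public Root CA" and the helpers issue, Trusted and Scenario are assumptions; only the two FQDNs come from the post.

```go
package main
import "crypto/ed25519"
import "crypto/rand"
import "crypto/x509"
import "crypto/x509/pkix"
import "math/big"
import "time"
// issue signs a cert for cn/dnsNames with parent; nil parent = self-signed root. Constructed demo PKI, not the poster's.
func issue(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Trusted reports whether leaf chains to a root in roots AND its SANs cover hostname (wildcards included).
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, hostname string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err == nil
}
// Scenario replays the post: today's internal-CA cert, option 1 (public wildcard), option 2 (public dual-SAN cert).
func Scenario() map[string]bool {
	internalRoot, internalKey := issue("Internal Root CA", nil, true, nil, nil)
	publicRoot, publicKey := issue("Public Root CA", nil, true, nil, nil)
	public, internal := "configmgr.abcxyz.com", "configmgr.xyz.com"
	current, _ := issue(public, []string{public, internal}, false, internalRoot, internalKey)
	wildcard, _ := issue("*.xyz.com", []string{"*.xyz.com"}, false, publicRoot, publicKey)
	dualSAN, _ := issue(public, []string{public, internal}, false, publicRoot, publicKey)
	domainClient, scanner := x509.NewCertPool(), x509.NewCertPool()
	domainClient.AddCert(internalRoot) // domain-joined client: trusts the internal root (pushed by GPO)
	scanner.AddCert(publicRoot)        // external VAPT scanner or non-domain machine: public roots only
	return map[string]bool{
		"current cert, domain client, public FQDN":   Trusted(current, domainClient, public),
		"current cert, scanner, public FQDN":         Trusted(current, scanner, public), // the RED mark
		"wildcard *.xyz.com, scanner, public FQDN":   Trusted(wildcard, scanner, public),
		"wildcard *.xyz.com, scanner, internal FQDN": Trusted(wildcard, scanner, internal),
		"dual-SAN cert, scanner, both FQDNs":         Trusted(dualSAN, scanner, public) && Trusted(dualSAN, scanner, internal),
	}
}
```

The wildcard row shows option 1 only covers the public FQDN if that FQDN is moved under xyz.com, while the dual-SAN row shows option 2 covers both names under a public root without touching the internal CA.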