Share via

HTTPS PKI Certificates

Matt Dillon 437 Reputation points
2021-03-02T21:32:53.887+00:00

Working on a client's SCCM environment and brain farting.

If a new DP is setup, do they need to add the IIS certificate to the Personal Certificates? If so, in the Alternative name/ DNS do they enter the primary site server name of the DP name. Do they also need to go into IIS and add the https to point to that cert? I cannot remember if this is automatic or if this is a manual process on the actual distribution point server?

Or am I completely off and just not thinking and they simply just add the PFX in the console.

Community Center | Not monitored
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anoop C Nair 21 Reputation points MVP
    2022-06-15T08:43:19.453+00:00

    It's not easy to PKI https just for SCCM DP. This is not because of the SCCM complex scenario but rather the complex setup and cert templates that you need for PKI root and intermediate client/server certs that you need to deploy ... more over maintaining (revocation, etc) in a VPN work from home kind of a scenario.

    I have seen challenges to get the correct certs created using the correct templates and then deploying them. Maintaining the certs is another big headache :)

    I tried to explain this long back - https://www.anoopcnair.com/setting-up-https-mp-sup-sccm-site-systems/

    But if you ask me I would go with the eHttp option for SCCM secured communication.

    KR
    Anoop

    0 comments
  2. SunnyNiu-MSFT 1,711 Reputation points
    2021-03-03T09:40:04.083+00:00

    @Matt Dillon
    Here is an answer to your question that hopefully you find helpful!
    For a new DP, These are the manual processes that need to be configured on the distribution point server:
    1)add the IIS certificate to the Personal Certificates
    2)add the https to point to that cert
    Here are also articles with detailed steps that we may refer to:
    https://www.windows-noob.com/forums/topic/16300-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-1/ (Third-party link, just for your reference.)
    https://www.windows-noob.com/forums/topic/16301-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-2/ (Third-party link, just for your reference.)

    If the response is helpful, please click "Accept Answer"and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.