Sep 03 2020 05:09 PM
Hi!
I have a current SCCM setup that runs on an HTTP comms (MP, SUP DP). Then recently i switch the MP and DP to HTTPS configured certificates. Do i have to enroll client certificates to the workstations? I switch this to HTTPS for MAC computers. for windows computers i want to retain this on http. is it possible? SCCM architecture is cross forest. domain A has sccm(MP,SUP,DP) and domain B(DP) all workstations are on domain B(windows and Mac computers).
Sep 04 2020 04:55 AM
Solution@christian31 For HTTPS communication between clients and site system roles such as management points and distribution points, clients require a valid workstation authentication certificate. See Plan for security in Configuration Manager and PKI certificate requirements for Configuration Manager for more information.
Sep 06 2020 05:23 PM
Sep 07 2020 06:15 AM
@christian31 It may be possible, but I wouldn't recommend it... You'd have to create, export and import a unique certificate for each and every client, and you'd have to renew the certificates manually before they expire as well.
Sep 07 2020 05:28 PM
Sep 08 2020 12:01 AM
@christian31 That would be the way to go, yes. Good luck!
Jun 15 2022 01:51 AM
It's not easy to PKI https just for SCCM DP. This is not because of the SCCM complex scenario but rather the complex setup and cert templates that you need for PKI root and intermediate client/server certs that you need to deploy ... more over maintaining (revocation, etc) in a VPN work from home kind of a scenario.
I have seen challenges to get the correct certs created using the correct templates and then deploying them. Maintaining the certs is another big headache :)
I tried to explain this long back - https://www.anoopcnair.com/setting-up-https-mp-sup-sccm-site-systems/
But if you ask me I would go with the eHttp option for SCCM secured communication.
Mac Support for SCCM is going away anyways so better to migrate those mac computers to some other device management solution.
Sep 04 2020 04:55 AM
Solution@christian31 For HTTPS communication between clients and site system roles such as management points and distribution points, clients require a valid workstation authentication certificate. See Plan for security in Configuration Manager and PKI certificate requirements for Configuration Manager for more information.