SOLVED

SCCM - HTTPS or HTTP communication

Brass Contributor

Hi!

 

I have a current SCCM setup that runs on an HTTP comms (MP, SUP DP). Then recently i switch the MP and DP to HTTPS configured certificates. Do i have to enroll client certificates to the workstations? I switch this to HTTPS for MAC computers. for windows computers i want to retain this on http. is it possible? SCCM architecture is cross forest. domain A has sccm(MP,SUP,DP) and domain B(DP) all workstations are on domain B(windows and Mac computers).

6 Replies
best response confirmed by christian31 (Brass Contributor)
Solution

@christian31 For HTTPS communication between clients and site system roles such as management points and distribution points, clients require a valid workstation authentication certificate. See Plan for security in Configuration Manager and PKI certificate requirements for Configuration Manager for more information.

Hi Michiel,

Thank you!
Another question my CA and MP is on other forest(forestA). is it possible to export and import workstation authentication certificate to the other forest(ForestB)? all my workstation is on the other forest(ForestB).

@christian31 It may be possible, but I wouldn't recommend it... You'd have to create, export and import a unique certificate for each and every client, and you'd have to renew the certificates manually before they expire as well.

Thanks for your help Michiel!
I think Cross Forest PKI would my only solution for this.

@christian31 That would be the way to go, yes. Good luck!

@christian31 

It's not easy to PKI https just for SCCM DP. This is not because of the SCCM complex scenario but rather the complex setup and cert templates that you need for PKI root and intermediate client/server certs that you need to deploy ... more over maintaining (revocation, etc) in a VPN work from home kind of a scenario.

 

I have seen challenges to get the correct certs created using the correct templates and then deploying them. Maintaining the certs is another big headache :)

 

I tried to explain this long back - https://www.anoopcnair.com/setting-up-https-mp-sup-sccm-site-systems/

But if you ask me I would go with the eHttp option for SCCM secured communication.

Mac Support for SCCM is going away anyways so better to migrate those mac computers to some other device management solution.

1 best response

Accepted Solutions
best response confirmed by christian31 (Brass Contributor)
Solution

@christian31 For HTTPS communication between clients and site system roles such as management points and distribution points, clients require a valid workstation authentication certificate. See Plan for security in Configuration Manager and PKI certificate requirements for Configuration Manager for more information.

View solution in original post