SOLVED

SCCM - HTTPS or HTTP communication


Hi!

I have a current SCCM setup that runs on HTTP communication (MP, SUP, DP). Recently I switched the MP and DP to HTTPS with configured certificates. Do I have to enroll client certificates on the workstations? I switched to HTTPS for Mac computers; for Windows computers I want to retain HTTP. Is that possible? The SCCM architecture is cross-forest: domain A has SCCM (MP, SUP, DP) and domain B has a DP; all workstations (Windows and Mac computers) are in domain B.

Best Response confirmed by christian31 (Contributor)
Solution

@christian31 For HTTPS communication between clients and site system roles such as management points and distribution points, clients require a valid workstation authentication certificate. See Plan for security in Configuration Manager and PKI certificate requirements for Configuration Manager for more information.
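
As an added check (not part of the thread or of Configuration Manager itself), the PowerShell below lets a Windows client in forest B confirm it holds a certificate that meets the baseline the answer describes: Client Authentication EKU, a private key, still valid, and a chain that builds to a root the client trusts. The store path and EKU OID are standard values; the function name is my own.

```powershell
# Added example: verify a Windows workstation has a certificate suitable for
# HTTPS client communication with ConfigMgr site systems (MP/DP).
# Checks: Client Authentication EKU (1.3.6.1.5.5.7.3.2), private key present,
# not expired, and a chain that builds to a trusted root with revocation checked.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-ConfigMgrClientCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # Keep only certificates whose EKU extension includes Client Authentication.
    $candidates = Get-ChildItem -Path $StorePath | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Online revocation check so a revoked certificate is not reported as usable.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ChainValid    = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            Usable        = ($cert.HasPrivateKey -and $chainOk -and $cert.NotAfter -gt (Get-Date))
        }
    }
}

# List candidate certificates and flag the ones that pass all baseline checks.
Test-ConfigMgrClientCert | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ChainValid, Usable -AutoSize
```

A ChainValid of False on a cross-forest client usually means the issuing CA's root from forest A is missing from the client's Trusted Root store, which is the gap a cross-forest PKI design closes. Configuration Manager applies its own certificate selection rules on top of these baseline requirements, so a Usable result here does not by itself guarantee the client will pick that certificate.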

Hi Michiel,

Thank you!
Another question: my CA and MP are in the other forest (forest A). Is it possible to export and import the workstation authentication certificate to the other forest (forest B)? All my workstations are in the other forest (forest B).

@christian31 It may be possible, but I wouldn't recommend it... You'd have to create, export and import a unique certificate for each and every client, and you'd have to renew the certificates manually before they expire as well.

Thanks for your help Michiel!
I think cross-forest PKI would be my only solution for this.

@christian31 That would be the way to go, yes. Good luck!