Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Implementing HTTPS on Configuration Manager 2012 R2 – Certificates



Here are some first-hand insights on implementing HTTPS on Configuration Manager R2.

You require 3 certificate templates:

  • Server Authentication Certificate. This is your standard SSL certificate template, but bear in mind that the Reporting Services Point has a requirement that is easily overlooked: its Alternate Subject Name should use the DNS name format instead of the default Fully Distinguished Name format. Since the DNS name format does not conflict with any other SCCM requirement, make sure your Alternate Subject Name follows it so that you can use this same template when you implement HTTPS on the RSP. This certificate is used on all your MPs, DPs, SUPs, RSPs, and even the Application Catalog, provided you have also covered all other FQDN options for your Application Catalog server.
  • Client Authentication Certificate. This is the client certificate that you will issue to all your clients.
  • Client Authentication Certificate with an Exportable Private Key. Once you convert your DP to HTTPS, you will be asked for a .pfx file. This template is used to create the certificate that you will eventually export as a .pfx file. Don't use the Client Authentication Certificate above for this, because this template is given the ability to export the private key. You don't want all those rogue, exported client certificates.

Windows Server Update Services (WSUS) / Software Update Point (SUP). Note that the TCP ports used by WSUS are different (HTTP is TCP 8530, HTTPS is TCP 8531). The minor snag with WSUS/SUP is that you cannot enforce SSL all the way, and that HTTPS imposes an additional 10% performance degradation on your machine. Chances are this SUP is also your DP and MP, so be aware.

SQL Server Reporting Services (SSRS) / Reporting Services Point (RSP). The RSP has a special requirement for its certificate template; see “Server Authentication Certificate” above.
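
To check issued certificates against the template requirements above, the following PowerShell script (an added example, not from the original post) lists each certificate in the local machine store and flags Server Authentication certificates without a DNS entry in the Subject Alternative Name, as well as Client Authentication certificates whose private key is exportable. It assumes Windows PowerShell with .NET Framework 4.6 or later, an English-language system, and RSA keys; `Test-KeyExportable` is a hypothetical helper name.

```powershell
# Added example: audit Cert:\LocalMachine\My against the template rules above.
# Run elevated; reading machine private-key metadata requires administrator rights.
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$sanOid     = '2.5.29.17'           # Subject Alternative Name extension OID

function Test-KeyExportable {
    # Hypothetical helper: $true/$false for RSA keys, $null when it cannot tell.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $null }
    if ($key -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the export policy is a flags enum on the underlying CngKey.
        $policy = $key.Key.ExportPolicy
        return $policy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport) -or
               $policy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport)
    }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $key.CspKeyContainerInfo.Exportable   # legacy CryptoAPI key
    }
    return $null   # non-RSA or unknown provider: check manually
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekus     = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $san      = $_.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    # Format() output is localized; 'DNS Name=' assumes an English system.
    $hasDns   = [bool]($san -and $san.Format($false) -match 'DNS Name=')
    $isServer = $ekus -contains $serverAuth
    $isClient = $ekus -contains $clientAuth
    $export   = Test-KeyExportable $_

    $findings = @()
    if ($isServer -and -not $hasDns) { $findings += 'server cert has no DNS SAN (RSP needs one)' }
    if ($isClient -and $export)      { $findings += 'client cert key is exportable (expected only for the DP .pfx)' }

    [pscustomobject]@{
        Subject    = $_.Subject
        ServerAuth = $isServer
        ClientAuth = $isClient
        DnsSan     = $hasDns
        Exportable = $export
        Findings   = $findings -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

An empty `Exportable` column means the key type could not be inspected, not that the key is protected.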


Written by jpaloma

November 7, 2015 at 5:28 PM
