Part of the joy of flipping that HTTPS switch on the site is watching as your site’s clients gradually start communicating over HTTPS in ever greater numbers.
For information on generating the client side certificate via your internal PKI, check this TechNet article here. It might look overwhelming, but in all honesty once you’ve got your Certificate Authority (CA) up and running, it’s a cakewalk.
It must be noted that whilst your Config Manager site will work with HTTPS or HTTP by default, you must tick the box to use the PKI certificate (where available), as per below. I ticked this box before I made any other changes and no ill effects were experienced.
My biggest headache was how to get the clients migrated over. I had seen many people talking about using the .EXE command-line switches such as /USEPKICERT or /NOCRLCHECK, but I knew I couldn’t apply these via the site’s client installation properties tab, as you can only specify MSI properties in there. So I did it like so:
I didn’t faff around with the certificate specification stuff. I just let it do its thing. The key extra is the inclusion of CCMHOSTNAME, which tells the client where to go for its internet facing Management Point.
You must remember that the value specified next to CCMHOSTNAME has to match the FQDN you registered on a public DNS and specified as a SAN on the web server certificate.
So what next? How do you tell your existing clients to use HTTPS? Will CCMHOSTNAME be enough for new client installs?
The answers were nice and easy. Assuming you’ve configured the certificate as per the TechNet guide above, it will have autoenroll set. Go into Group Policy, and configure autoenroll for your domain PCs.
That’s it. I’d recommend staggering the Group Policy Object (GPO) rollout to avoid overwhelming the CA, but in the space of a few weeks I watched with a nice warm feeling as I hit several thousand successful hits, both in the CA console and a very useful Config Manager report (mentioned at the end of this post!).
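As an added example (not the post's own code), the following PowerShell checks the two things above that have to line up before a client can flip over: the CCMHOSTNAME FQDN resolves and is listed as a SAN on the Management Point's web server certificate, and the PC has actually picked up an autoenrolled Client Authentication certificate. The MP name and port are placeholders, and the SMS_Authority WMI lookup for the current MP is an assumption; adjust to your site.

```powershell
# Added example, not from the original post. Verifies the CCMHOSTNAME/SAN match and
# the presence of an autoenrolled client certificate on this PC.
# $MPFqdn is a placeholder; replace it with the value you pass as CCMHOSTNAME.
param([string]$MPFqdn = 'mp-internet.example.com', [int]$Port = 443)

function Test-CcmHostNameSan {
    param([string]$Fqdn, [int]$Port)

    # 1. The name must resolve on the DNS an internet client will actually use.
    if (-not (Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue)) {
        Write-Warning "$Fqdn does not resolve in DNS"; return $false
    }

    # 2. Fetch the certificate the MP presents. The validation callback always
    #    returns $true because we only want to inspect the cert here, not trust it.
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }

    # 3. The Subject Alternative Name extension (OID 2.5.29.17) must list the FQDN.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $ok  = $san -and ($san.Format($true) -match [regex]::Escape($Fqdn))
    if (-not $ok) { Write-Warning "$Fqdn is not a SAN on the MP certificate ($($cert.Subject))" }
    return [bool]$ok
}

function Test-CcmClientCert {
    # Autoenrolled client cert: in LocalMachine\My, private key present, not expired,
    # and carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2) in extension 2.5.29.37.
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        (($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value -contains $clientAuth)
    }
    if (-not $certs) { Write-Warning 'No valid Client Authentication certificate in LocalMachine\My' }
    return [bool]$certs
}

$sanOk  = Test-CcmHostNameSan -Fqdn $MPFqdn -Port $Port
$certOk = Test-CcmClientCert
# Current MP as the client sees it (assumed WMI class; the applet/log checks in script form).
$mp = (Get-WmiObject -Namespace root\ccm -Class SMS_Authority -ErrorAction SilentlyContinue).CurrentManagementPoint
"SAN check: $sanOk | client cert: $certOk | current MP: $mp"
```

Run it elevated on a domain PC after the GPO has applied; a false on either check points at the CA template or the MP certificate rather than the Config Manager client.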
Interestingly the client seems almost born to do this. As soon as the autoenrolled certificate is, er, autoenrolled, the Config Manager client immediately seems to register this. I’m putting it down to a Timey Wimey, Wibbly Wobbly effect. It’s explained very effectively here:
If you’ve done it right, you’ll see the following in the ClientIDManagerStartup log:
Okay, this pleases me! Simply applying the certificate to the PC results in it automatically flipping over to PKI. Assuming you’ve set a Management Point for HTTPS and:
If you go into the Config Manager applet via the Control Panel, you’ll see it has now changed. Marvellous!
Whoop! You can use one of the Config Manager reports to show how many PCs are using HTTPS, with no additional configuration. The report is under Site – Client Information and is called Count of clients and protocol used for communication:
So in short, very little effort and for once everything went as planned.