Planning for the use of certificates

One of the great things about Configuration Manager is that it actually uses a combination of PKI certificates and self-signed certificates. The documentation advises that you should use certificates as a best practice. This is sound advice and you should follow this where possible; however, I have found that usually people are more than willing to accept what little risk there is of not running with certificates.

Tip

Note that the setup of certificates is outside the scope of Configuration Manager, and this material is not intended to replace a certificates specialist: troubleshooting requires deep knowledge of how the certificate authority is set up.

Certificates are required in some scenarios though; if you plan to use any one of the following features, then you are required to use certificates:

  • Internet-based client management
  • Management of mobile devices
  • Management of Apple Mac devices
  • Cloud distribution points
  • Managing out-of-band computers with Intel AMT

You can use any certificate authority that supports the appropriate requirements for the certificates you require. I always like to use a Microsoft CA as it provides me with the ability to use autoenrolment for the client certificates when using an enterprise certificate authority. This becomes a very attractive solution when I need to deploy client certificates to any large number of devices. It also means that the certificates are centrally managed and the certificate revocation list (CRL) is also centrally managed.

When Configuration Manager detects that an appropriate certificate is available, it automatically uses that certificate for communications. If a PKI certificate is not available for any reason, Configuration Manager generates a self-signed certificate instead.

Note

All the certificates that Configuration Manager can use must contain single-byte characters in the subject name or the subject alternative name.
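
One way to check a client against the two points above (PKI versus self-signed, and single-byte names) is the following added example, which is not from the book or from Configuration Manager itself. It assumes the certificates are in the computer's Personal store and reads "single-byte" strictly as 7-bit ASCII; the function name Test-SingleByte is hypothetical.

```powershell
# Added example: audit certificates in the computer's Personal store.
# Assumption: this is the store the client certificate was deployed to.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-SingleByte {
    param([string]$Text)
    # Assumption: "single-byte" is read strictly as 7-bit ASCII.
    foreach ($ch in $Text.ToCharArray()) {
        if ([int]$ch -gt 0x7F) { return $false }
    }
    return $true
}

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs; a certificate without an EKU extension
    # is not restricted to particular purposes.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $clientAuth = (-not $ekuExt) -or ($ekus -contains $clientAuthOid)

    # Decode the SAN extension to text so its characters can be checked.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        Expired      = $cert.NotAfter -lt (Get-Date)
        ClientAuth   = $clientAuth
        # Heuristic only: subject equal to issuer suggests self-signed.
        SelfSigned   = $cert.Subject -eq $cert.Issuer
        SingleByteOk = (Test-SingleByte $cert.Subject) -and (Test-SingleByte $san)
    }
} | Format-Table -AutoSize
```

Rows with SingleByteOk or ClientAuth set to False, or Expired set to True, are the ones to review before expecting HTTPS communication from that client.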

Configuration Manager clients with certificates communicate with the appropriate site systems using HTTPS. This communication is encrypted using the industry standard SSL. Clients can sometimes still communicate using HTTP even when they have certificates, in the following scenarios:

  • When clients fall back to using HTTP after the client fails to communicate using HTTPS and the site system allows this configuration
  • Communication with the following site system roles:
    • Fallback status point
    • PXE-enabled distribution point
    • Notification data sent to the management point