Plan for PKI certificates in Configuration Manager
Applies to: Configuration Manager (current branch)

Configuration Manager uses public key infrastructure (PKI)-based digital certificates when available. Use of these certificates is recommended for greater security, but not required for most scenarios. You need to deploy and manage these certificates independently from Configuration Manager. This article provides information about PKI certificates in Configuration Manager to help you plan your implementation. For more general information about the use of certificates in Configuration Manager, see Certificates in Configuration Manager.

PKI certificate revocation

When you use PKI certificates with Configuration Manager, plan for use of a certificate revocation list (CRL). Devices use the CRL to verify the certificate on the connecting computer. The CRL is a file that a certificate authority (CA) creates and signs. It lists the certificates that the CA has issued but revoked, identified by their serial numbers. When a certificate administrator revokes a certificate, for example because it's known or suspected to be compromised, its serial number is added to the CRL.

Important: Because the location of the CRL is added to a certificate when a CA issues it, make sure that you plan for the CRL before you deploy any PKI certificates that Configuration Manager uses.

IIS always checks the CRL for client certificates, and you can't change this configuration in Configuration Manager. By default, Configuration Manager clients always check the CRL for site systems. To disable this check you must both set a site property and specify the CCMSetup property /NoCRLCheck when you install the client. Computers that use certificate revocation checking but can't locate the CRL behave as if all certificates in the certification chain are revoked, because they can't verify whether the certificates are in the CRL. In this scenario, all connections that require certificates and include CRL checking fail.
When you validate that your CRL is accessible by browsing to its HTTP location, note that the Configuration Manager client runs as LOCAL SYSTEM. Testing CRL accessibility with a web browser in a user context may succeed while the computer account is blocked from making an HTTP connection to the same CRL URL, for example by an internal web filtering solution or proxy. Add the CRL URL to the approved list for any web filtering solutions, and check that the proxy configuration the computer account actually uses (the WinHTTP proxy, not the signed-in user's browser settings) can reach the CRL.

Checking the CRL every time that a certificate is used offers more security against using a revoked certificate. It also introduces a connection delay and more processing on the client. Your organization may require this security check for clients on the internet or an untrusted network. Consult your PKI administrators before you decide whether Configuration Manager clients need to check the CRL. When both of the following conditions are true, consider keeping this option enabled in Configuration Manager:
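The following script is an added example and is not part of the Microsoft article or the Configuration Manager client. It reads the CRL distribution point URLs from a certificate in the machine store and downloads each CRL, so you can run the same test in the LOCAL SYSTEM context that the client uses (for example through psexec.exe -s -i powershell.exe, or a scheduled task that runs as SYSTEM) instead of trusting a browser test from a user session. The store path, the thumbprint parameter and the script file name are assumptions.

```powershell
# Added example (not from the Microsoft article): fetch every HTTP CRL distribution
# point of a certificate so the test can be repeated as LOCAL SYSTEM, for example:
#   psexec.exe -s -i powershell.exe -ExecutionPolicy Bypass -File .\Test-CrlAccess.ps1
# Store path, thumbprint parameter and script name are assumptions.
param(
    [string]$StorePath  = 'Cert:\LocalMachine\My',
    [string]$Thumbprint = ''   # empty: test the first certificate that has a private key
)

$cert = if ($Thumbprint) { Get-Item "$StorePath\$Thumbprint" }
        else { Get-ChildItem $StorePath | Where-Object HasPrivateKey | Select-Object -First 1 }
if (-not $cert) { throw "No certificate found in $StorePath" }

# 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as
# text with one "URL=..." entry per distribution point; LDAP entries are skipped.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "Certificate $($cert.Thumbprint) has no CRL Distribution Points extension" }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }

# SYSTEM uses the WinHTTP proxy, not the signed-in user's browser proxy settings.
"Testing as $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
"WinHTTP proxy: " + ((netsh.exe winhttp show proxy | Out-String).Trim() -replace '\s+', ' ')
"Certificate: $($cert.Subject) ($($cert.Thumbprint))"

foreach ($url in $urls) {
    $tmp = Join-Path $env:TEMP ('crl_' + [guid]::NewGuid().ToString('N') + '.crl')
    try {
        # -UseBasicParsing avoids the Internet Explorer engine, which isn't set up for SYSTEM
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $tmp -PassThru -TimeoutSec 15
        # certutil parses the downloaded CRL; NextUpdate shows when cached copies expire
        $dump = certutil.exe -dump $tmp | Out-String
        $next = if ($dump -match 'NextUpdate:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
        '{0}  OK  HTTP {1}  {2} bytes  NextUpdate={3}' -f $url, $resp.StatusCode, (Get-Item $tmp).Length, $next
    }
    catch {
        # An unreachable CRL means the client treats the whole chain as revoked
        '{0}  FAIL  {1}' -f $url, $_.Exception.Message
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

A FAIL line for a URL that works from your browser usually means the proxy or web filter treats the computer account differently; compare the WinHTTP proxy shown at the top with the user proxy, and add the CRL URL to the filter's approved list. For a second opinion that uses Windows' own chain-building and CRL retrieval logic, run certutil.exe -urlfetch -verify against an exported copy of the same certificate in the same SYSTEM session.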
PKI trusted root certificates

If your IIS site systems use PKI client certificates for client authentication over HTTP, or for client authentication and encryption over HTTPS, you might have to import root CA certificates as a site property. Here are the two scenarios:
If you need to import root CA certificates for Configuration Manager, export them from the issuing CA or from a client computer. If you export the certificate from an issuing CA that's also the root CA, don't export the private key. Store the exported certificate file in a secure location to prevent tampering. You need access to the file when you set up the site. If you access the file over the network, make sure the communication is protected from tampering, for example by using IPsec. If any root CA certificate that you import is renewed, import the renewed certificate. These imported root CA certificates and the root CA certificate of each management point create the certificate issuers list. Configuration Manager computers use this list in the following ways:
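The script below is an added example, not code from the Microsoft article. It exports a root CA certificate from a client computer's Trusted Root store as a public-key-only DER file, refuses to continue if the selected certificate is not self-issued or carries a private key on the machine, and records the file's SHA-256 so you can confirm the file wasn't altered in transit before you import it as a site property. The thumbprint and output path are assumptions.

```powershell
# Added example (not from the Microsoft article): export a root CA certificate
# without its private key and record hashes for a tamper check before import.
# The thumbprint and output path below are assumptions.
param(
    [string]$RootCaThumbprint = 'AABBCCDDEEFF00112233445566778899AABBCCDD',
    [string]$OutFile          = 'C:\PKI\ContosoRootCA.cer'
)

$cert = Get-Item "Cert:\LocalMachine\Root\$RootCaThumbprint"

# A root CA certificate is self-issued. Refuse anything else, and refuse to
# export from a machine where this certificate has a private key attached.
if ($cert.Subject -ne $cert.Issuer) {
    throw "$($cert.Subject) is not a root CA certificate (issuer differs from subject)"
}
if ($cert.HasPrivateKey) {
    throw 'This certificate has a private key on this machine; export the public certificate only, from a client'
}

New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
# -Type CERT writes a DER-encoded .cer that contains only the public certificate
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

# Re-read the file and confirm it is the same certificate, then record the hashes
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the certificate in the store' }
if ($reloaded.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }

[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint      # compare in the console after import
    NotAfter   = $cert.NotAfter        # when this passes, import the renewed root
    File       = $OutFile
    Sha256     = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
}
```

Keep the printed thumbprint and SHA-256 with your change record and compare both on the site server before importing; after the root CA is renewed, the new certificate has a different thumbprint, which is your signal to import it again.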
PKI client certificate selection

If your IIS site systems use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, plan for how Windows clients select the certificate to use for Configuration Manager.

Note: Some devices don't support a certificate selection method. Instead, they automatically select the first certificate that fulfills the certificate requirements. For example, clients on macOS computers and mobile devices don't support a certificate selection method.

In many cases, the default configuration and behavior are sufficient. The Configuration Manager client on Windows computers filters multiple certificates by using these criteria in this order:
Configure clients to use the certificate issuers list by using the following mechanisms:
If clients don't have the certificate issuers list when they're first installed, and aren't yet assigned to the site, they skip this check. When clients do have the certificate issuers list, and don't have a PKI certificate that chains to a trusted root certificate in the certificate issuers list, certificate selection fails. Clients don't continue with the other certificate selection criteria. In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI certificate. When it doesn't, instead of selecting the certificate based on the client authentication capability alone, you can set up two alternative selection methods:
The following table shows the attribute values that Configuration Manager supports for the client certificate selection criteria:
Note: If you configure either of the above alternate certificate selection methods, the certificate Subject Name doesn't need to contain the local computer name.

If more than one appropriate certificate remains after the selection criteria are applied, the default is to select the certificate that has the longest validity period. You can override this default so that no certificate is selected instead. In that case, the client can't communicate with IIS site systems with a PKI certificate. The client sends an error message to its assigned fallback status point to alert you to the certificate selection failure, and you can then change or refine your certificate selection criteria. The client behavior then depends on whether the failed connection was over HTTPS or HTTP:
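To predict which certificate a Windows client will end up with before you change the site settings, the function below models the selection steps described above: the certificate issuers list check, the Client Authentication capability, the subject test (computer name by default, or one of the two alternative string matches), and the tie-break between longest validity and "select none". It is an added example, not the Configuration Manager client's own code, and it simplifies the real logic: the store path, issuers list, attribute names and the reading of "longest validity period" as the latest expiry date are assumptions.

```powershell
# Added example (not Configuration Manager's own code): model of client certificate
# selection so you can see which certificate in a store would be chosen.
# Store path, issuers list, attribute names and the validity tie-break are assumptions.
function Select-ClientAuthCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # default Personal store; pass a custom store if you use one
        [string[]]$IssuersList = @(),                   # thumbprints of trusted root CAs (certificate issuers list)
        [string]$SubjectContains,                       # alternative method 1: subject name contains this string
        [hashtable]$AttributeContains,                  # alternative method 2: attribute values, e.g. @{ OU = 'Workstations' }
        [switch]$SelectNoneIfMultiple                   # override the "longest validity" default with "select none"
    )
    $ClientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    $candidates = Get-ChildItem $StorePath |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now }

    # Step 1: the chain must end in a root CA that is on the certificate issuers list.
    # If the list is empty the client hasn't received it yet and this check is skipped.
    if ($IssuersList.Count -gt 0) {
        $candidates = $candidates | Where-Object {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is checked at connect time, not here
            $null = $chain.Build($_)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $IssuersList -contains $root.Thumbprint
        }
        if (-not $candidates) { throw 'No certificate chains to a root CA in the certificate issuers list; selection fails here' }
    }

    # Step 2: Client Authentication capability (EKU 1.3.6.1.5.5.7.3.2).
    $candidates = $candidates | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # Step 3: subject test. Default is that the subject contains the local computer name;
    # either alternative method replaces that test.
    if ($AttributeContains) {
        $candidates = $candidates | Where-Object {
            $cert = $_
            # Subject DN plus the SAN rendered as text ("DNS Name=host, ..."); simplified matching
            $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ', '
            $text = "$($cert.Subject), $san"
            $ok = $true
            foreach ($name in $AttributeContains.Keys) {
                $pattern = '(?i)(^|,\s*)' + [regex]::Escape($name) + '=[^,]*' + [regex]::Escape($AttributeContains[$name])
                if ($text -notmatch $pattern) { $ok = $false }
            }
            $ok
        }
    }
    elseif ($SubjectContains) {
        $candidates = $candidates | Where-Object { $_.Subject -like "*$SubjectContains*" }
    }
    else {
        $computer = [System.Net.Dns]::GetHostName()
        $candidates = $candidates | Where-Object { $_.Subject -like "*$computer*" }
    }

    $candidates = @($candidates)
    if ($candidates.Count -eq 0) { return $null }         # client reports a selection failure
    if ($candidates.Count -eq 1) { return $candidates[0] }
    if ($SelectNoneIfMultiple) {
        throw "$($candidates.Count) certificates match and 'select none' is configured; the client reports a selection failure"
    }
    # Default tie-break, read here as the certificate that stays valid longest
    $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
}

# Example calls (assumed thumbprint and attribute values)
Select-ClientAuthCertificate | Format-List Subject, Thumbprint, NotAfter
Select-ClientAuthCertificate -IssuersList @('AABBCCDDEEFF00112233445566778899AABBCCDD') -AttributeContains @{ OU = 'Workstations' } |
    Format-List Subject, Thumbprint, NotAfter
```

Run it with the same parameters you intend to set in the site, and with the custom store path if you use one; a $null result or a thrown "selection fails" message corresponds to the error the client would send to its fallback status point, which is the cue to refine the criteria before rolling the setting out.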
To help identify a unique PKI client certificate, you can also specify a custom store other than the default of Personal in the Computer store. Create a custom certificate store outside of Configuration Manager. You need to be able to deploy certificates to this custom store and renew them before the validity period expires. For more information, see Configure settings for client PKI certificates.

Transition strategy for PKI certificates

The flexible configuration options in Configuration Manager let you gradually transition clients and the site to use PKI certificates to help secure client endpoints. PKI certificates provide better security and enable you to manage internet clients. This plan first introduces PKI certificates for authentication only over HTTP, and then for authentication and encryption over HTTPS. When you follow this plan to gradually introduce these certificates, you reduce the risk that clients become unmanaged, and you benefit from the highest security that Configuration Manager supports. Because of the number of configuration options and choices in Configuration Manager, there's no single way to transition a site so that all clients use HTTPS connections. The following steps provide general guidance: