Solved Enabling SSL on SCCM

---

Hi guys,

I was wondering if someone can point out some tips on what to look for. I setup a lab to play around with SCCM and i was having success pushing out clients to test machines as well as deploying patches. I decided to play around with enabling PKI on the clients. Here is an overview of the steps I performed

I created a SCCM DP certificate (for the distribution point to enable the certificate in the component settings). I published it and imported it.
I created a SCCM Web server Certificate (for IIS). Binded 443 and can get to http://localhost:80 and https://localhost:443 from the server
I created a SCCM Client certificate (this is for the end points and created a GPO and pushed it out). I checked the personal store of a couple of machines an they have the certificate enrolled from the SCCM server) I got that working.

Once I enabled the DP to SSL, I lost all my connections (green checks) with the clients. I figured it will take some time for all the clients to update but I have been waiting for a couple of hours and the clients list as self-signed instead of PKI.

I tested from the client to see if i could navigate to the 80 and 443 pages of the SCCM server and i receive the IIS welcome page on port 80 but for 443 I receive a ERR_CONNECTION_TIMED_OUT.

I am a little stuck on what to try. I looked at the SCCM video you guys posted but it really didn't talk about SSL at all. Is there something I am missing or something I should look at to decipher why the clients are stuck?

Thanks in advance for any assistance.

@Nicholas-Wasenda,

What is the point of the SCCM Client Certificate? Are you having your web server authenticate against the client for 2 way mutual authentication? if so, make sure that the Web Server also has a copy of each client's pub key cert too.

I thought the point of the SCCM Client Certificate is to enable the change from "self-signed" in the SCCM client on the machines to "PKI" in the client due to the GPO that pushed out the certificate from the server to the clients.

How would I determine if the web server has a copy of the client's pub key cert? And how would SCCM validate this?

Is there anything on it pro.tv that showcases this?

@Nicholas-Wasenda,

I"m not completely sure if the entirety of all SCCM content is completed yet. So it may be in the future but I'm not sure when that will be scheduled.

But after reading through some of the other elements involved with PKI and SCCM. You may need to** deploy the client certificate for distribution points**.

The most guided blog post on this that I found is here

Thanks for your help Ronnie. It would be great if an updated SCCM course will be published. I believe they are at 1702 branch, since they don't refer to the new version of "SCCM 2016", but rather by the branches. Do you know if that is in the works?

@Nicholas-Wasenda,

The best way to see this is possible is through the official course request list through the course library!