IBCM Server >> Any Certificates Expert: Need your Intervention
IBCM server with MP, DP & SUP roles installed, dedicated to Internet clients.
The IBCM server's internal FQDN and public FQDN are different.
Internal FQDN : configmgr.xyz.com
Public FQDN : configmgr.abcxyz.com
We are using an internal CA Web Server Authentication certificate for the public FQDN.
All is working perfectly fine… Clients are getting trusted and communication is working as expected.
During an external VAPT (Vulnerability Assessments & Penetration Testing), we got a RED mark saying that the intermediate certificate is missing.
This can be because we have a single-tier Certificate Authority and don't have a subordinate CA to issue an intermediate certificate.
We have external CA wildcard certificates for both domains.
The site server is only used for Internet-based clients, but the SUP role is also installed, so the web server certificate must have the SAN entry for the internal FQDN as well.
One way here is to change the public FQDN to match the internal FQDN; that way, we can use the wildcard public certificate for e.g. the xyz.com domain.
Clients will automatically pick up the new Internet FQDN via GPO, but there are systems that have never been on VPN since COVID-19. Those will be in an ORPHAN state.
The second way is to purchase a dedicated external certificate for the IBCM server with both SAN entries, assuming that, since it will be from a publicly trusted CA, my clients will automatically trust it and communicate.
Kindly suggest the best way forward.
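An added example, not part of the original post: a label-by-label SAN check for the two FQDNs named above, showing which of the described certificates covers which name. The SAN lists and all function names are assumptions made for illustration, and the matching rule is a simplified RFC 6125-style one.

```python
# Added example. The SAN lists are constructed for illustration and are
# not read from any real certificate; the FQDNs are the ones in the post.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, label by label.

    Simplified RFC 6125-style rule: "*" is honoured only as the whole
    left-most label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Need a real domain after the wildcard, so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or inner wildcards are rejected here
    return p == h


def naive_suffix_match(pattern: str, hostname: str) -> bool:
    """The shortcut to avoid: plain string suffix comparison."""
    return hostname.lower().endswith(pattern.lower().lstrip("*."))


def uncovered(san_entries, required_hosts):
    """Return the required hostnames that no SAN entry covers."""
    return [h for h in required_hosts
            if not any(san_matches(s, h) for s in san_entries)]


REQUIRED = ["configmgr.xyz.com", "configmgr.abcxyz.com"]

# Constructed SAN sets for the certificates described in the post.
CANDIDATES = {
    "wildcard for xyz.com": ["*.xyz.com"],
    "wildcard for abcxyz.com": ["*.abcxyz.com"],
    "dedicated two-SAN cert": ["configmgr.xyz.com", "configmgr.abcxyz.com"],
}


def report():
    """Map each candidate certificate to the FQDNs it leaves uncovered."""
    return {name: uncovered(sans, REQUIRED) for name, sans in CANDIDATES.items()}


if __name__ == "__main__":
    for name, missing in report().items():
        print(f"{name}: {'covers both' if not missing else 'missing ' + ', '.join(missing)}")
```

Because `configmgr.abcxyz.com` ends with the string `xyz.com`, a plain suffix comparison reports the `*.xyz.com` wildcard as covering it, while label-by-label matching does not.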
Answer ( 1 )
Are you already able to fix the issue?
I don’t have many inputs here.
But this is a PKI security issue, not an SCCM issue… isn’t it?
I will try to move away from IBCM and use CMG… Does that work for you?