Hey, so I'm going back to working on my lab, and now I'm adding a Cloud Management Gateway (CMG). If you followed along, you'll be all set for where I pick up.
Assumptions: you have an internal Enterprise CA set up, and you'll use that internal CA to issue the certificates CMG requires.
See the Certificate Authority post for help setting up your CA if you haven't done that yet.
I'll also mention this is NOT the only way to set up CMG; you can do it without an internal CA and use a certificate from a third-party Certificate Authority, but I'm not going to cover that here.
Recommended Reading / Viewing:
Full disclosure: those are the three items I used to set up CMG, and I highly recommend them. So why continue? The MS Docs are good, but I'm a visual guy and like to see the images. The videos are great, but then you've got to get good at pausing videos and working through them. It's just a matter of personal preference. I give credit to those three items for educating me enough to create this content.
With that intro behind us, let's lay out how we're going to go through this:
With that outline, let's get started.
So, what Certificates are needed? [MS Docs]
So hopefully you've set up your CA, set the client authentication certificate template to auto-enroll, and all of your clients have the cert. For a good walkthrough, Justin has that on video too: [YouTube @ 9:26]
You create a duplicate of the Workstation Authentication template, name it what you want, then give Domain Computers the Read, Enroll and Autoenroll security permissions on it.
On the workstations, autoenrollment picks up the template and the clients will have this cert after the next policy update:
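Before moving on to the server certificate, it's worth confirming that the workstations actually received a usable client authentication cert. The script below is an added example (not from the original post) that you run on a domain-joined workstation: it forces an autoenrollment pulse, finds certs from your CA with the Client Authentication EKU, and checks that each one chains to a trusted root and carries the machine's FQDN. The CA name `Lab Enterprise CA` is an assumption; substitute your own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on a workstation.
# Assumption: the issuing CA's common name is "Lab Enterprise CA" (change to match your lab).
$IssuingCaName = 'Lab Enterprise CA'

# Trigger autoenrollment now instead of waiting for the next Group Policy refresh
certutil -pulse | Out-Null
Start-Sleep -Seconds 5

# The ConfigMgr client looks for a cert in LocalMachine\My with a private key, the
# Client Authentication EKU, and the computer's FQDN in the subject/SAN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$clientCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' -and
    $_.Issuer -like "CN=$IssuingCaName*" -and
    $_.NotAfter -gt (Get-Date)
}

if (-not $clientCerts) {
    Write-Warning "No client authentication cert issued by '$IssuingCaName' in LocalMachine\My."
    Write-Warning 'Check that Domain Computers has Read, Enroll and Autoenroll on the duplicated template,'
    Write-Warning 'that the template is published on the CA, and that the autoenrollment GPO applies here.'
    exit 1
}

foreach ($c in $clientCerts) {
    # Verify() builds the chain against the machine's trusted roots and checks revocation,
    # which is the same thing the CM client and CMG will require of this cert.
    $chainOk = $c.Verify()
    $nameOk  = $c.DnsNameList.Unicode -contains $fqdn
    if (-not $nameOk) { Write-Warning "$($c.Thumbprint) does not carry $fqdn in its SAN; CM will not select it." }
    '{0}  {1}  expires {2:yyyy-MM-dd}  chain valid: {3}' -f $c.Thumbprint, $c.Subject, $c.NotAfter, $chainOk
}
```

If the chain check fails on a workstation, fix the root CA distribution (GPO trusted root publishing) before touching CMG; the CMG client-facing side will fail the same way.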
Here you'll make a duplicate of the Web Server template and set up a few things: the subject name is the CMG service name, and the private key must be marked exportable so you can pull it out as a PFX in a later step. Justin's video does a good job of explaining this too.
Here I've got it set to a group of servers, so I can enroll from any of those to create the cert to export. Now, on one of my web servers, I can request the cert:
Now that we have it, we need to export it:
Yes, export that private key!
Now then, save the cert's PFX file for use when we set up the CMG.
While there are several ways to get the root CA certificate, this is how I did it, since I was already in the CA console:
Certificate Authority console -> right-click the CA server -> Properties -> General -> View Certificate -> Details -> Copy to File... -> Next
DER encoded binary X.509 (.CER) is the format we need.
Then save it to a location.
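The same two artifacts (server authentication PFX and root CA .cer) can be produced from PowerShell instead of the MMC wizards. The script below is an added example and not the post's own commands. It assumes the duplicated Web Server template is published as `CMG Server Auth`, that the CMG service name is `cmg.lab.example.com`, and that the files go in `C:\CMG`; change those to match your lab. It also pulls the CA certificates out of the chain of the cert you just had issued, so you do not have to guess which root in the store is the right one.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined server that is
# allowed to enroll from the template. All three values below are assumptions for this lab.
$Template = 'CMG Server Auth'        # name of the duplicated Web Server template
$CmgFqdn  = 'cmg.lab.example.com'    # the CMG service name; must match the cert subject
$OutDir   = 'C:\CMG'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Request the server authentication cert from the enterprise CA (the same thing the
#    MMC "Request New Certificate" wizard does). -SubjectName only takes effect if the template
#    is set to "Supply in the request"; the template must also allow the private key to be exported.
$req = Get-Certificate -Template $Template -SubjectName "CN=$CmgFqdn" -DnsName $CmgFqdn `
                       -CertStoreLocation Cert:\LocalMachine\My
if ("$($req.Status)" -ne 'Issued') { throw "Enrollment did not complete; status is $($req.Status)" }
$cert = $req.Certificate

# 2. Checks a practitioner wants before exporting anything
if (-not $cert.HasPrivateKey) { throw 'Issued cert has no private key in this store.' }
if ($cert.EnhancedKeyUsageList.FriendlyName -notcontains 'Server Authentication') {
    throw 'Cert lacks the Server Authentication EKU; the template duplicate is wrong.'
}
if ($cert.DnsNameList.Unicode -notcontains $CmgFqdn) {
    Write-Warning "SAN does not contain $CmgFqdn; CMG clients will fail name validation."
}

# 3. Export the cert with its private key as a password-protected PFX for the CMG wizard.
#    Export-PfxCertificate fails if the template did not mark the key exportable.
$pfxPath     = Join-Path $OutDir 'cmg-server-auth.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
} catch {
    throw "PFX export failed (is 'Allow private key to be exported' ticked on the template?): $_"
}

# 4. Export the CA certificates as DER (.cer). -Type CERT is DER encoded binary X.509, the
#    same option as "DER encoded binary X.509 (.CER)" in the Copy to File wizard.
#    Every CA in the chain is exported: CMG wants the root and any intermediates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($cert)
$caCerts = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }
$i = 0
foreach ($ca in $caCerts) {
    $kind = if ($ca.Subject -eq $ca.Issuer) { 'root' } else { 'intermediate' }
    $cerPath = Join-Path $OutDir ('ca-{0}-{1}.cer' -f $i, $kind)
    Export-Certificate -Cert $ca -FilePath $cerPath -Type CERT | Out-Null
    '{0,-12} {1}  -> {2}' -f $kind, $ca.Subject, $cerPath
    $i++
}
'PFX written to {0} (thumbprint {1})' -f $pfxPath, $cert.Thumbprint
```

The PFX password is only asked for interactively so it never lands in a script or shell history; treat the PFX itself as a secret, since anyone holding it can impersonate your CMG to every client.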
One more thing we'll want to do in CM is allow the site to use the PKI client certificate. [MS Docs]
Administration node -> Site Configuration -> Sites -> Properties -> Communication Security tab -> tick "Use PKI client certificate (client authentication capability) when available"
This cert and the others will be used in other places, but this post is getting long enough for now. Stick around for the next one.
Related Blog Posts: