Configuration Manager - Setting up Cloud Services using Wildcard Certificates

Hello all,

I wanted to take a second to introduce a new contributor to the blog, Matt Toto.  Matt and I have known each other for about 5 years and have even teamed up on some customer engagements recently.  I asked Matt if he'd like to bring his expertise to this blog and he graciously agreed.  With that, take it away Matt....

===================================================================================================================

Hi Everyone!  This is Matt Toto; I'm a ConfigMgr PFE focused on Cloud Services.  In this article I'll be sharing how to use a wildcard certificate to set up both the Cloud Management Gateway (CMG) and the Cloud Distribution Point (CDP).  Support for this capability was added to Configuration Manager in version 1802.

Using a wildcard certificate to create cloud services in Configuration Manager (CMG and CDP) has a lot of benefits.  It reduces the cost and maintenance overhead of issuing and renewing a separate certificate for every service.  The single wildcard cert can also be used as the management certificate if you are using the classic deployment model, and it can be reused to create as many CMGs and CDPs as you need.  The process is quite simple.  Let's get started!

 

Step one is to obtain a wildcard certificate for your domain, for example *.contoso.com, from either your internal PKI or a public CA.  In my lab I use a public cert from DigiCert for an ARM CMG, and this example is based on that configuration.

Next you'll need to create a Cloud Management Gateway in Configuration Manager.  On the General page of the wizard, sign in with an Azure administrator account so that Configuration Manager can read your subscription information.

 

 

On the Settings page of the wizard, specify your wildcard certificate (the .pfx file) and enter its password.  You will receive the following prompt informing you that the Common Name (CN) of the certificate contains a wildcard.  That's OK, we'll fix it in a bit.  For now, just click OK, ok?

 

 

Initially your screen will look something like this.  Note that it's telling you the name cannot contain special characters, which, for the moment, it does: the asterisk from the wildcard.

 

 

This is where you come in!  Notice the Service FQDN box?  Yes, it does look unhappy with that red SPLAT.  But it also looks like you can type in that box, right?  Normally you cannot enter text here because it is auto-populated from the CN of the certificate.  In this case, because the CN is a wildcard, you actually NEED to type a unique name here.

 

 

 

Go ahead, type something unique.  All you have to do is come up with a unique name, enter it in the box, then click out of the box.  Keep in mind that a wildcard matches exactly one label: *.contoso.com covers cmg.contoso.com, but not cmg.emea.contoso.com, so the FQDN you enter must sit directly under the wildcard's domain or clients will reject the certificate.  Once you click out of the box, the Service Name box will display the name you provided and you can continue with the setup.  Like so…

 

 

After finishing the wizard, the service is provisioned with that value as its Service Name, and the Cloud Service Name is that name with .cloudapp.net appended.  Because the result is a public host name under cloudapp.net, the Service Name has to be unique across Azure, not just within your environment.

 

 

Now that the service is provisioned, you'll need to update DNS.  Add a CNAME record that maps the Service FQDN (the name your ConfigMgr clients will try to resolve) to the Cloud Service Name, which in this example is UniqueName.cloudapp.net.  Internet-based clients have to resolve this name, so the CNAME must live in a zone that is resolvable from the internet, not only in your internal DNS.
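The steps above (pick a Service FQDN the wildcard covers, create the CNAME, confirm what clients resolve) can be checked from a PowerShell prompt before you point any clients at the CMG.  The script below is an added example and is not code from the original post or from Configuration Manager; the PFX path and password, the wildcard *.contoso.com, the Service FQDN UniqueName.contoso.com, the service name UniqueName and the zone contoso.com are all assumed values.  The name check goes slightly beyond the single case in the post: it applies the general one-label wildcard rule to any name in the CN or SAN list, so it also catches a name two labels deep that the wildcard would not cover.

```powershell
# Added example (not code from the original post): pre-flight checks for a CMG built on a
# wildcard certificate. Assumed/hypothetical values: the PFX path and password, the wildcard
# *.contoso.com, the Service FQDN UniqueName.contoso.com and the Azure service name UniqueName
# (which Azure exposes as UniqueName.cloudapp.net). Adjust the parameters to your environment.
param(
    [string]$PfxPath     = 'C:\certs\wildcard-contoso.pfx',
    [string]$PfxPassword = 'ChangeMe',               # demo only; prefer Get-Credential in practice
    [string]$ServiceFqdn = 'UniqueName.contoso.com', # the value you typed into the Service FQDN box
    [string]$ServiceName = 'UniqueName',             # the Azure cloud service name from the wizard
    [string]$ZoneName    = 'contoso.com'             # DNS zone that will hold the CNAME
)

# Collect every DNS name the certificate is valid for: the Subject CN plus any SAN entries.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if ($san) {
        # Format($true) renders one "DNS Name=<host>" entry per line on Windows
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    return @($names | Select-Object -Unique)
}

# Wildcard matching as TLS clients do it (RFC 6125): '*' stands for exactly one label, in the
# left-most position only. *.contoso.com covers UniqueName.contoso.com but not a.b.contoso.com.
function Test-NameCoveredByCert {
    param([string]$Fqdn, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $Fqdn) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                                   # ".contoso.com"
            if ($Fqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# 1. Load the PFX and make sure the chosen Service FQDN is actually covered by the wildcard.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$certNames = Get-CertDnsNames -Cert $cert
Write-Host "Certificate names: $($certNames -join ', ')"
if (-not (Test-NameCoveredByCert -Fqdn $ServiceFqdn -CertNames $certNames)) {
    throw "$ServiceFqdn is not covered by this certificate (a wildcard matches a single label only)."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before the CMG goes dark."
}

# 2. Create the CNAME: <Service FQDN> -> <ServiceName>.cloudapp.net.
#    This cmdlet only applies when the zone lives on a Windows DNS Server; for a public DNS
#    provider, create the same record in its portal. Internet clients must be able to resolve it.
$cloudHost = "$ServiceName.cloudapp.net"
$label = $ServiceFqdn.Substring(0, $ServiceFqdn.Length - $ZoneName.Length - 1)   # "UniqueName"
if (Get-Command Add-DnsServerResourceRecordCName -ErrorAction SilentlyContinue) {
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $label -HostNameAlias $cloudHost
}

# 3. Verify what a client will see: the name must resolve to a CNAME pointing at the cloud service.
$cname = Resolve-DnsName -Name $ServiceFqdn -Type CNAME -ErrorAction Stop |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname -or $cname.NameHost -ine $cloudHost) {
    throw "Expected $ServiceFqdn to be a CNAME for $cloudHost, got '$($cname.NameHost)'."
}
Write-Host "OK: $ServiceFqdn -> $cloudHost, and the certificate covers $ServiceFqdn."
```

Run it after the wizard finishes and before you change client settings.  The Add-DnsServerResourceRecordCName step is skipped automatically on a machine without the DnsServer module, so the script is still useful purely as a check when the zone is hosted by a public DNS provider; if the final Resolve-DnsName check fails, wait for propagation or look for a stale record before troubleshooting the CMG itself.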

 

 

 

That's it!  Support for wildcard certificates is a game changer for setting up the Cloud Management Gateway and Cloud Distribution Point in Azure!

Comments

  • Anonymous
    July 16, 2018
Hi Matt, thank you for sharing. I have a query related to the certificate for CMG. When creating the CSR for the CMG VM, should the CSR contain CMGVM01.cloudapp.net as one of the SANs? Or can the CSR contain only CMGVM01.companyinternaldomain.com?
    • Anonymous
      July 17, 2018
For the CMG cert, our guidance on the SAN field is to use it as a means of identifying the certificate. My recommendation would be to only use your companyinternaldomain.com if you are going to use a public certificate provider. If you are using internal PKI then there is no harm in putting either or both in the SAN field.
  • Anonymous
    June 14, 2019
Hello. Can a public cert have 4 SAN names? I have a cert with that, but the CMG can only see 2 of them.