Config Manager client https security certificate handling

ritmo2k 706 Reputation points
2021-10-03T02:14:11.883+00:00

I am using Config Manager 2107 and have enabled HTTPS-only client communication. I have several scenarios where clients with existing certificates have the wrong certificate selected and the connection fails.

Given the options available with the client (an alternate store or subject attribute prerequisites), how can we deploy auto-enrolled certificates using an Active Directory integrated certificate authority with templates?

I am not aware of any facility on the template to specify any of the criteria that the clients could use?

Microsoft Configuration Manager

Accepted answer
  1. ritmo2k 706 Reputation points
    2021-10-06T10:29:24.38+00:00

4 additional answers

  1. AllenLiu-MSFT 39,916 Reputation points Microsoft Vendor
    2021-10-04T06:42:10.757+00:00

    Hi, @ritmo2k
    Thank you for posting in Microsoft Q&A forum.

    We may try to configure the "Client certificate selection criteria when more than one certificate is available" in the site setting to manage the certificate selection.

    We can go through this path: CM console > Administration > Site Configuration > Sites > right-click the site and choose Properties > select Communication Security tab.
    And then, modify the Client certificate selection settings.

    For more details:
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/configure-security#client-pki-certificates

    For more information about the client certificate selection method, see Planning for PKI client certificate selection.
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/plan-for-certificates#pki-client-certificate-selection


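    The selection criteria that answer refers to can be hard to reason about on a machine that holds several certificates. The script below is an added example (it is not code from this thread or from Microsoft) that approximates the three criteria, Client Authentication capability, Subject contains string, and Subject or SAN includes attribute, against the local computer's Personal store, so you can see which certificate(s) would qualify before changing the site setting and compare the result with the thumbprint logged in ClientAuth.log. Everything beyond the three criteria names is my assumption: the Client Authentication EKU OID 1.3.6.1.5.5.7.3.2, the eligibility checks (valid dates, private key, trusted chain), the substring-style attribute match, and the longest-validity tie-break, which is how I read the linked "PKI client certificate selection" documentation.

```powershell
# Added example, not code from the Q&A thread or from Microsoft.
# Approximates Configuration Manager's client certificate selection against
# Cert:\LocalMachine\My. Assumptions (mine): EKU OID for Client Authentication,
# the eligibility checks in Test-Eligible, a substring match for attributes,
# and "longest validity wins" when more than one certificate matches.

[CmdletBinding()]
param(
    [ValidateSet('ClientAuthentication', 'SubjectContains', 'SubjectOrSanAttribute')]
    [string]$Criteria = 'ClientAuthentication',
    # Substring for SubjectContains, or attribute text (e.g. "DNS Name=pc01.corp.example")
    # for SubjectOrSanAttribute. Ignored for ClientAuthentication.
    [string]$Value = ''
)

if ($Criteria -ne 'ClientAuthentication' -and -not $Value) {
    throw "-Value is required when -Criteria is '$Criteria'."
}

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (assumed, standard EKU OID)
$EkuOid        = '2.5.29.37'           # extendedKeyUsage extension
$SanOid        = '2.5.29.17'           # subjectAltName extension
$Now           = Get-Date

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Get-SanText {
    # Returns the SAN extension rendered as text (empty string if absent).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) { return $san.Format($false) } else { return '' }
}

function Test-Eligible {
    # Baseline requirements applied before any selection criteria (assumed):
    # private key present, currently valid, chain verifies, Client Auth EKU.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    return ($Cert.HasPrivateKey -and
            $Cert.NotBefore -le $Now -and
            $Cert.NotAfter -gt $Now -and
            $Cert.Verify() -and
            (Test-ClientAuthEku $Cert))
}

function Test-Criteria {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    switch ($Criteria) {
        'ClientAuthentication'  { return $true }  # EKU already enforced by Test-Eligible
        'SubjectContains'       { return ($Cert.Subject -like "*$Value*") }
        'SubjectOrSanAttribute' {
            return ($Cert.Subject -like "*$Value*") -or ((Get-SanText $Cert) -like "*$Value*")
        }
    }
}

$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Test-Eligible $_) -and (Test-Criteria $_) })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My satisfies '$Criteria' (value '$Value')."
    return
}

# Assumed tie-break: prefer the certificate with the longest remaining validity.
$selected = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

$candidates |
    Select-Object Thumbprint, Subject, NotAfter,
        @{ Name = 'Selected'; Expression = { $_.Thumbprint -eq $selected.Thumbprint } } |
    Format-Table -AutoSize
```

    Run it on an affected client, for example `.\Select-CmClientCert.ps1 -Criteria SubjectContains -Value 'ConfigMgr Client'` (the script name is my choice), and check whether the thumbprint it marks as Selected is the one ClientAuth.log shows the client actually chose. If several certificates qualify under the Client Authentication default, that is the case the Subject or Subject/SAN criteria exist for; if none qualifies, the problem is on the template side (EKU, private key, or chain) rather than in the site setting. The same site setting is also exposed through the ConfigMgr PowerShell module's Set-CMSite cmdlet; verify the exact parameter names for the client certificate selection criteria in your version with Get-Help before scripting it.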

  2. Pavel yannara Mirochnitchenko 11,596 Reputation points
    2021-10-03T15:32:46.007+00:00

    I have this old strong belief that in PKI, you should keep your certificates to a minimum and try to utilize the same cert for multiple purposes. For example, CM HTTPS and DirectAccess utilize the same cert. How many different certs have you deployed to the computer store on your workstations?

    I also suggest taking a closer look at the MS docs documentation about the certificate templates that need to be created for CM, and make sure you have created the workstation template exactly as MS says. It is also a common mistake in PKI that admins just create the default template without reading the documentation.

    In ClientAuth.log you can see, by cert thumbprint, which cert it selected for CM services and what happens during the authorization.


  3. ritmo2k 706 Reputation points
    2021-10-03T18:47:56.523+00:00

    The client certificates have been created exactly as per the documentation, and the incorrect selection was inferred from the client logs.

    In most cases, clients only have the single certificate that was auto-enrolled as per Config Manager's requirement. However, it's naive to think that in an enterprise, even servers will only have a single certificate, web servers, Exchange, and other servers have similar certificate requirements.


  4. Rahul Jindal [MVP] 9,126 Reputation points MVP
    2021-10-03T21:56:01.86+00:00

    Microsoft introduced EHTTP to address such issues and reduce the overhead involved in managing PKI certificates. I am not saying that EHTTP replaces the security the PKI offers, but at the end of the day the goal should be to secure client communication and EHTTP does exactly that. Maybe something to think about.
