CMG server authentication certificate
Applies to: Configuration Manager (current branch)
The first step when you set up a cloud management gateway (CMG) is to get the server authentication certificate. The CMG creates an HTTPS service to which internet-based clients connect. The server requires a server authentication certificate to build the secure channel. You can acquire a certificate for this purpose from a public provider, or issue it from your public key infrastructure (PKI).
When you create the CMG in the Configuration Manager console, you provide this certificate. The common name (CN) of this certificate defines the service name of the CMG.
Note
You may need additional certificates for clients and management points. These certificates are covered in the third step of the CMG setup process, Configure client authentication.
A reminder of some CMG terminology that's used in this article:
Service name: The common name (CN) of the CMG server authentication certificate. Clients and the CMG connection point site system role communicate with this service name. For example,
GraniteFalls.contoso.comorGraniteFalls.WestUS.CloudApp.Azure.Com.Deployment name: The first part of the service name plus the Azure location for the cloud service deployment. The cloud service manager component of the service connection point uses this name when it deploys the CMG in Azure. The deployment name is always in an Azure domain. The Azure location depends upon the deployment method, for example:
- Virtual machine scale set:
GraniteFalls.WestUS.CloudApp.Azure.Com - Classic deployment:
GraniteFalls.CloudApp.Net
Important
This article uses examples with a virtual machine scale set as the recommended deployment method in version 2107 and later. If you use a classic deployment, note the difference as you read this article and prepare the server authentication certificate.
- Virtual machine scale set:
Choose the certificate type
First, decide where you want to get the certificate. There are several factors to consider.
Clients must trust the CMG server authentication certificate to establish the HTTPS channel with the CMG service. There are two methods to accomplish this trust:
Use a certificate from a public and globally trusted certificate provider.
Windows clients include trusted root certificate authorities (CAs) from these providers. By using a certificate issued by one of these providers, your clients automatically trust it.
There's a cost associated with this certificate, which is specific to the provider.
Use a certificate issued by an enterprise CA from your public key infrastructure (PKI).
Most enterprise PKI implementations add the trusted root CAs to Windows clients. For example, if you use Active Directory Certificate Services with group policy. If you issue the CMG server authentication certificate from a CA that your clients don't automatically trust, add the CA trusted root certificate to internet-based clients.
If you plan to install the Configuration Manager client from Intune, you can also use Intune certificate profiles to provision certificates on clients. For more information, see Configure a certificate profile.
Your organization may have an internal cost to issue certificates, but there are generally no external costs associated with this certificate.
Important
Before you get this certificate, make sure the service name is globally unique for the cloud service and storage account. Also make sure the name uses supported characters. For more information, see Globally unique name.
Summary comparison of certificate types
| Public provider | Enterprise PKI | |
|---|---|---|
| Client trust | Trusted in Windows by default | Automatic with some implementations, otherwise need to deploy |
| Cost | Yes | Not typical |
| Service name example | GraniteFalls.contoso.com |
GraniteFalls.contoso.com or GraniteFalls.WestUS.CloudApp.Azure.Com |
| DNS CNAME required | Yes | No for Azure domain service name (GraniteFalls.WestUS.CloudApp.Azure.Com) |
Note
The CMG server authentication certificate supports wildcards. Some certificate authorities issue certificates using a wildcard character for the service name prefix. For example, *.contoso.com. Some organizations use wildcard certificates to simplify their PKI and reduce maintenance costs.
For more information on how to use a wildcard certificate with a CMG, see Set up a CMG.
Globally unique name
This certificate requires a globally unique name to identify the service in Azure. Before you request a certificate, confirm that the Azure deployment name you want is unique. For example, GraniteFalls.WestUS.CloudApp.Azure.Com.
Virtual machine scale set
Sign in to the Azure portal.
From the Azure portal home page, select Create a resource under Azure services.
Search for Virtual machine scale set. Select Create.
Select the Subscription and Resource group that you'll use for the CMG.
In the Virtual machine scale set name field, type the prefix that you want. For example,
GraniteFalls.Select the Region that you'll use for the CMG. For example, (US) West US.
The interface reflects whether the domain name is available or already in use by another service.
Important
Don't create the service in the portal, just use this process to check the name availability.
Content-enabled CMG storage account
If you also enable the CMG for content, confirm that it's also a unique Azure storage account name. If the CMG deployment name is unique, but the storage account isn't, Configuration Manager fails to provision the service in Azure. Repeat the above process in the Azure portal with the following changes:
Search for Storage account.
Test your name in the Storage account name field.
Important
The DNS name prefix should be 3 to 24 characters long, and contain numbers and lowercase letters only. Don't use special characters, like a dash (-). For example: granitefalls.
Issue the certificate
The CMG server authentication certificate supports the following configurations:
2048-bit or 4096-bit key length
This certificate supports key storage providers for certificate private keys (v3). For more information, see CNG v3 certificates overview.
Use a public provider certificate
A third-party certificate provider can't create a certificate for an Azure domain like cloudapp.azure.com, because Microsoft owns those domains. You can only get a certificate issued for a domain you own. The main reason for acquiring a certificate from a third-party provider is that your clients already trust that provider's root certificate.
The specific process to get this certificate varies by provider. For more information, contact your third-party certificate provider.
For the web server certificate common name (CN):
You've made sure the deployment name is globally unique in Azure for the cloud service and storage account. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com.To determine the service name, append the deployment name prefix (
GraniteFalls) to your organization's domain name (contoso.com).Use this service name for the certificate common name (CN). For example,
GraniteFalls.contoso.com.
Next, you need to create a DNS CNAME alias.
Use an enterprise PKI certificate
Issuing a web server certificate from your organization's PKI varies by product. The instructions for Deploying the service certificate for cloud-based distribution points are for Active Directory Certificate Services. This process generally applies for the CMG server authentication certificate.
For the web server certificate common name (CN):
You've made sure the deployment name is globally unique in Azure for the cloud service and storage account. For example,
GraniteFalls.WestUS.CloudApp.Azure.Com.To determine the service name, you have two options:
Use your domain name (recommended). Append the deployment name prefix (
GraniteFalls) to your organization's domain name (contoso.com). For example,GraniteFalls.contoso.com. For this option, you also need to create a DNS CNAME alias.Use the Azure deployment name. This option doesn't require a DNS CNAME alias. For example:
For the Azure public cloud:
GraniteFalls.WestUS.CloudApp.Azure.Com.For the Azure US Government cloud:
GraniteFalls.usgovcloudapp.net.
Note
If the Azure deployment name changes, you'll need to redeploy the service to change this service name. For example, if your service name is in the
cloudapp.netdomain, you can't convert the classic cloud service CMG to a virtual machine scale set. If you use your domain name for the CMG service name, then you can update the DNS CNAME for the new deployment name.
Use this service name for the certificate common name (CN).
Create a DNS CNAME alias
If the CMG service name uses your organization's domain name (GraniteFalls.contoso.com), you need to create a DNS canonical name record (CNAME). This alias maps the service name to the deployment name.
Create a CNAME record in your organization's public DNS. The CMG service in Azure and all clients that use it need to resolve the service name. For example:
Contoso names their CMG GraniteFalls.
The deployment name in Azure is
GraniteFalls.WestUS.CloudApp.Azure.Com.In Contoso's public DNS
contoso.comnamespace, the DNS administrator creates a new CNAME record for the service nameGraniteFalls.contoso.comto the Azure deployment name,GraniteFalls.WestUS.CloudApp.Azure.Com.
When you create the CMG, while the certificate has GraniteFalls.contoso.com as the CN, Configuration Manager only extracts the service name prefix, for example: GraniteFalls. It appends this prefix to the Azure service domain (cloudapp.azure.com) with the region (westus) to create the deployment name. For example, GraniteFalls.WestUS.CloudApp.Azure.Com. The CNAME alias in the DNS namespace for your domain (contoso.com) maps together these two FQDNs.
The Configuration Manager client policy includes the CMG service name, GraniteFalls.contoso.com. The client resolves the service name via the CNAME alias to the deployment name, GraniteFalls.WestUS.CloudApp.Azure.Com. It then can resolve the IP address of the deployment name to communicate with the service in Azure.
Next steps
Continue your CMG setup by configuring Azure Active Directory (Azure AD):