Introduction:
Cloud Management Gateway (CMG) lets you manage Configuration Manager clients on the internet without any additional on-premises infrastructure.
Due to COVID-19, most of the workforce is working from home (with or without VPN), and the need to manage those endpoints through the Cloud Management Gateway (CMG) is enormous. Many organizations have already implemented CMG to manage Windows devices that are connected outside the office network or that reach the office network over VPN.
If you are yet to implement the cloud management gateway service in your organization and need assistance, please check here.
Implementing CMG requires a server authentication certificate (PKI or public) and, optionally, client authentication certificates.
The server authentication certificate is required to build a secure channel with the CMG cloud service: the CMG cloud service uses it to stand up the HTTPS endpoint to which internet-based clients connect.
The server authentication certificate can come either from your own public key infrastructure (PKI) or from a public provider such as DigiCert or another global certificate authority.
Microsoft strongly recommends a public, globally trusted certificate provider, but whether to use PKI or a public certificate is ultimately the organization's choice.
For more information about the Cloud Management Gateway choices, please refer to Jason's post here.
In this blog post, we will see how to create a CMG server authentication certificate from DigiCert.
Following are the steps:
Check the DNS name in the Azure portal (Cloud services (classic)):
First, we need to check whether the DNS name we want is available in the Azure portal.
Log in to the Azure portal, click All services, and select Cloud services (classic).
Click Add.
Enter the DNS name that you want to use and verify that it is available (green tick). If it shows red, the name is already taken and you must choose another.
If it is available, make a note of it. In my case, cmcb.cloudapp.net is available. Do not create anything here; we only verify that the name is available.
Create a CNAME record in the public DNS:
Next, go to the public DNS zone that you manage and create a CNAME record.
In my case, my public DNS zone is eskonr.com, and I will create a CNAME record cmcb.eskonr.com pointing to the real hostname cmcb.cloudapp.net.
In your organization, you may have to reach out to the team that manages the public DNS and provide the following details.
CNAME record: cmcb.eskonr.com pointing to cmcb.cloudapp.net
Make sure that cmcb.eskonr.com is not already in use in your public DNS; the alias must be unique.
Following is the CNAME record in the public DNS. You can leave the default values, such as the TTL of 600, as they are.
Request a public certificate from DigiCert for CMG server authentication:
Now we will request a server authentication certificate from DigiCert, using the CNAME alias as the common name (CN).
To create the certificate signing request (CSR), we will use the DigiCert Certificate Utility for Windows.
Download the DigiCert Windows utility from https://www.digicert.com/util/
Once the tool is downloaded, launch DigiCertUtil.exe.
Click SSL, then click Create CSR.
Enter the common name. This is the CNAME record that we created in our public DNS (cmcb.eskonr.com). The CMG server authentication certificate also supports wildcard names such as *.eskonr.com.
Click Generate.
You will now see the CSR text, which you can copy into a .txt file.
Click Close.
Request your SSL certificate for CMG cloud service:
We will now log in to the DigiCert portal, select the certificate category, upload this CSR, and make the payment.
Log in to https://www.digicert.com/
After you log in to the DigiCert portal, you will see Request a certificate; clicking it displays the category list.
Once you select the certificate type, you will be prompted for the certificate details.
Upload the CSR file and choose the validity period. Based on your selection, the cost is shown in the transaction summary.
For proving control over your domain, I selected email, as it is easy to confirm through email with one click.
There is a list of predefined email addresses for your domain. After you place the order, you can edit it and choose the email address that should receive the confirmation email used to prove control over the domain.
Once you are done with the payment, click Submit certificate request.
Once the order confirmation is done, you will see the order status as pending.
Before DigiCert can issue your certificate, you must prove your control over the domains listed on the certificate.
On the order section, you can customize additional emails, renewal notice, renewal messages for this order, etc.
Once the order is approved, you can log in to the DigiCert portal and download the certificate.
Following is the sample email that I received from DigiCert.
Please note that, when you go to the download section, there are many formats to choose from.
In my case, I selected the following.
You can also choose separate primary and intermediate .crt files (zipped)
I tried with .cer and .crt, both have the same output for CMG cert (pfx format).
Once the certificates are downloaded, extract the archive; you will see a certificate file named after the common name (cmcb.eskonr.com) ending with .cer.
Now go to the computer on which you ran the DigiCert tool earlier to generate the CSR, launch the tool, sign in, click SSL, and click Import.
Depending on the format you downloaded earlier (.cer or .crt), choose the file whose name contains the common name (in my case, cmcb.eskonr.com).
Once it is done, the certificate will be visible in the SSL certificate list.
Export the SSL certificate (PFX format):
Click the certificate that we imported and select Export Certificate.
To protect the exported private key, enter a strong password.
Finally, you will be prompted to save the .pfx file.
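As an added example (not part of the original post or of the DigiCert tooling), the following PowerShell checks the CNAME from the earlier DNS step and the exported PFX before it is handed to the CMG wizard. The DNS names are the ones used in this post; the PFX path is an assumption.

```powershell
# Added example (not from the original post): pre-flight checks for the CNAME
# and the exported PFX. Assumed: cmcb.eskonr.com / cmcb.cloudapp.net are this
# post's names, the PFX path is hypothetical, DnsClient and PKI modules present.

function Test-CmgCname {
    param([string]$Alias, [string]$ExpectedTarget)
    # Resolve-DnsName exposes a CNAME target as NameHost
    $rec = @(Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' })
    if ($rec.Count -eq 0) { throw "No CNAME record found for $Alias" }
    $target = $rec[0].NameHost.TrimEnd('.')
    if ($target -ne $ExpectedTarget) {
        throw "CNAME for $Alias points to $target, expected $ExpectedTarget"
    }
    "OK: $Alias -> $target"
}

function Test-CmgPfx {
    param([string]$Path, [securestring]$Password, [string]$Alias)
    # Get-PfxData loads the end-entity certificate plus any bundled chain certs
    $pfx  = Get-PfxData -FilePath $Path -Password $Password
    $cert = $pfx.EndEntityCertificates[0]
    $problems = @()
    # The CMG terminates HTTPS with this cert, so the private key must be in the PFX
    if (-not $cert.HasPrivateKey) { $problems += 'private key missing from PFX' }
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'Server Authentication EKU missing'
    }
    # The CNAME alias must match a SAN DNS name; a single-label wildcard (*.eskonr.com) also counts
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $match = $names | Where-Object {
        $_ -eq $Alias -or
        ($_.StartsWith('*.') -and $_.Split('.').Count -eq $Alias.Split('.').Count -and $Alias -like $_)
    }
    if (-not $match) { $problems += "no SAN matches $Alias (SANs: $($names -join ', '))" }
    # Flag certificates that expire within 30 days so renewal is planned, not discovered
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }

    "Subject: $($cert.Subject); chain certs bundled: $($pfx.OtherCertificates.Count)"
    if ($problems.Count -gt 0) { throw "PFX not usable for CMG: $($problems -join '; ')" }
    "OK: PFX is ready for the CMG wizard"
}

Test-CmgCname -Alias 'cmcb.eskonr.com' -ExpectedTarget 'cmcb.cloudapp.net'
Test-CmgPfx -Path 'C:\certs\cmcb.pfx' -Password (Read-Host 'PFX password' -AsSecureString) -Alias 'cmcb.eskonr.com'
```

Run it on the machine where you exported the PFX; a thrown error lists every failed check at once, so the certificate can be reissued or re-exported before the CMG deployment is attempted.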
We have now successfully created a server authentication certificate that can be used to create a CMG cloud service using a public cert.
To set up a cloud management gateway service, please refer to this guide.
I hope this has been informative for you.