How to request a cert from public provider for Cloud management gateway


Cloud management gateway (CMG) helps you to manage the configuration manager clients on the internet without any additional on-premise infrastructure.

Due to COVID-19, most of the workforce is working from home (with/without VPN), and managing the endpoints using Cloud Management Gateway (CMG) is immense. Many organizations have already implemented the CMG to manage the windows devices that are connected outside the office network or connected to an office network using VPN.

If you are yet to implement the cloud management gateway service in your organization and need assistance, please check here.

Implementation of CMG involves server authentication certification (PKI or Public) and client authentication (optional).

The server authentication certification is required to build a secure channel with CMG cloud service and the CMG cloud service creates an HTTPS service to which internet-based clients connect.

The server authentication certificate can be either public key infrastructure (PKI) or public providers such as DigiCert or other global providers.

Microsoft strongly recommends public and globally trusted certificate provider but again, it depends on the organization to use PKI or public cert.

For more information about the Cloud Management Gateway choices, please refer Jason post here

In this blog post, we will see how to create a CMG server authentication certificate from DigiCert.

Following are the steps:

Check the DNS name in the Azure portal (cloud classic services)?

First, we will need to identify a DNS name availability in the Azure portal.

Log in to the Azure portal, click on all services, select cloud services (classic)

Click on Add

Choose the DNS name that you want to create and verify it must exist (green tick box). If you get a red color then it is already taken and you must choose another.

If it exists, make a note of it. In my case, exist. Do not create any, just verify if it exists or not.

Create a CNAME record in the public DNS?

Next, we will have to go to the public DNS that you manage and create a CNAME record.

In my case, I have public DNS that is and will create a CNAME record for for the real hostname

In your organization, you may have to reach out to the team that manages the public DNS and provide the following details.

CNAME record for with

Make sure that, is not in use in your public DNS and it must be unique.

Following is the CNAME record in the public DNS. You can leave the default values such as 600.

Request a public certificate from DigiCert for CMG server authentication?

Now we will request a server authentication certification from DigiCert using the common name (CN) of the CNAME alias.

As part of the cert creation, we will use DigiCert Certificate Utility for Windows

we need to download the DigiCert windows utility from

Once the tool is downloaded, launch the diticertutil.exe tool

Click on the SSL and click create CSR

Enter the common name. This will be the CNAME record that we created in our public DNS ( CMG server authentication certificate supports wildcards such as *

Click on Generate

Now you will see a CSR code which you can copy it to a txt file

Click on close

Request your SSL certificate for CMG cloud service:

We will now login to the DigiCert portal and select the certificate category, upload this CSR code, and do the payment.

Login to

After you log in to the DigiCert portal, you will see a request a certificate, and click on it will display the category list.

Once you select the certificate, you will be prompted with certificate details.

Upload the CSR file and choose the validity period. Based on your selection, the cost will be shown in the transaction summary.

In the prove control over your domain, I selected email as it is easy to confirm through email with one click.

There is a list of pre-defined email addresses of your domain. so you order the certificate, you can edit the order and choose the email address that you want to send the confirmation email to prove the control over the domain.

Once you are done with the payment and all, click on Submit certificate request.                                                                                        

Once the order confirmation is done, you will see the order status as pending.

Before DigiCert can issue your certificate, you must prove your control over the domains listed on the certificate.

On the order section, you can customize additional emails, renewal notice, renewal messages for this order, etc.

Once the order is approved, you can log in to the DigiCert portal and download the certificate.

Following is the sample email that I received from DigiCert.

Please note that, when you to go the download section, there are many formats that you can choose.

In my case, I selected the following.

You can also choose separate primary and intermediate .crt files (zipped)

I tried with .cer and .crt, both have the same output for CMG cert (pfx format).

Once the certs are downloaded, extract it, you will see cert with a common name ( ends with .cer

Import SSL certificate:

Now go the computer that you ran the DigiCert tool earlier to generate the CSR, launch the tool and sing-in, click on SSL and click on import

Based on the cert that you downloaded earlier (.cer or .crt), choose the file name contains a common name (in my case it is

Once it is done, the certificate will be visible in the SSL certificate list.

Export the SSL certificate (PFX format):

Click on the certificate that we imported and select export certificate

To protect the certificate, key in a strong password

Finally, you will be prompted to save the .pfx certificate.

We have now successfully created a server authentication certificate that can be used to create a CMG cloud service using a public cert.

To set up a cloud management gateway service, please refer to this guide.

I hope this has been informative for you.

Post Comment