More criteria for client certificate selection
Currently the selection criteria when more than one certificate is available are limited to the options “Client authentication capability”, “Certificate Subject contains string”, “Certificate Subject or SAN includes attribute”. This really limits the usability of the feature.
It would be great if there are additional selection criteria like “Issuer” or “Certificate Template”.
Joel R commented
Also struggling with this issue and engaged Microsoft Support. I agree that being able to specify either the template name, or a unique Application Policy Identifier OID that's specific to SCCM would solve our issues.
We are struggling with this as well. I currently have a ticket open with Microsoft because the selection criteria isn't working. We need better options than just the subject.
Frank Wijten commented
I think it would be nice to use the computer variable to select a certificate (like %computername%.domain.com). This would help me a lot.
In my environment every server automatically has a certificate assigned based on its computer name. So if I can put a variable in the selection criteria 'Certificate Subject contains string', this would solve many problems.
Emmanuel R commented
This proposed feature, specifically selection based on "Certificate Template", would really help in situations where the system has multiple certificates with client authentication installed from the same issuer.
We are encountering that problem on a consistent basis especially on cluster nodes where all those nodes have the same certificate installed, the CM client ends up choosing the wrong certificate on all those nodes, causing those clients to appear as duplicates of each other or only one node showing up in the console.
Selection based on certificate template would solve this problem by naming, for example, the template as ConfigMgr Client Certificate Template and configuring the client to just search for certificates based on that.
FULLY agree with this request. The current selection criteria are really limited, and we have major issues with server certificates that also contain client authentication, and that have generic names in the SAN like Exchange and Lync.
I'd like to add to the request:
selection criteria: Application Policy.
So that we can create our own OID, add that OID to the requested Certificate Template, and thus make sure that only certificates with the "SCCM OID" purpose are selected!
Adam Meltzer (Admin, ConfigMgr Product Team; Software Engineer, Microsoft Endpoint Configuration Manager) commented
While there's no way to select by certificate template today, you can restrict by issuer by selecting one or more root CAs in the administrator console.
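As an added example (not code from this thread or from the ConfigMgr product), the PowerShell below lists every client-authentication certificate in the machine store with the attributes the thread wants to filter on (issuer, template, application policies, SAN), which makes the ambiguity behind the duplicate-client symptom visible, and then applies the proposed template and application-policy criteria. The template name, issuer string and custom OID passed at the bottom are assumed placeholders.

```powershell
# Added example, not from the thread or the ConfigMgr product. Requires PowerShell 5+.
using namespace System.Security.Cryptography.X509Certificates

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$TemplateV2    = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateV1    = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$AppPolicies   = '1.3.6.1.4.1.311.21.10'  # Application Policies extension

# Decode one extension to text (CryptFormatObject output); empty string if absent.
function Get-ExtensionText([X509Certificate2]$Cert, [string]$Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

# Every certificate the client could plausibly pick: private key + Client Authentication EKU.
function Get-ClientAuthCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and $eku -and ($eku.EnhancedKeyUsages.Value -contains $ClientAuthEku)
    }
}

# The criteria the thread proposes: issuer substring, template name, application policy OID.
function Select-ClientCertificate {
    param([string]$IssuerContains, [string]$TemplateName, [string]$ApplicationPolicyOid)
    Get-ClientAuthCertificate | Where-Object {
        $tmpl = (Get-ExtensionText $_ $TemplateV2) + (Get-ExtensionText $_ $TemplateV1)
        (-not $IssuerContains       -or $_.Issuer -like "*$IssuerContains*") -and
        (-not $TemplateName         -or $tmpl -like "*$TemplateName*") -and
        (-not $ApplicationPolicyOid -or (Get-ExtensionText $_ $AppPolicies) -like "*$ApplicationPolicyOid*")
    }
}

# 1. Show all candidates; several rows with the same issuer is the situation described above.
Get-ClientAuthCertificate | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        Template   = Get-ExtensionText $_ $TemplateV2
        AppPolicy  = Get-ExtensionText $_ $AppPolicies
        SAN        = Get-ExtensionText $_ '2.5.29.17'
        Thumbprint = $_.Thumbprint
    }
} | Format-List

# 2. Narrow with the proposed criteria (placeholder template name and placeholder custom OID).
Select-ClientCertificate -TemplateName 'ConfigMgr Client Certificate Template' `
                         -ApplicationPolicyOid '1.3.6.1.4.1.311.99999.1' |
    Select-Object Subject, Issuer, Thumbprint
```

If step 2 returns exactly one certificate per node, the proposed criteria would disambiguate the cluster case; if step 1 shows several certificates whose Subject and SAN values match the existing "contains string" rule, that is the selection the current options cannot resolve.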