Automating ConfigMgr Distribution Point Client Authentication Certificate Rotation

So, you’ve got your ConfigMgr site using HTTPS-only now (check out Migrating ConfigMgr to HTTPS-Only if you don’t!). All of your site system servers that run IIS are (hopefully) using certificate auto-enrollment and auto-renewal policies to update their server authentication certificates, so you never need to touch them again. But what about that one weird client authentication certificate you configure under distribution point properties? The one you need to save to a PFX and import back in?

PowerShell to the rescue! Here’s a short script that can be used to request a new certificate, using a subject name generated based on the current date and time, with a throwaway password that isn’t saved anywhere (nor is the certificate itself). Then, it loops through all of your distribution points and updates the client authentication certificate in use.

Source: https://github.com/ajf8729/Toolbox/blob/main/ConfigMgr/Update-DPClientCertificate.ps1

Let’s walk through the code…

The script requires two parameters: CAName, which is the FQDN of your issuing certificate authority, and TemplateName, which is the name of certificate template configured for use (not the display name, which may have spaces, the actual name, with all spaces removed).

Lines 10-12 import the ConfigurationManager module, find the site code, and change to the site PSDrive.

Lines 15-20 generate a subject name for you certificate request, based on the current date and time. The name really doesn’t matter, this just help ensures uniqueness. Then it exports it as a PFX (with the private key) using a super secure randomly generated password of a GUID. I’m sure this could be done better, but this was good enough for temporary use.

Lines 23-26 gets a list of all distribution points in your CM site, loops through them, and configures the new certificate for use.

Lines 29-30 deletes the certificate from the personal store, as well as the exported PFX, as they are no longer needed.

Ideally, this script would be configured to run as a scheduled task on a server such as your primary site server, using a group-managed service account (gMSA). This gMSA should be granted enroll permissions to the certificate template, and the required permissions within ConfigMgr to update distribution point configuration (Infrastructure Administrator would most likely work, but is overkill. A custom security role should be created).

Since the certificate template now needs to be configured to allow a free-form subject name field, and we no longer want to require CA manager approval, the template should be locked down permissions-wise. Ideally, the only account that can enroll it is the gMSA configured to run the scheduled task (along with the default DA permissions).

Schedule this to run every six months, or whatever your desired rotation time is, and configure your template to issue certificates for that length of time plus one week, and you’re off and running!