© Patch My PC 2011 - 2025


Certificate Requirements

Applies to: Advanced and Patch Insights

Advanced Insights needs a valid SSL certificate to install and function (the installer verifies that the certificate is valid).

Supported Certificate types:

  • Server host (FQDN) standard certificate.

  • Wildcard certificate.

  • Custom CNAME / Alias certificate.

  • Self-signed certificate.

The certificate must meet the following minimum requirements:

  • Supports HTTPS / SSL.

  • Has a private key.

  • Is in date (not expired).

  • Enhanced key usage includes "Server Authentication".

  • Only modern signature types are supported (e.g. SHA256). Legacy / weak signature algorithms, for example 'SHA1', 'MD2', 'MD4' and 'MD5', are not supported.

  • Subject Alternative Name (SAN). The certificate SAN requirements depend on the chosen deployment configuration for the Advanced Insights URL.

    • Scenario 1 - Server Host name certificate.

      • For Advanced Insights URL deployment using server host name (e.g. https://server01.contoso.local) the certificate SAN must contain an entry which matches the FQDN of the host server where Advanced Insights is installed.

    • Scenario 2 - Wildcard certificate.

      • For Advanced Insights URL deployment using a wildcard certificate, the certificate SAN must contain an entry that represents the wildcard, e.g. '*.contoso.local'.

    • Scenario 3 - CNAME / Alias certificate.

      • For Advanced Insights URL deployment using a CNAME / Alias (e.g. https://AdvancedInsights.contoso.local), the certificate SAN must contain an entry which represents the CNAME / Alias, e.g. 'AdvancedInsights.contoso.local'.

When using a CNAME / Alias or Wildcard certificate for a custom Advanced Insights deployment URL, ensure that DNS has been updated to include an entry which represents the chosen CNAME / Alias.

Example:

Certificate SAN values can also be verified within the certificate properties.

Examples:

On the Windows Server OS which will host Advanced Insights, the following PowerShell script can be executed to list supported certificates.

# Advanced Insights valid certificate check.
Param()

# Certificates to skip, matched on friendly name
$CertsToExclude = @("ConfigMgr SQL Server Identification Certificate","WMSVC-SHA2")

# Get the FQDN of the machine (not used by the filter below; compare it with the SAN values in the output)
$machineFQDN = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Certificate filtering

# Signature algorithms to exclude. SignatureAlgorithm.FriendlyName is reported as e.g.
# 'sha1RSA' or 'md5RSA', so match on the hash name prefix (-match is case-insensitive).
$WeakHashPattern = '^(SHA1|MD2|MD4|MD5)'

# A certificate is kept when it has: a non-weak signature algorithm, the Server Authentication
# EKU (1.3.6.1.5.5.7.3.1), an expiry date in the future, a private key, a friendly name that is
# not excluded, a SAN extension (2.5.29.17) with at least one value, and passes the SSL policy test.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        ($_.SignatureAlgorithm.FriendlyName -notmatch $WeakHashPattern) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.1" }) -and
        ($_.NotAfter -gt (Get-Date)) -and
        ($_.HasPrivateKey -eq $true) -and
        ($_.FriendlyName -notin $CertsToExclude) -and
        (
            ($sanExtension = $_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }) -and
            ($sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() })
        ) -and
        (Test-Certificate -Cert $_ -Policy SSL)
    } -ErrorAction SilentlyContinue

Write-Host "############### The following certificates are suitable for Advanced Insights: ###############"`n
foreach ($cert in $certs) {

    # A certificate whose issuer equals its subject is self-signed
    $SelfSigned = $false
    if ($cert.Issuer -eq $cert.Subject) {
        $SelfSigned = $true
    }

    $sanExtension = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }

    $sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() }

    Write-Host "Certificate Friendly Name: $($cert.FriendlyName)
Certificate Thumbprint: $($cert.Thumbprint)
Enhanced Key Usage: $($cert.EnhancedKeyUsageList)
Certificate validity: $($cert.NotAfter)
Private Key present: $($cert.HasPrivateKey)
Subject Alternative Name (SAN): $($sanNames)
Signature Algorithm: $($cert.SignatureAlgorithm.FriendlyName)
Self signed Certificate: $($SelfSigned)" `n
}

# List certificates not captured in $certs
$allCerts = Get-ChildItem -Path Cert:\LocalMachine\My
$uncapturedCerts = $allCerts | Where-Object { $_ -notin $certs }

# Output the uncaptured certificates and their unmatched properties
if ($uncapturedCerts.Count -gt 0) {
    Write-Host "############### The following certificate properties are checked: ###############`n
    1. Enhanced Key Usage
    2. Certificate validity
    3. Private Key present
    4. Certificate in exclude list
    5. Subject Alternative Name (SAN)
    6. 'Test-Certificate -Policy SSL' cmdlet is used to check certificate is valid for SSL and root cert can be validated
    7. Signature Algorithm = sha256RSA (Minimum)" `n

    Write-Host "############### The following certificates have one or more property values which are not suitable for Advanced Insights: ###############"`n -ForegroundColor Yellow
    foreach ($cert in $uncapturedCerts) {
        Write-Host "Certificate Friendly Name: $($cert.FriendlyName)
        Certificate Thumbprint: $($cert.Thumbprint)"

        Write-Host "Unsuitable Certificate Properties:"

        # Check Enhanced Key Usage for Server Authentication
        $SANObjID = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
        if (!$SANObjID) {
            Write-Host "1. Enhanced Key Usage (requires 'Server Authentication') value found: $($cert.EnhancedKeyUsageList)"
        }
        if ($cert.NotAfter -le (Get-Date)) {
            Write-Host "2. A valid, in date certificate is required: Expiration Date found: $($cert.NotAfter)"
        }
        if ($cert.HasPrivateKey -ne $true) {
            Write-Host "3. Private Key present?: Not Found"
        }
        if ($cert.FriendlyName -in $CertsToExclude) {
            Write-Host "4. Certificate in exclude list: Friendly Name: $($cert.FriendlyName)"
        }

        # Check SAN extension
        $sanExtension = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if (!$sanExtension) {
            Write-Host "5. Subject Alternative Name (SAN) requires at least one entry that matches the server FQDN or is a wildcard which matches the server domain name, e.g. '*.internaldomain.local'. SAN value(s): Not Found"
        } else {
            $sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() }
            if ([string]::IsNullOrEmpty($sanNames)) {
                Write-Host "5. Subject Alternative Name (SAN) requires at least one entry that matches the server FQDN or is a wildcard which matches the server domain name, e.g. '*.internaldomain.local'. SAN value(s): $($sanNames -join ', ')"
            }
        }

        if (!(Test-Certificate -Cert $cert -Policy SSL)) {
            Write-Host "6. Test-Certificate SSL Policy: Failed"
        }
        if ($cert.SignatureAlgorithm.FriendlyName -match $WeakHashPattern) {
            Write-Host "7. Certificate signature algorithm requires a minimum of SHA256 RSA. Legacy / weak algorithms e.g. 'SHA1', 'MD2', 'MD4', 'MD5' are not supported. Signature Algorithm found: $($cert.SignatureAlgorithm.FriendlyName)"`n
        }
        Write-Host
    }
    Write-Host "############### Certificate Check End ###############"
} else {
    Write-Host "No uncaptured certificates found."
}

Example PowerShell outputs:

Self-signed certificate use.

When deploying Advanced Insights using a self-signed certificate, the installer will automatically create the certificate using the server host name value to create the Advanced Insights URL.

Example:

https://server01.contoso.local
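
The three SAN scenarios earlier on this page come down to one check: the host name in the planned Advanced Insights URL must appear in the certificate SAN, either exactly or under a wildcard entry. The PowerShell below is an added example, not part of the Patch My PC script (which confirms that a SAN exists but does not compare it with the host name); the function names `Get-SanDnsName` and `Test-SanCoversHost` and the sample host names are illustrative assumptions. It goes slightly beyond the page by applying the standard TLS rule that a wildcard covers exactly one left-most label.

```powershell
# Added example (not Patch My PC code). Function names and sample hosts are illustrative.

function Get-SanDnsName {
    # Returns the values of a certificate's SAN entries (OID 2.5.29.17), parsed the
    # same way as the script above: "DNS Name=host" -> "host".
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    $ext.Format($false) -split ', ' |
        Where-Object { $_ -match '=' } |
        ForEach-Object { $_.Split('=', 2)[1].Trim() }
}

function Test-SanCoversHost {
    # True when $HostName equals a SAN entry or is covered by a wildcard entry.
    # A wildcard such as '*.contoso.local' covers exactly one left-most label.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string[]]$SanNames = @()
    )
    $target = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($san in $SanNames) {
        $entry = $san.Trim().TrimEnd('.').ToLowerInvariant()
        if ($entry -eq $target) { return $true }
        if ($entry.StartsWith('*.')) {
            $suffix = $entry.Substring(1)              # e.g. '.contoso.local'
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed samples: one per scenario on this page, plus two failure cases.
$samples = @(
    @{ HostName = 'server01.contoso.local';         San = @('server01.contoso.local') }         # Scenario 1
    @{ HostName = 'AdvancedInsights.contoso.local'; San = @('*.contoso.local') }                # Scenario 2
    @{ HostName = 'AdvancedInsights.contoso.local'; San = @('advancedinsights.contoso.local') } # Scenario 3
    @{ HostName = 'AdvancedInsights.contoso.local'; San = @('server01.contoso.local') }         # alias missing from SAN
    @{ HostName = 'ai.emea.contoso.local';          San = @('*.contoso.local') }                # wildcard spans one label only
)
$samples | ForEach-Object {
    [pscustomobject]@{
        HostName = $_.HostName
        SAN      = $_.San -join ', '
        Covered  = Test-SanCoversHost -HostName $_.HostName -SanNames $_.San
    }
} | Format-Table -AutoSize

# On the Advanced Insights server: check each certificate against the host name the
# URL will use (server FQDN here; substitute the CNAME / alias if you use one).
$urlHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $names = @(Get-SanDnsName -Certificate $_)
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        SAN        = $names -join ', '
        CoversHost = Test-SanCoversHost -HostName $urlHost -SanNames $names
    }
} | Format-Table -AutoSize
```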


Last updated 5 months ago


We don't recommend using a self-signed certificate long-term in production as it won't be trusted by other client browsers by default. You can replace a self-signed certificate or modify the certificate in use using the Add/Remove Programs "Change" option as detailed here.

Screenshot captions (images not included):

  • Server Host Certificate - Subject Alternative Name (SAN) properties.

  • CNAME - Alias Certificate - Subject Alternative Name (SAN) properties.

  • Wildcard Host Certificate - Subject Alternative Name (SAN) properties.

  • Valid Certificates

  • Unsupported Certificates