SCCM 2012: Part II – Certificate Configuration

In Part I, we covered the configuration of Active Directory and the SCCM Management Point Server as well as the SQL Server. In Part II, we will be covering the Certificate Configuration needed for System Center Configuration Manager 2012. This includes creating templates, Group Policies, and Certificate registration on the Management Point (MP).

As I mentioned in my initial post, I will be using HTTPS communication with certificates. If you are not going to utilize certificates, and will only use HTTP communication you will not need this information and can skip on over to Part III Installation. Everyone else, let’s keep going!

In order to use certificates, you’ll need a commonly trusted Certificate Authority in your domain. In my environment I have opted to setup an Offline Root Certificate Authority, as well as a Subordinate Intermediate CA that will distribute certificates to all of the clients on my domain via a Group Policy Object (GPO) at the root of my AD infrastructure. All of the servers trust the Root CA and the Intermediate CA via GPO.

If you need instructions on setting up your own, I highly recommend this article by Mark Kean. I used it to setup my infrastructure:

http://marckean.wordpress.com/2010/07/28/build-an-offline-root-ca-with-a-subordinate-ca/

Now we’ll talk about the templates we need to create. In a System Center environment, there are three types certificate templates that we will need:

Client Certificate
Web Server Certificate
Site Server Signing Certificate

Client Certificate – This is the certificate that will each server in the domain will register for and receive per GPO. Used to authenticate and exchange information the Management Point (MP). Also used by the MP to monitor the remote server’s status.

Web Server Certificate – This certificate will be installed on any site servers with the Management Point and/or Distribution Point Roles. It is used to encrypt data and authenticate clients. Configure this in IIS.

Site Server Signing Certificate – This is used to sign site policies. Configure this within SCCM.

Now that we know what templates we will need, here is what we’ll need to implement on our CA, clients, and SCCM host.

– Create the three new certificate templates on our issuing Intermediate CA
– Create an Auto-Enroll GPO for the Client Certificate template
– Register for Web Server and Site Server Signing Certificates on the MP

After these steps, we can move on to the Installation of SCCM 2012 with our PKI, templates, GPO’s and clients ready to roll.

Create these three new certificate templates on our issuing Intermediate CA

Client Certificate Template Creation

RDP to your Intermediate CA and launch Certification Authority (Start > Administrative Tools > Certification Authority). Expand out your CA tree and right-click Certificate Templates and click Manage.

Now right-click on Workstation Authentication and click Duplicate Template.

Make sure to use Server 2003, not 2008

In the Properties, name this ConfigMgr Client Certificate. Click on the Security tab, select the Domain Computers group and add the permissions of Read and Autoenroll, do not clear Enroll. Then click OK.


When you refresh your console, you will see that the new template is there.

Web Server Certificate Template

Still in Certification Authority, in the Certificate Templates list we’ll setup the next template.

Right-click on the Web Server template, and click Duplicate. On the General tab, change the Template Display Name to ConfigMgr Web Server Certificate.

Next, click the Subject Name tab, select the Supply in the request radio button.

Next click the Security tab, and add your SCCM server to the permissions list and add the Enroll permission. You should also remove the Enroll permission from Domain and Enterprise Admins. Then click OK.

If you were running a SCCM configuration with multiple sites and servers, it is recommended you create a SCCM Servers Active Directory Security Group. In our case, I am only going to have a single server so it makes sense to just assign the permissions to this single server than to create a group for one server.

Site Server Signing Certificate Template

Now we’ll create the final template, for the Site Server. There are a few extra steps here, so following these exact instructions is paramount.

Right-click on the Workstation Authentication template, click Duplicate. Rename the template ConfigMgr Client Distribution Point Certificate.

On the Request Handling tab select Allow private key to be exported.

On the Security tab add your SCCM server, and give the server Enroll permission. Click Apply, then OK.

Now if you look at the Certificate Templates Console you will see our three new templates.

Now we need to enable the templates for distribution. Close the Certificate Templates Console window and then right-click on the Certificate Templates folder in the certserv console and select New > Certificate to Issue

Select all three of the ConfigMgr templates we created then click OK.

They will then show up in the Certificate Templates listing. Once you verify that, close Certification Authority console.


Create an Auto-Enroll GPO for the Client Certificate template

Now we’ll need to create a Group Policy at the root of our domain so that every client will Autoenroll for the ConfigMgr Client Certificate.

Launch Group Policy Management on your Domain (Start > Administrative Tools > Group Policy Management). Right-click your domain and select “Create a GPO in this domain, and Link it here…” as we are going to create a new GPO and link it at the root. Name your GPO I named my policy “AutoEnroll ConfigMgr Client Cert“, then click OK.

Note – You can add these settings to your default domain policy if you would like, its up to you. I prefer separate policies for applications purely for aesthetic and organizational reasons.

Edit your newly created GPO. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right-click on Certificate Services Client – Auto-Enrollment and then click Properties. Change the Configuration Model: to Enabled, and check the Update certificates that use certificate templates. Then click Apply and OK.

If you recall, we configured the ConfigMgr Client Certificate Template earlier and we set the permissions for Domain Computers to Read, Enroll, and Auto Enroll. Now when you run a “gpupdate /force” or in 15 minutes when GP is re-applied, any machine on the domain communicating with the DC will request and receive a client certificate automatically that will be place in the Local Computer Personal Certificate Store.

 

Register for Web Server and Site Server Signing Certificates on the MP

Now we need to setup the appropriate certificates on our System Center Configuration Manager Management Point. The first thing you will need to do is reboot your SCCM server. This is so that it will pickup the permissions change that will allow it to register for the Web Server Certificate.

Once the reboot completes, RDP to your SCCM server click Start > Run.  Type mmc.exe and click OK.  Click File > Add/Remove Snap-In… Choose Certificates and click Add.  Choose Computer Account, click Next.  Choose Local Computer, click Finish.  Click OK, and then expand the Certificates tree to the Personal > Certificates folder.

You may notice that your SCCM server has Autoenrolled for and received its Client Authentication Certificate we just setup.

Right-click in a blank space and click All Tasks > Request New Certificate… 

You are presented with the Certificate Enrollment wizard.Click Next.

Leave the default here, and click Next.

At the Request Certificates part of the wizardcheck both the ConfigMgr Client Distribution Point Certificate and ConfigMgr Web Server Certificate. You will notice that under the Web cert, a prompt that says, ! More information is required to enroll for this certificate. Click here to configure settings. Click the link and setup your Certificate Properties.

We will be leaving the Subject name section blank, instead we will be configuring an Alternative name, by selecting DNS from the drop down menu, and then typing in the FQDN of our SCCM server, then click Add and then OK.

Then the warning field will disappear from the Request Certificates screen of the Certificate Enrollment wizard so we can press on. Click Enroll and then finish once the enrollment is successful.

Now we need to export the Client Distribution Point Certificate while we are in the Certificates Management console. Right-click the certificate and select All Tasks > Export.

Click Next at the Welcome Screen of the export wizard. Then on the Export Private Key  page change this to YES then click Next.

Next, select Personal Information Exchange – PKCS #12 (.PFX) and then click Next.

Set a password at the next page of the wizard. Make sure you don’t forget what you set, as we’ll need this later. Save the file to your desktop, I saved mine as SCCM DP Cert and finish the wizard. The close the MMC session. No need to save this console unless you want to have a shortcut to managing your Local Computer Certificates. Regardless of your choice here, your actions to this point will not be reverted.

The reason for this export is that we will later be importing this certificate into SCCM and we need to do so in pkcs12 format, with a password protected private key included.

The final piece of the Certificate puzzle is for us to assign the Web Server Certificate to the Default Website in IIS. Launch IIS Manager (Start > Administrative Tools > Internet Information Services (IIS) Manager). Navigate to the Default Website, right-click it and select Edit Bindings. Select the https binding and click Edit. The select the ConfigMgr Web Server Certificate and then click OK. I highly recommend viewing your certificate afterwards, checking the Details tab, to ensure you selected the correct one.

Note the WSUS Administration website is setup as a secondary site here. As a reminder, WSUS should be installed at this point and running on its own website. You will have issues if WSUS is running on your default site at this point. I highly recommend immediate remediation to your installation if this is the case.

Congratulations! Give yourself a pat on the back, you’ve now setup all the necessary components to run System Center Configuration Manager 2012 with secure communications leveraging your home-grown PKI. Setting up the infrastructure and following all of these steps is a difficult task to be sure, but hopefully this guide will make this a little bit easier for you to implement.

The purpose of Part II was to configure PKI settings specific to Configuration Manager 2012 in the most efficient means possible. To view Microsoft’s official TechNet article on PKI for Configuration Manager see this page:

http://technet.microsoft.com/en-us/library/gg682023.aspx

 

  • Pingback: System Center Configuration Manager and Endpoint Protection Manager 2012 | Gabe's Blog()

  • CHRIS

    THIS IS A GREAT WEB SITE….THNAK YOU VERY MUCH
    CHEERS

  • Guest

    So why was the DP cert exported? Is that what is supposed to be placed within the DP properties on the General tab?

  • Kyle

    So why was the DP cert exported? Is that what is supposed to be placed within the DP properties on the General tab??

    • Gabe

      Exactly right Kyle. This is covered in Part 5. If you have any other questions let me know, happy to help.

      Thanks for reading.


      Gabe

  • Ann Lee

    I have multiple DPs setup in my environment. Do I need to export client certificate from each DP? Or do they share the same client certificate?

  • Cliff Embry

    you don’t need a site signing certificate in 2012.

  • Martin Otter

    Nice article! Are wildcard certificates supported for webserver or client DP certificate

  • Tech CF

    Thanks! This helped me renew an expired cert this evening!

  • Suhel

    I will be performing side by side migration from SCCM 2012 to SCCM 1606 ,
    Question – do I need new certificates or can I use the existing certificates for the new SCCM environment.