Part 4 – Set up a CA server and deploy PKI (Public Key Infrastructure) certificates for SCCM 2012
We are going to deploy the following certificates: a Workstation Authentication certificate for clients and a Web Server certificate for site systems that run IIS. We will then configure Configuration Manager so that client communication uses HTTPS, and configure IIS to use the Web Server certificate.
Please refer to the link below for more details about the PKI requirements in Configuration Manager 2012.
https://technet.microsoft.com/en-us/library/gg699362.aspx
1. Workstation Authentication:
This certificate is used when a client communicates with site system servers that are configured to use HTTPS. The certificate is stored in the Personal store of the computer certificate store.
2. Web Server:
The Web Server certificate is used to authenticate site system servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).
Deploy Workstation Authentication Certificate
Log in to the subordinate (issuing) CA server and open the Certificate Authority console using mmc. Right-click Certificate Templates and click Manage to open the Certificate Templates console.
Duplicate the Workstation Authentication template.
Make sure the following settings are configured in the certificate template.
In the Compatibility tab,
Certificate Authority: Windows Server 2003
Certificate recipient: Windows XP / Windows Server 2003
In the General tab, enter the template name as Configmgr Client Certificate.
In the Security tab, make sure Read, Enroll and Autoenroll are selected for Domain Computers.
The modified Configmgr Client Certificate template is now displayed in the Certificate Templates console; next we need to enable it on the Certificate Authority.
Right-click Certificate Templates -> New -> Certificate Template to Issue.
Select the Configmgr Client Certificate template to enable it and click OK.
The Configmgr Client Certificate template is now enabled. Next we need to deploy it via GPO to all domain computers for auto-enrollment.
Open the Group Policy Management console using mmc, right-click and create a GPO named SCCM Certificates GPO policy.
Right-click the GPO and click Edit.
Expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.
In the Enrollment Policy Configuration page, set Configuration Model to Enabled, select the check boxes Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates, and then click OK.
The GPO will be applied to all domain computers. Reboot the computers and open the local certificate store using mmc on a domain computer: you can now see that the GPO has been applied and a Client Authentication certificate is listed under Personal -> Certificates.
Below is a short summary of what we have done so far to deploy the client authentication certificate.
- On the subordinate CA server, created a duplicate of the Workstation Authentication template, named it Configmgr Client Certificate and gave Autoenroll permission to Domain Computers in the Security tab.
- Enabled the Configmgr Client Certificate template in the Certificate Authority
- Configured a GPO to deploy certificates to all domain computers
- Since Autoenroll is enabled and Domain Computers have been added to the Configmgr Client Certificate template, each computer will fetch a certificate from the subordinate CA server
Deploy Web server Certificate
Log in to the subordinate CA server and open the Certificate Authority console.
Right-click Certificate Templates -> Manage to open the Certificate Templates console.
Select the Web Server template, right-click it and choose Duplicate Template.
On the General tab, change the name to ConfigMgr Web Server Certificate.
On the Compatibility tab, make sure Windows Server 2003 and Windows XP / Server 2003 are selected.
On the Security tab, remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
Click Add, enter the name of the ConfigMgr server in the text box, select the Enroll permission and then click OK.
The ConfigMgr Web Server Certificate template is created and we need to enable it.
Right-click Certificate Templates -> New -> Certificate Template to Issue, choose the ConfigMgr Web Server Certificate template and click OK.
The ConfigMgr Web Server Certificate template is now enabled on the subordinate CA server.
On the ConfigMgr server, open the local certificate store and right-click Personal -> All Tasks -> Request New Certificate.
Select the ConfigMgr Web Server Certificate from the list and click the link to configure settings.
In the Subject tab, enter the ConfigMgr server name and click Add under Alternative name.
The configuration is complete; click Enroll.
ConfigMgr Web Server Certificate enrollment is completed on the ConfigMgr server that runs IIS.
Now open the local certificate store (mmc -> Add or Remove Snap-in -> Certificates) on the ConfigMgr server and expand Personal -> Certificates to verify the Web Server certificate.
Open the IIS console and expand Sites. Right-click Default Web Site and select Edit Bindings.
Select the https entry and click Edit. Select the Web Server certificate under SSL certificate and click OK.
Short summary of deploying the Web Server certificate:
- On the subordinate CA server, created a duplicate of the Web Server template, named it ConfigMgr Web Server Certificate, removed the Enroll permission from Domain Admins and Enterprise Admins and added the Enroll permission for the ConfigMgr server.
- Enabled the ConfigMgr Web Server Certificate template in the Certificate Authority
- Enrolled the ConfigMgr Web Server Certificate on the ConfigMgr server
- Configured IIS to use the ConfigMgr Web Server Certificate for https communication
In the Configuration Manager console, go to Administration –> Sites, right-click the site and choose Properties, go to Client Computer Communication, choose HTTPS and import the Root CA .crt (that was created earlier) under Trusted Root Certification Authorities.
Next, install the SCCM client agent on the computers; it will use the client authentication certificate in the local Personal store to communicate with the site server. Port 443 is used for this communication.
After the installation, you can verify that PKI certificate is enabled (under the General tab) in the Configuration Manager agent properties on the client.
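To check the result of both procedures above (the auto-enrolled client certificate on a domain computer, and the web server certificate plus its IIS binding on the site server), here is an added PowerShell verification script that is not part of the original post. It assumes the template names used above, that the site uses Default Web Site on port 443, and that it runs in an elevated session on the machine being checked.

```powershell
# Added example (not from the original post). Assumes the template names used
# above, Default Web Site on https:443, and an elevated session on the machine checked.

# The issuing template is recorded in the v2 "Certificate Template Information"
# extension (OID 1.3.6.1.4.1.311.21.7), formatted as "Template=<name>(<oid>), ...",
# or for v1 templates in the "Certificate Template Name" extension (OID 1.3.6.1.4.1.311.20.2).
function Get-CertTemplateName($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
           Select-Object -First 1
    if (-not $ext) { return $null }
    $text = $ext.Format($false)
    if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() } else { return $text.Trim() }
}

# Returns the EKU OIDs of a certificate (nothing if it has no EKU extension).
function Get-CertEku($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

# Finds a usable certificate from the given template in the computer's Personal store:
# private key present, not expired, chain verifies, and the required EKU is present.
function Find-TemplateCert([string]$TemplateName, [string]$RequiredEku) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        (Get-CertTemplateName $_) -eq $TemplateName -and
        (Get-CertEku $_) -contains $RequiredEku -and
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Verify()
    } | Select-Object -First 1
}

# Run on a domain computer: did GPO auto-enrollment deliver the client certificate?
function Test-ConfigMgrClientCert {
    $cert = Find-TemplateCert 'Configmgr Client Certificate' '1.3.6.1.5.5.7.3.2'   # Client Authentication
    [pscustomobject]@{ Found = [bool]$cert; Thumbprint = $cert.Thumbprint; Expires = $cert.NotAfter }
}

# Run on the site server: is the web server certificate present, does its SAN carry the
# FQDN clients connect to, and is it the certificate bound to https:443 in IIS?
function Test-ConfigMgrWebServerCert {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cert = Find-TemplateCert 'ConfigMgr Web Server Certificate' '1.3.6.1.5.5.7.3.1'   # Server Authentication
    if (-not $cert) { return [pscustomobject]@{ Found = $false } }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanOk = $sanExt -and ($sanExt.Format($false) -match [regex]::Escape($fqdn))
    Import-Module WebAdministration
    $binding = Get-WebBinding -Name 'Default Web Site' -Protocol https |
               Where-Object { $_.bindingInformation -like '*:443:*' }
    [pscustomobject]@{
        Found = $true; Thumbprint = $cert.Thumbprint; SanContainsFqdn = [bool]$sanOk
        IisBindingUsesCert = [bool]($binding -and $binding.certificateHash -eq $cert.Thumbprint)
    }
}
```

Run Test-ConfigMgrClientCert on a client and Test-ConfigMgrWebServerCert on the site server; a $false in any field points at the step above that needs revisiting (template permissions, GPO scope, SAN entry, or the IIS binding).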