
Part 4 – Set up a CA server and deploy PKI (Public Key Infrastructure) certificates for SCCM 2012

This part covers deploying a Workstation Authentication certificate to the clients and a Web Server certificate to the site systems that run IIS, configuring IIS to use that Web Server certificate, and then configuring Configuration Manager so that clients communicate over HTTPS.

Please refer to the link below for more details about the PKI requirements in Configuration Manager 2012.

1. Workstation Authentication:

This certificate is used when a client communicates with site systems configured to use HTTPS. After enrollment it appears in the Personal store of the computer certificate store (not the user store).

2. Web Server :

The Web Server certificate authenticates the site system servers to the clients and encrypts all data transferred between the client and those servers using SSL/TLS.


Deploy Workstation Authentication Certificate

Log on to the issuing (subordinate) CA server and open the Certification Authority console (certsrv.msc, or the snap-in in mmc). Right-click Certificate Templates and click Manage to open the Certificate Templates console.


Duplicate the Workstation Authentication Template.


Make sure the following settings are made in the duplicated template.

In the Compatibility tab:

Certification Authority: Windows Server 2003

Certificate recipient: Windows XP / Windows Server 2003


In the General tab, enter the template name Configmgr Client Certificate.


On the Security tab, make sure Domain Computers is allowed Read, Enroll and Autoenroll. Leave the Subject Name tab at its default of building the name from Active Directory information; an autoenroll template that lets the requester supply the subject would allow any domain computer to request a certificate in another machine's name.


The new Configmgr Client Certificate template is displayed in the Certificate Templates console, and next we need to enable it on the Certification Authority so it can be issued.


Right-click Certificate Templates -> New -> Certificate Template to Issue.

Select the Configmgr Client Certificate template and click OK.


The Configmgr Client Certificate template is now enabled, and next we need to deploy it to all domain computers via GPO for auto-enrollment.


Open the Group Policy Management console, right-click the domain (or the OU that contains the computers to be managed) and create a GPO named SCCM Certificates GPO policy.


Right-click the new GPO and click Edit.


Expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.


Double-click Certificate Services Client - Auto-Enrollment. Set Configuration Model to Enabled, select the check boxes Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates, and then click OK.


The GPO applies to all domain computers in its scope. Run gpupdate /force on a domain computer (or wait for the next policy refresh; a reboot is not required), then open the computer certificate store using mmc: the Configmgr Client Certificate is now listed under Personal -> Certificates.


Below is a short summary of what we have done so far to deploy the client authentication certificate.

  • On the subordinate CA server, created a duplicate of the Workstation Authentication template, named it Configmgr Client Certificate, and gave Domain Computers the Autoenroll permission on the Security tab.
  • Enabled the Configmgr Client Certificate template on the Certification Authority.
  • Configured a GPO to deploy certificates to all domain computers.
  • Since Domain Computers has Autoenroll on the Configmgr Client Certificate template, each computer requests and receives a certificate from the subordinate CA.
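The following PowerShell is an added example (not part of the original post) for checking the result of the steps above on a domain computer: it confirms that the auto-enrollment policy from the GPO applied, triggers enrollment immediately, finds the machine certificate issued from the Configmgr Client Certificate template, and builds its chain to the root CA. The template name is taken from the post; the AEPolicy registry value, the placeholder names and the assumption that the CA chain is already trusted on the machine are mine and should be verified in your own domain.

```powershell
# Added example: verify client certificate auto-enrollment on a domain computer.
# Assumptions (not from the post): AEPolicy = 7 is what the GPO editor writes when both
# check boxes are ticked; the subordinate CA's chain is already published to the machine's
# Root/CA stores (by GPO or by the CA install), so the chain check can succeed.

$templateName  = 'Configmgr Client Certificate'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$templateOids  = @('1.3.6.1.4.1.311.20.2',  # Certificate Template Name (v1 templates)
                   '1.3.6.1.4.1.311.21.7')  # Certificate Template Information (v2+ templates)

# 1. Did the auto-enrollment GPO land on this machine?
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning "No AutoEnrollment policy found; run 'gpupdate /force' and check the GPO link and scope."
} else {
    "AEPolicy = 0x{0:X} (7 = enabled + renew/update + update templates)" -f $aePolicy
}

# 2. Trigger auto-enrollment now instead of waiting for the next policy refresh.
certutil.exe -pulse | Out-Null

# 3. Machine certificates issued from the ConfigMgr template that carry the Client
#    Authentication EKU and have a private key (what the ConfigMgr client will look for).
function Get-ConfigMgrClientCert {
    param([string]$TemplateName = $templateName)
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object {
                    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        # Format() renders "Template=<name>(<oid>)..."; the name resolves only on a domain-joined machine.
        $templateText = ($cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }) -join ' '
        $cert.HasPrivateKey -and ($ekuOids -contains $clientAuthOid) -and ($templateText -like "*$TemplateName*")
    }
}

# 4. Build the chain with online revocation checking, the same check the ConfigMgr
#    client performs unless CRL checking is disabled at the site.
function Test-ConfigMgrClientCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok   = $chain.Build($Certificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    New-Object PSObject -Property @{
        Subject  = $Certificate.Subject
        Issuer   = $Certificate.Issuer
        NotAfter = $Certificate.NotAfter
        ChainOk  = $ok
        Root     = $root
        Status   = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

$certs = @(Get-ConfigMgrClientCert)
if ($certs.Count -eq 0) {
    Write-Warning "No '$templateName' certificate with a private key found in LocalMachine\My."
}
$certs | ForEach-Object { Test-ConfigMgrClientCertChain -Certificate $_ } | Format-List
```

If ChainOk is false with a status such as "A certificate chain processed, but terminated in a root certificate which is not trusted", the root CA certificate has not reached this computer's Trusted Root Certification Authorities store; a revocation status means the client cannot reach the CRL distribution point published in the certificate, which will also break ConfigMgr client communication once HTTPS is enforced.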


Deploy Web server Certificate

Log on to the subordinate CA server and open the Certification Authority console.

Right-click Certificate Templates -> Manage to open the Certificate Templates console.

Select the Web Server template, right-click it and choose Duplicate Template.


On the General tab, change the template name to ConfigMgr Web Server Certificate.


On the Compatibility tab, make sure Windows Server 2003 and Windows XP / Server 2003 are selected.

On the Security tab:

Remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

Click Add, click Object Types and tick Computers, enter the computer account of the ConfigMgr site system server, allow the Enroll permission and then click OK. Only the site systems that run IIS (management point, distribution point, and so on) need this permission.

The ConfigMgr Web Server Certificate template is created, and next we need to enable it.


Right-click Certificate Templates -> New -> Certificate Template to Issue, choose ConfigMgr Web Server Certificate and click OK.


The ConfigMgr Web Server Certificate template is now enabled on the subordinate CA server.


On the ConfigMgr server, open the computer certificate store (mmc -> Add or Remove Snap-in -> Certificates -> Computer account), then right-click Personal -> All Tasks -> Request New Certificate.


Select ConfigMgr Web Server Certificate from the list and click the "More information is required to enroll for this certificate" link to configure its settings.

On the Subject tab, under Alternative name choose DNS, enter the server's FQDN (the name clients use to reach it, for example the intranet FQDN) and click Add; under Subject name, add the same FQDN as the Common name. If the site system is reached under more than one name, add each one as a DNS alternative name, because clients reject the certificate when the name they connect to is not in it.


Configuration is complete; click Enroll.

The ConfigMgr Web Server Certificate is now enrolled on the ConfigMgr server that runs IIS.


Now open the computer certificate store (mmc -> Add or Remove Snap-in -> Certificates) on the ConfigMgr server and expand Personal -> Certificates to verify that the Web Server certificate is present and has a private key.


Open the IIS console and expand Sites. Right-click Default Web Site and select Edit Bindings.


Select the https entry and click Edit; if there is no https binding yet, click Add and choose type https on port 443. Select the ConfigMgr Web Server certificate under SSL certificate and click OK.

Short summary of deploying the Web Server certificate:

  • On the subordinate CA server, created a duplicate of the Web Server template, named it ConfigMgr Web Server Certificate, removed the Enroll permission from Domain Admins and Enterprise Admins, and added the Enroll permission for the ConfigMgr server's computer account.
  • Enabled the ConfigMgr Web Server Certificate template on the Certification Authority.
  • Enrolled the ConfigMgr Web Server Certificate on the ConfigMgr server.
  • Configured IIS to use the ConfigMgr Web Server Certificate for HTTPS communication.
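As an added example (not from the original post), the PowerShell below checks the outcome of the Web Server steps from both sides: on the site system it reads which certificate the HTTPS binding of the Default Web Site uses and confirms it has the Server Authentication EKU, a private key and a SAN that covers the server's FQDN; from a domain computer it performs a TLS handshake against port 443 and reports whether the presented certificate chains to a trusted root and matches the name. The FQDN is a placeholder and the IIS WebAdministration module is assumed to be present on the site system; neither comes from the post.

```powershell
# Added example: verify the IIS HTTPS binding and the TLS handshake of a ConfigMgr site system.
# Assumptions (not from the post): $fqdn is the name clients use for the site system;
# the WebAdministration module is available where Get-IisHttpsBindingCert runs.

function Get-IisHttpsBindingCert {
    param([string]$SiteName = 'Default Web Site')
    Import-Module WebAdministration
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
               Where-Object { $_.bindingInformation -like '*:443:*' } | Select-Object -First 1
    if (-not $binding) { throw "No HTTPS binding on port 443 for '$SiteName'; add one first." }
    if (-not $binding.certificateHash) { throw "HTTPS binding exists but no certificate is selected." }
    Get-Item -Path ("Cert:\LocalMachine\{0}\{1}" -f $binding.certificateStoreName, $binding.certificateHash)
}

function Test-WebServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$Fqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $eku = $Certificate.Extensions | Where-Object {
               $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    # 2.5.29.17 is Subject Alternative Name; Format() renders e.g. "DNS Name=cm01.corp.example.com".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }
    New-Object PSObject -Property @{
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        SanCoversFqdn = ($sanText -match ('DNS Name=' + [regex]::Escape($Fqdn)))
        SAN           = $sanText
        NotAfter      = $Certificate.NotAfter
    }
}

function Test-SiteSystemTls {
    param([string]$Fqdn, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # The callback records the validation result but returns $true so the handshake
        # completes and the remote certificate can be inspected.
        $script:tlsErrors = $null
        $callback = { param($sender, $cert, $chain, $errors) $script:tlsErrors = $errors; $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Subject      = $remote.Subject
            Issuer       = $remote.Issuer
            Thumbprint   = $remote.Thumbprint
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $script:tlsErrors    # None = chain trusted and name matched
        }
    } finally {
        $client.Close()
    }
}

$fqdn = 'cm01.corp.example.com'   # placeholder: the site system FQDN that clients connect to

# On the site system:
$bound = Get-IisHttpsBindingCert
Test-WebServerCert -Certificate $bound -Fqdn $fqdn | Format-List

# From any domain computer (compare Thumbprint with the value above):
Test-SiteSystemTls -Fqdn $fqdn | Format-List
```

PolicyErrors of RemoteCertificateChainErrors means the root CA is not yet in the client's Trusted Root Certification Authorities store; RemoteCertificateNameMismatch means the FQDN the client uses is not in the certificate's SAN and the enrollment needs to be repeated with the right alternative name.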


In the Configuration Manager console, go to Administration -> Site Configuration -> Sites, right-click the site and choose Properties. On the Client Computer Communication tab, choose HTTPS only (or HTTPS or HTTP while clients are still being migrated), and under Trusted Root Certification Authorities click Set and import the root CA .crt that was exported earlier.


Next, install the SCCM client agent on the computers. A client that finds a usable client authentication certificate in its computer Personal store uses it to communicate with the site systems over HTTPS (the ccmsetup /UsePKICert property forces this and prevents falling back to a self-signed certificate). The port used for communication is 443, the HTTPS port bound in IIS above.

After the installation, you can verify that the client certificate shows as PKI on the General tab of the Configuration Manager client properties on the client.

