
Step-By-Step Example Deployment of the PKI Certificates

Required for Configuration Manager Native Mode

[Topics referencing Configuration Manager 2007 R2 are pre-release documentation and are
subject to change in future releases.]

This step-by-step example contains procedures that guide you through the process of
creating and deploying the public key infrastructure (PKI) certificates that Configuration Manager
2007 requires to operate in native mode. Native mode offers the highest level of security for a
Configuration Manager 2007 site, and it is a requirement for Internet-based client management.
For more information about native mode in Configuration Manager, see Benefits of Using Native
Mode.

The procedures in this example refer to a Microsoft PKI solution, using an enterprise certification
authority (CA) and certificate templates. The steps are appropriate for a test network only, as a
proof of concept.

Because there is no single method of deployment for the required certificates, you will need to
consult your particular PKI deployment documentation for the necessary procedures and best
practices to deploy the required certificates for a production environment. For more information
about the possible deployment methods, see Deploying the PKI Certificates Required for Native
Mode.

Note

The use of a Microsoft PKI solution is recommended to support Configuration Manager 2007,
but it is not required. Configuration Manager 2007 uses standard PKI certificates, supporting
version 3 of the X.509 certificate format. If your existing PKI deployment can create, deploy, and
manage the certificates that Configuration Manager 2007 requires for native mode, you can
use your existing PKI infrastructure. Consult your PKI documentation for deployment details.
In This Section
This example contains the following sections, which cover creating and deploying the basic
certificates that are required for a Configuration Manager 2007 site to operate in native mode:

Test Network Requirements

Overview

Installing and Deploying the Site Server Signing Certificate

Installing and Deploying the Web Server Certificate

Installing and Deploying the Client Certificate


Test Network Requirements
The example has the following requirements:

• The test network is running Active Directory Domain Services with Microsoft Windows
Server 2003, and it is installed as a single domain, single forest.
• You have a domain controller running Windows Server 2003 Enterprise Edition, Service
Pack 1, which has the following items installed on it:
• Group Policy Management Console

• Internet Information Services (IIS)

• Certificate Services installed as an enterprise root certification authority (CA)

Note

Ensure IIS is installed before installing Certificate Services so that Web enrollment is
configured.
• You have one computer that has Windows Server 2003 (Standard Edition or Enterprise
Edition) Service Pack 1 installed on it and designated as a member server, and you
have Internet Information Services (IIS) installed on it.
• You have one Windows XP Professional client with the latest service pack installed, and
this computer is configured with a computer name that comprises ASCII characters.
• You can log in with a root domain administrator account or an enterprise domain
administrator account and use this account for all procedures in this example
deployment.

Note

The Group Policy Management Console (GPMC) is the recommended add-on for managing
Group Policy in Active Directory Domain Services. For more information on GPMC and to
download the latest version, see the Web page "Enterprise Management with the Group Policy
Management Console" (http://go.microsoft.com/fwlink/?LinkId=79386).
Overview
PKI certificates must be installed prior to installing Configuration Manager 2007 in native mode.
This example does not include installing and configuring Configuration Manager 2007, but it
provides the steps to provision computers with the certificates they require to operate in
Configuration Manager 2007 native mode.

The following table lists the three types of PKI certificates that are required and describes how
they are used in a native mode Configuration Manager 2007 site:

Certificate Requirement: Site server signing certificate
Certificate Description: This certificate is installed on the server that will be the Configuration
Manager 2007 site server. It is used to sign client policies.

Certificate Requirement: Web server certificate
Certificate Description: This certificate is installed on servers that will be Configuration
Manager 2007 site systems, with roles such as the management point and distribution point. It is
used to encrypt data and authenticate the server to clients.

Certificate Requirement: Client certificate
Certificate Description: This certificate is installed on computers that will be Configuration
Manager 2007 clients, and on the management point. It is used to authenticate the client to site
systems, and on the management point it is used to monitor the server's health.

For more information about the certificates, see Certificate Requirements for Native Mode.

Follow the steps in this example to achieve the following goals:

• Provision the member server with a Configuration Manager 2007 site server signing
certificate so that it can operate as a Configuration Manager 2007 site server in native
mode.
• Provision the member server with a Web server certificate so that it can operate as a
Configuration Manager 2007 site system server in native mode that can run any of these
Configuration Manager site system roles: management point, distribution point, software
update point, and state migration point.
• Provision a workstation and the member server with a client certificate so that the
workstation can operate as a Configuration Manager 2007 native mode client, and so that
the management point can report its status to the site server.

Installing and Deploying the Site Server Signing Certificate


This step has four procedures:

• Creating and Issuing the Site Server Signing Certificate Template on the Certification
Authority
• Requesting the Site Server Signing Certificate for the Server That Will Run the
Configuration Manager 2007 Site Server
• Approving the Site Server Signing Certificate on the Certification Authority

• Installing the Site Server Signing Certificate on the Server That Will Run the
Configuration Manager 2007 Site Server

Creating and Issuing the Site Server Signing Certificate Template on the Certification
Authority
To create and issue the site server signing certificate template
1. On the domain controller running the Windows Server 2003 console, click Start,
Programs, Administrative Tools, Certification Authority.
2. Expand the name of your certification authority (CA), and then click Certificate
Templates.

3. Right-click Certificate Templates, and click Manage to load the Certificates Templates
management console.

4. In the results pane, right-click the entry that displays Computer in the Template Display
Name column and then click Duplicate Template.

5. In the Properties of New Template dialog box, on the General tab, enter a template
name for the site server signing certificate template, such as ConfigMgr Site Server
Signing Certificate, and then select Publish certificate in Active Directory.

6. Click the Subject Name tab, and then click Supplied in the request.

7. Click the Extensions tab, make sure Application Policies is selected, and then click
Edit.

8. In the Edit Application Policies Extension dialog box, select Client Authentication,
press Shift and select Server Authentication, and then click Remove.

9. In the Edit Application Policies Extension dialog box, click Add.

10. In the Add Application Policy dialog box, select Document Signing as the only
application policy and then click OK.

11. In the Properties of New Template dialog box, you should now see listed as the
description of Application Policies: Document Signing.

12. Click the Issuance Requirement tab, and select CA certificate manager approval.

13. Click OK and close the Certificate Templates administrator console, certtmpl –
[Certificate Templates].

14. In Certification Authority, right-click Certificate Templates, click New, and then click
Certificate Template to Issue.

15. In the Enable Certificate Templates dialog box, select the new template you have just
created, ConfigMgr Site Server Signing Certificate, and then click OK.

Note
If you cannot complete steps 14 or 15, check that you are using the Enterprise Edition of
Windows Server 2003. Although you can configure templates with Windows
Server Standard Edition and Certificate Services, you cannot deploy certificates using
modified certificate templates unless you are using the Enterprise Edition of
Windows Server 2003.
16. Do not close Certification Authority.

Requesting the Site Server Signing Certificate for the Server That Will Run the
Configuration Manager 2007 Site Server
To request the site server signing certificate
1. On the member server, load Internet Explorer and connect to the Web enrollment service
with the address http://<server>/certsrv where <server> is the name or IP address of the
Enterprise CA.

2. On the Welcome page, select Request a certificate.

3. On the Request a Certificate page, select Advanced certificate request.

4. On the Advanced Certificate Request page, select Create and submit a request to
this CA.

5. On the Advanced Certificate Request page, specify the following:

• Under the Certificate Template section, select ConfigMgr Site Server Signing
Certificate for the Certificate Template.

Note

If you cannot see this certificate template displayed, check that you restarted the member
server (if it was running) after you configured the security group in the earlier procedure.
• Under the section Identifying Information for Offline Template, in the Name
text box enter the following: The site code of this site server is <xxx>,
where <xxx> is the site code of the site, and there is no punctuation at the end of the text
string. It is very important that this exact wording is used, because this forms the
certificate Subject Name, which is used to identify the site server signing certificate.
• Under the section Key Options, enable Store certificate in the local computer
certificate store.
• Under the section Additional Options, enter your choice for Friendly Name,
such as ConfigMgr site server certificate.

6. Click Submit.
7. On the Certificate Pending page, you will see that your certificate request has been
received but requires an administrator to issue the certificate. Make a note of the
displayed Request ID.

8. Do not exit Internet Explorer.
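The Web enrollment pages above submit a request whose Subject Name is built from the Name text box. The same request can be produced from the member server's command line with certreq.exe and a request .inf file, which makes the exact Subject Name wording repeatable. This is an added example, not part of the original page or of Configuration Manager: the site code ABC, the CA configuration string "ca01.contoso.com\Contoso Root CA", and the template name ConfigMgrSiteServerSigningCertificate (the display name with spaces removed, which is the default that the template editor generates) are placeholders to replace with your own values. It assumes PowerShell is installed on the member server.

```powershell
# Added example (not from the original page): request the ConfigMgr site server signing
# certificate with certreq.exe instead of the Web enrollment pages.
# Placeholders to replace: site code, CA "<host>\<CA name>" string, and the template name
# (default template name = display name without spaces; check the template's General tab).
$SiteCode     = "ABC"
$CAConfig     = "ca01.contoso.com\Contoso Root CA"
$TemplateName = "ConfigMgrSiteServerSigningCertificate"

# Exact wording, no trailing punctuation: this Subject Name identifies the site server
# signing certificate.
$Subject = "CN=The site code of this site server is $SiteCode"

# certreq policy file. MachineKeySet=TRUE stores the key in the local computer store
# (the equivalent of "Store certificate in the local computer certificate store").
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
FriendlyName = "ConfigMgr site server certificate"

[RequestAttributes]
CertificateTemplate = $TemplateName
"@

$Work    = Join-Path $env:TEMP "sitesigning"
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$InfPath = Join-Path $Work "request.inf"
$ReqPath = Join-Path $Work "request.req"
$CerPath = Join-Path $Work "issued.cer"
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Build the PKCS#10 request; the private key is generated in the local computer store.
certreq.exe -new $InfPath $ReqPath

# 2. Submit to the enterprise CA. Because the template requires CA certificate manager
#    approval, certreq reports the request as pending and prints its RequestId; note it,
#    it is the same ID shown under Pending Requests in the Certification Authority console.
certreq.exe -submit -config $CAConfig $ReqPath $CerPath

# 3. After the request has been issued on the CA (Pending Requests > All Tasks > Issue),
#    retrieve the certificate and bind it to the waiting private key. Replace <RequestID>
#    with the number printed in step 2.
# certreq.exe -retrieve -config $CAConfig <RequestID> $CerPath
# certreq.exe -accept $CerPath
```

Step 3 corresponds to the "View the status of a pending certificate request" and "Install this certificate" pages later in this section; until the CA administrator has issued the request, the retrieve command reports the request as still pending.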

Approving the Site Server Signing Certificate on the Certification Authority


To approve the site server signing certificate
1. On the domain controller, in Certification Authority, click Pending Requests.

2. In the results pane, you will see the requested certificate with the Request ID displayed
on the Web enrollment page.

3. Right-click the requested certificate, click All Tasks, and then click Issue.

4. Close Certification Authority.

Installing the Site Server Signing Certificate on the Server That Will Run the Configuration
Manager 2007 Site Server
To install the site server signing certificate
1. On the member server, on the Microsoft Certificate Services Web page, click Home on
the top right side to return to the Welcome page.

2. On the Welcome page, click View the status of a pending certificate request.

3. On the View the Status of a Pending Certificate Request page, click the hyperlink that
displays the friendly name you supplied for the site server signing certificate, and the date
and time in parentheses it was requested.

4. On the Certificate Issued Web page, click Install this certificate.

5. If you are prompted with a Potential Scripting Violation warning message, click Yes.

6. The final page should display that your new certificate has been successfully installed.

7. Close Internet Explorer.

The member server is now provisioned with a Configuration Manager 2007 site server signing
certificate.

Installing and Deploying the Web Server Certificate


This step has four procedures:
• Creating a Windows Security Group for the Site System Servers

• Creating and Issuing the Web Server Signing Certificate Template on the Certification
Authority
• Requesting the Web Server Certificate

• Configuring IIS to Use the Web Server Certificate

Creating a Windows Security Group for the Site System Servers (Management Point,
Distribution Point, Software Update Point, State Migration Point)
To create a Windows security group for the site system server
1. On the domain controller, click Start, Programs, Administrative Tools, Active
Directory Users and Computers.

2. Right-click the domain, click New, and then click Group.

3. In the New Object – Group dialog box, enter ConfigMgr IIS Servers as the Group
name and then click OK.

4. In Active Directory Users and Computers, right-click the group you have just created and
then click Properties.

5. Click the Members tab, and then click Add to select the member server.

Note

In our test environment, there is only one server to add. However, in a production environment,
it is likely that various servers will host the Configuration Manager 2007 site systems that
require certificates, such as the site's management point and distribution points. It is therefore
good practice to assign permissions to a group and add the site systems that require the same
type of certificate. Creating a security group for these servers enables you to assign
permissions so that only these servers can use these certificates.
6. Click OK, and then click OK again to close the group properties dialog box.

7. Restart your member server (if running) so that it can pick up the new group membership.

Creating and Issuing the Web Server Signing Certificate Template on the Certification
Authority
To create and issue the Web server signing certificate template on the certification authority
1. On the domain controller, while still running the Certification Authority management
console, right-click Certificate Templates and click Manage to load the Certificate
Templates management console.
2. In the results pane, right-click the entry that displays Web Server in the column
Template Display Name, and then click Duplicate Template.

3. In the Properties of New Template dialog box, on the General tab, enter a template
name to generate the Web certificates that will be used on Configuration Manager site
systems, such as ConfigMgr Web Server Certificate.

4. Click the Subject Name tab, select Build from this Active Directory information, and
then select one of the following for the Subject name format:

• Common name: Select this option if you will use fully qualified domain names for
site systems in Configuration Manager (required for Internet-based client management,
and recommended for clients on the intranet).
• Fully distinguished name: Select this option if you will not use fully qualified
domain names in Configuration Manager.

5. Click the Security tab, and remove the Enroll permission from the security groups
Domain Admins and Enterprise Admins.

6. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

7. Select the following Allow permissions for this group: Read, Enroll, and Autoenroll.

8. Click OK and close the Certificate Templates management console, certtmpl –
[Certificate Templates].

9. In the Certification Authority management console, right-click Certificate Templates,
click New, and then click Certificate Template to Issue.

10. In the Enable Certificate Templates dialog box, select the new template you have just
created, ConfigMgr Web Server Certificate, and then click OK.

11. Do not close Certification Authority.

Requesting the Web Server Certificate


To request the Web server certificate
1. Restart the member server to ensure it can access the certificate template with the
configured permission.

2. Click Start, click Run, and type mmc.exe. In the empty console, click File and then click
Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click Add, click Certificates, and then click
Add.

4. In the Certificate snap-in dialog box, select Computer account and then click Next.

5. In the Select Computer dialog box, ensure Local computer: (the computer this
console is running on) is selected and then click Finish.

6. In the Add Standalone Snap-in dialog box, click Close.

7. In the Add/Remove Snap-in dialog box, click OK.

8. In the console that now displays Certificates (Local Computer), expand Certificates
(Local Computer) and then click Personal.

9. Right-click Certificates, click All Tasks, and then click Request New Certificate.

10. On the Welcome to the Certificate Request Wizard page, click Next.

11. On the Certificates Type page, select ConfigMgr Web Server Certificate from the list
of displayed certificates and then click Next.

12. On the Certificate Friendly Name and Description page, optionally enter a friendly
name and description to help you identify this certificate and then click Next.

13. On the Completing the Certificate Request Wizard page, click Finish.

14. You should see the Certificate Request Wizard dialog box informing you that the
certificate request was successful.

15. Close Certificates (Local Computer).

Configuring IIS to Use the Web Server Certificate


To configure IIS to use the Web server certificate
1. On the member server, click Start, click Programs, click Administrative Tools, and
then click Internet Information Services (IIS) Manager.

2. Expand Web Sites, right-click Default Web Site, and then select Properties.

3. Click the Directory Security tab, and then click Server Certificate.

4. On the Welcome to the Web Server Certificate Wizard page, click Next.
5. On the Server Certificate page, click Assign an existing certificate and then click
Next.

6. On the Available Certificates page, select the Web server certificate you have just
requested, identify it by the Intended Purpose field that has a value of Server
Authentication and the Friendly Name you supplied, and then click Next.

7. On the SSL Port page, accept the default port number of 443 and then click Next.

8. On the Certificate Summary page, click Next.

9. On the Completing the Web Server Certificate Wizard page, click Finish.

10. Click OK to close the Default Web Site Properties.

11. Close Internet Information Services (IIS) Manager.

The member server is now provisioned with a Configuration Manager 2007 Web server
certificate.
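A practitioner will want to confirm that IIS actually presents the new certificate on port 443 before installing Configuration Manager, and that the Subject Name format chosen on the template (Common name versus Fully distinguished name) matches the name clients will connect with. The following check is an added example, not code from the original page or from Configuration Manager; it assumes PowerShell 2.0 or later on the client and uses the placeholder server name memberserver.contoso.com. It records the client-side validation result instead of aborting the handshake, so a certificate with the wrong name format is still reported.

```powershell
# Added example (not from the original page): open a TLS connection to the member server
# and report the certificate IIS presents on port 443. Placeholder host: memberserver.contoso.com.
function Test-WebServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $result = New-Object PSObject -Property @{
        HostName             = $HostName
        Subject              = $null
        Issuer               = $null
        NotAfter             = $null
        ServerAuthentication = $false
        ValidationErrors     = $null
    }
    # Record the chain/name validation outcome rather than letting it abort the handshake,
    # so a certificate with the wrong Subject Name format is still inspected and reported.
    $script:validationErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:validationErrors = $sslPolicyErrors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        # Enhanced Key Usage (OID 2.5.29.37); the Web Server template grants
        # Server Authentication (1.3.6.1.5.5.7.3.1), which is what IIS Manager showed
        # in the Intended Purpose field.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasServerAuth = $false
        if ($eku) {
            $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        }
        $result.Subject              = $cert.Subject
        $result.Issuer               = $cert.Issuer
        $result.NotAfter             = $cert.NotAfter
        $result.ServerAuthentication = $hasServerAuth
        $result.ValidationErrors     = $script:validationErrors
    }
    finally {
        $ssl.Close()
        $client.Close()
    }
    $result
}

$check = Test-WebServerCertificate -HostName 'memberserver.contoso.com'
$check | Format-List HostName, Subject, Issuer, NotAfter, ServerAuthentication, ValidationErrors

if (-not $check.ServerAuthentication) {
    Write-Warning 'The certificate on port 443 lacks the Server Authentication purpose; check which certificate was assigned in IIS Manager.'
}
if ("$($check.ValidationErrors)" -ne 'None') {
    Write-Warning "Client-side validation reported: $($check.ValidationErrors)."
}
```

A result of RemoteCertificateNameMismatch means the certificate's Subject Name does not match the name the client connected with: for example, the template was built with the Fully distinguished name format while clients connect by FQDN. RemoteCertificateChainErrors on a domain member usually means the enterprise CA's root certificate has not yet reached the client's Trusted Root Certification Authorities store.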

Installing and Deploying the Client Certificate


This step has two procedures:

• Configuring Autoenrollment of the Computer Template Using Group Policy

• Automatically Enrolling the Computer Certificate and Verifying Its Installation on
Computers

Configuring Autoenrollment of the Computer Template Using Group Policy


To configure autoenrollment of the computer template using Group Policy
1. On the domain controller, click Start, click Administrative Tools, and then click Group
Policy Management.

2. Right-click the domain, and then select Create and Link a GPO Here.

Note

This step uses the best practice of creating a new Group Policy for custom settings rather than
editing the Default Domain Policy that is installed with Active Directory Domain Services. By
assigning this Group Policy at the domain level, you will apply it to all computers in the domain.
However, on a production environment you can restrict the autoenrollment so that it enrolls on
only selected computers by either assigning the Group Policy at an organizational unit (OU)
level, or you can filter the domain Group Policy with a security group so that it applies only to
the computers in the group. If you restrict autoenrollment, remember to include the server that
is configured as the management point.
3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll
Certificates, and click OK.

4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group
Policy and then click Edit.

5. In the Group Policy Object Editor, navigate to Computer Configuration / Windows
Settings / Security Settings / Public Key Policies.

6. Right-click Automatic Certificate Request Settings, click New, and then click
Automatic Certificate Request.

7. In the Welcome to the Automatic Certificate Request Setup Wizard, click Next.

8. On the Certificate Template page, select Computer from the list of available certificate
templates and then click Next.

9. On the Completing the Automatic Certificate Request Setup Wizard page, click
Finish.

10. Close Group Policy Management.

Automatically Enrolling the Computer Certificate and Verifying Its Installation on
Computers
To automatically enroll the computer certificate and verify its installation on the client computer
1. Restart the workstation computer, and wait a few minutes before logging on.

Note

Restarting a computer is the most reliable method of ensuring success with certificate
autoenrollment.
2. Log on with an account that has administrative privileges.

3. Click Start, click Run, and then type mmc.exe.

4. In the empty management console, click File, and then click Add/Remove Snap-in.

5. In the Add/Remove Snap-in dialog box, click Add, click Certificates, and then click
Add.

6. In the Certificate snap-in dialog box, select Computer account and then click Next.
7. In the Select Computer dialog box, ensure Local computer: (the computer this
console is running on) is selected and then click Finish.

8. In the Add Standalone Snap-in dialog box, click Close.

9. In the Add/Remove Snap-in dialog box, click OK.

10. In the console that now displays Certificates (Local Computer), expand Certificates
(Local Computer) and then click Personal.

11. In the results pane, confirm a certificate is displayed that has Client Authentication
displayed in the Intended Purpose field and Computer displayed in the Certificate
Template field.

12. Close Certificates (Local Computer).

13. Repeat steps 1 through 12 for the member server to verify that the server that will be
configured as the management point also has a client certificate.

The workstation and member server are now provisioned with a Configuration Manager 2007
client certificate.
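The verification in steps 1 through 13 above is done by eye in the Certificates snap-in. The following script is an added example, not code from the original page or from Configuration Manager, that performs the same inspection of the Local Computer Personal store from a script and also checks for the two server certificates provisioned earlier in this example, so it can be run unchanged on both the workstation (where only the client certificate is expected) and the member server (where all three are expected). It assumes PowerShell 2.0 or later, which provides the Cert: drive; the template display name ConfigMgr Web Server Certificate is the one used in this example.

```powershell
# Added example (not from the original page): inventory the Local Computer Personal store
# and check for the certificates this walkthrough provisions. Assumes PowerShell 2.0 or later.
function Get-ConfigMgrCertificateInventory {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Enhanced Key Usage (OID 2.5.29.37): the "Intended Purpose" column of the snap-in.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku = @()
        if ($ekuExt) { $eku = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) }

        # Template name: version 1 templates such as Computer carry it in 1.3.6.1.4.1.311.20.2;
        # duplicated (version 2) templates such as ConfigMgr Web Server Certificate carry
        # "Template=<name>(<oid>), Major Version Number=..." in 1.3.6.1.4.1.311.21.7.
        $template = $null
        $v1 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $v2 = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        if ($v1)     { $template = $v1.Format($false) }
        elseif ($v2) { $template = $v2.Format($false) }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            EKU           = $eku
            Template      = $template
        }
    }
}

$inventory = @(Get-ConfigMgrCertificateInventory)
$inventory | Format-Table Subject, Template, @{ n = 'EKU'; e = { $_.EKU -join ', ' } }, NotAfter, HasPrivateKey -AutoSize

# Client certificate (workstation and management point server): Client Authentication
# purpose, issued from the Computer template, with a usable private key.
$clientCert = $inventory | Where-Object {
    $_.Template -eq 'Computer' -and $_.EKU -contains 'Client Authentication' -and $_.HasPrivateKey
}
# Site server signing certificate (site server only): identified by its exact Subject Name
# and the Document Signing purpose set on the duplicated template.
$signingCert = $inventory | Where-Object {
    $_.Subject -like 'CN=The site code of this site server is *' -and $_.EKU -contains 'Document Signing'
}
# Web server certificate (site systems only): Server Authentication purpose from the
# ConfigMgr Web Server Certificate template.
$webCert = $inventory | Where-Object {
    $_.EKU -contains 'Server Authentication' -and "$($_.Template)" -like '*ConfigMgr Web Server Certificate*'
}

if (-not $clientCert) {
    Write-Warning 'No client certificate from the Computer template: check the autoenrollment GPO applies to this computer (gpupdate /force, then restart).'
}
if (-not $signingCert) { Write-Warning 'No site server signing certificate (expected on the site server only).' }
if (-not $webCert)     { Write-Warning 'No ConfigMgr Web server certificate (expected on site systems only).' }
```

On the workstation, the two server warnings are expected and only the client-certificate check matters; on the member server all three certificates should be listed with HasPrivateKey set to True. A certificate that appears without a private key is not usable by Configuration Manager or IIS and indicates the request and the accepted certificate were not paired on the same computer.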

See Also
Tasks
How to Migrate the Site Mode from Mixed Mode to Native Mode
Concepts
Administrator Workflow: Deploying the PKI Requirements for Native Mode
Administrator Checklist: Deploying the PKI Requirements for Native Mode
Benefits of Using Native Mode
Certificate Requirements for Native Mode
Overview of Internet-Based Client Management
Prerequisites for Native Mode
