Note: The information in this topic applies only to System Center 2012 R2 Configuration Manager.
Before you can use Configuration Manager to enroll certificates
on devices and for users, you must perform the configuration steps
that this topic describes.
Steps to Configure Certificate Enrollment in Configuration Manager
Supplemental Procedures to Configure Certificate Enrollment in Configuration Manager
Use the following information when the steps in the
preceding table require supplemental procedures.
Step 1: Install and Configure the Network Device Enrollment Service and Dependencies
You must install and configure the Network Device
Enrollment Service role service for Active Directory Certificate
Services (AD CS), change the security permissions on the
certificate templates, deploy a public key infrastructure (PKI)
client authentication certificate, and edit the registry to
increase the Internet Information Services (IIS) default URL size
limit. If necessary, you must also configure the issuing
certification authority (CA) to allow a custom validity period.
Important: Before you configure Configuration Manager to work with the Network Device Enrollment Service, verify the installation and configuration of the Network Device Enrollment Service. If these dependencies are not working correctly, you will have difficulty troubleshooting certificate enrollment by using Configuration Manager.
To install and configure the Network Device Enrollment Service and dependencies
- On a server that is running Windows Server 2012 R2, install and configure the Network Device Enrollment Service role service for the Active Directory Certificate Services server role. For more information, see Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on TechNet.
- Check, and if necessary, modify the security permissions for the certificate templates that the Network Device Enrollment Service is using:
  - For the account that runs the Configuration Manager console: Read permission. This permission is required so that when you run the Create Certificate Profile Wizard, you can browse to select the certificate template that you want to use when you create a SCEP settings profile. Selecting a certificate template means that some settings in the wizard are automatically populated, so there is less for you to configure and there is less risk of selecting settings that are not compatible with the certificate templates that the Network Device Enrollment Service is using.
  - For the SCEP Service account that the Network Device Enrollment Service application pool uses: Read and Enroll permissions. This requirement is not specific to Configuration Manager but is part of configuring the Network Device Enrollment Service. For more information, see Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on TechNet.
  Tip: To identify which certificate templates the Network Device Enrollment Service is using, view the following registry key on the server that is running the Network Device Enrollment Service: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.
- Deploy to this server a PKI certificate that supports client authentication. You might already have a suitable certificate installed on the computer that you can use, or you might have to (or prefer to) deploy a certificate specifically for this purpose. For more information about the requirements for this certificate, refer to the details for "Servers running the Configuration Manager Policy Module with the Network Device Enrollment Service role service" in the PKI Certificates for Servers section in the PKI Certificate Requirements for Configuration Manager topic.
- Locate the root certificate that the client authentication certificate chains to. Then, export this root CA certificate to a certificate (.cer) file. Save this file to a secured location that you can securely access when you later install and configure the site system server for the certificate registration point.
- On the same server, use the registry editor to increase the IIS default URL size limit by setting the following registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters:
  - Set the MaxFieldLength value to 65534.
  - Set the MaxRequestBytes value to 16777216.
  For more information, see article 820129: Http.sys registry settings for Windows in the Microsoft Knowledge Base.
- On the same server, in Internet Information Services (IIS) Manager, modify the request-filtering settings for the /certsrv/mscep application, and then restart the server. In the Edit Request Filtering Settings dialog box, the Request Limits settings should be as follows:
  - Maximum allowed content length (Bytes): 30000000
  - Maximum URL length (Bytes): 65534
  - Maximum query string (Bytes): 65534
  For more information about these settings and how to configure them, see Requests Limits in the IIS Reference Library.
- If you want to be able to request a certificate that has a shorter validity period than the certificate template that you are using, note that this option is disabled by default for an enterprise CA. To enable it on an enterprise CA, use the Certutil command-line tool, and then stop and restart the certificate service by using the following commands:
  - certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
  - net stop certsvc
  - net start certsvc
  For more information, see Certificate Services Tools and Settings in the PKI Technologies library on TechNet.
- Verify that the Network Device Enrollment Service is working by using the following link as an example: https://server.contoso.com/certsrv/mscep/mscep.dll. You should see the built-in Network Device Enrollment Service webpage. This webpage explains what the service is and explains that network devices use the URL to submit certificate requests.
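The HTTP.sys, IIS request-filtering and Certutil settings from the preceding steps, applied and then checked from PowerShell on the Network Device Enrollment Service server. This is an added example, not a script from the original topic; it assumes the NDES application sits under the Default Web Site, that the issuing CA is this same server (otherwise pass -config to certutil), and uses ndes1.contoso.com as a constructed server name.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

$ndesFqdn = 'ndes1.contoso.com'              # assumption: replace with your NDES server FQDN
$ndesApp  = 'Default Web Site/certsrv/mscep'  # assumption: NDES under the Default Web Site

# Tip from Step 1: the MSCEP key records which templates NDES hands out.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP' |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate | Format-List

# HTTP.sys URL size limits (values from KB 820129 as quoted in the topic).
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
Set-ItemProperty -Path $httpParams -Name MaxFieldLength  -Value 65534    -Type DWord
Set-ItemProperty -Path $httpParams -Name MaxRequestBytes -Value 16777216 -Type DWord

# IIS request-filtering limits for the /certsrv/mscep application only,
# written as a <location> entry in applicationHost.config.
$filter = 'system.webServer/security/requestFiltering/requestLimits'
$limits = @{ maxAllowedContentLength = 30000000; maxUrl = 65534; maxQueryString = 65534 }
foreach ($name in $limits.Keys) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $ndesApp `
        -Filter $filter -Name $name -Value $limits[$name]
}

# Optional: let requesters ask for a validity period shorter than the template.
# Run on the issuing CA; the topic's command, followed by a service restart.
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net stop certsvc
net start certsvc

# HTTP.sys reads its Parameters key at service start, so restart the server as the
# topic says, then run this check. Expect HTTP 200 and the built-in NDES page.
function Test-NdesEndpoint {
    param([string]$Fqdn)
    $resp = Invoke-WebRequest -Uri "https://$Fqdn/certsrv/mscep/mscep.dll" `
        -UseDefaultCredentials -UseBasicParsing
    return ($resp.StatusCode -eq 200 -and
            $resp.Content -match 'Network Device Enrollment Service')
}

if (Test-NdesEndpoint -Fqdn $ndesFqdn) {
    Write-Output 'NDES answered with its built-in page.'
} else {
    Write-Warning 'NDES did not return the expected page; check IIS and the MSCEP templates.'
}
```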
Now that the Network Device Enrollment Service and
dependencies are configured, you are ready to install and configure
the certificate registration point.
Step 2: Install and Configure the Certificate Registration Point
You must install and configure at least one certificate
registration point in the Configuration Manager hierarchy, and you
can install this site system role in the central administration
site or in a primary site.
To install and configure the certificate registration point
- In the Configuration Manager console, click Administration.
- In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for the certificate registration point.
- On the Home tab, in the Server group, click Add Site System Roles.
- On the General page, specify the general settings for the site system, and then click Next.
- On the Proxy page, click Next. The certificate registration point does not use Internet proxy settings.
- On the System Role Selection page, select Certificate registration point from the list of available roles, and then click Next.
- On the Certificate Registration Point page, accept or change the default settings, and then click Add.
- In the Add URL and Root CA Certificate dialog box, specify the following, and then click OK:
  - URL for the Network Device Enrollment Service: Specify the URL in the following format: https://<server_FQDN>/certsrv/mscep/mscep.dll. For example, if the FQDN of your server that is running the Network Device Enrollment Service is server1.contoso.com, type https://server1.contoso.com/certsrv/mscep/mscep.dll.
  - Root CA Certificate: Browse to and select the certificate (.cer) file that you created and saved in Step 1: Install and configure the Network Device Enrollment Service and dependencies. This root CA certificate allows the certificate registration point to validate the client authentication certificate that the Configuration Manager Policy Module will use.
  Note: If you are using more than one server that is running the Network Device Enrollment Service, click Add to specify the details for the other servers.
- Click Next and complete the wizard.
- Wait a few minutes to let the installation finish, and then verify that the certificate registration point was installed successfully by using any of the following methods:
  - In the Monitoring workspace, expand System Status, click Component Status, and look for status messages from the SMS_CERTIFICATE_REGISTRATION_POINT component.
  - On the site system server, use the <ConfigMgr Installation Path>\Logs\crpsetup.log file and <ConfigMgr Installation Path>\Logs\crpmsi.log file. A successful installation will return an exit code of 0.
  - By using a browser, verify that you can connect to the URL of the certificate registration point, for example, https://server1.contoso.com/CMCertificateRegistration. You should see a Server Error page for the application name, with an HTTP 404 description.
- Locate the exported certificate file for the root CA that the certificate registration point automatically created in the following folder on the primary site server computer: <ConfigMgr Installation Path>\inboxes\certmgr.box. Save this file to a secured location that you can securely access when you later install the Configuration Manager Policy Module on the server that is running the Network Device Enrollment Service.
  Tip: This certificate is not immediately available in this folder. You might need to wait a while (for example, half an hour) before Configuration Manager copies the file to this location.
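The three verification checks and the wait for the exported root CA file, scripted as an added example that is not part of the original topic. It assumes the site system and primary site are the same server (server1.contoso.com), a default installation path, the default CMCertificateRegistration application name, and a log line format of "exit code N" or "return value N" for the exit code; all of these are assumptions to adjust for your site.

```powershell
$crpServer   = 'server1.contoso.com'                              # assumption
$installPath = 'C:\Program Files\Microsoft Configuration Manager'  # assumption
$crpUrl      = "https://$crpServer/CMCertificateRegistration"

# 1. Setup logs: the topic says a successful installation returns exit code 0.
#    Assumption: the log records it as "exit code N" or "return value N".
foreach ($log in 'crpsetup.log', 'crpmsi.log') {
    $path = Join-Path $installPath "Logs\$log"
    if (-not (Test-Path $path)) { Write-Warning "$log not found at $path"; continue }
    $codes = Select-String -Path $path -Pattern '(exit code|return value)\s*:?\s*(\d+)' -AllMatches |
             ForEach-Object { $_.Matches } | ForEach-Object { [int]$_.Groups[2].Value }
    if ($codes -and ($codes | Where-Object { $_ -ne 0 })) { Write-Warning "$log reports a non-zero code" }
    elseif ($codes) { Write-Output "$log reports exit code 0" }
    else { Write-Warning "$log has no recognisable exit code line" }
}

# 2. URL check: the bare application URL is expected to answer HTTP 404 over HTTPS.
#    A TLS or connection failure shows up as an exception with no HTTP response.
try {
    Invoke-WebRequest -Uri $crpUrl -UseBasicParsing | Out-Null
    Write-Warning 'CRP returned 200; the topic expects a 404 for the bare application URL.'
} catch {
    if ($_.Exception.Response) {
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 404) { Write-Output 'CRP reachable over HTTPS (HTTP 404 as expected).' }
        else { Write-Warning "CRP returned HTTP $status" }
    } else {
        Write-Warning "No HTTP response from CRP: $($_.Exception.Message)"
    }
}

# 3. Wait for the root CA .cer in certmgr.box (the Tip says it can take about half an hour),
#    then copy it to a location of your choice for the Policy Module setup in Step 3.
$inbox    = Join-Path $installPath 'inboxes\certmgr.box'
$deadline = (Get-Date).AddMinutes(45)
do {
    $cer = Get-ChildItem -Path $inbox -Filter '*.cer' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $cer) { Start-Sleep -Seconds 60 }
} while (-not $cer -and (Get-Date) -lt $deadline)

if ($cer) {
    $dest = Join-Path $env:USERPROFILE 'Documents\CRP-RootCA.cer'   # assumption: secured folder
    Copy-Item -Path $cer.FullName -Destination $dest
    Write-Output "Root CA certificate $($cer.Name) copied to $dest"
} else {
    Write-Warning "No .cer file appeared in $inbox within 45 minutes."
}
```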
Now that the certificate registration point is
installed and configured, you are ready to install the
Configuration Manager Policy Module for the Network Device
Enrollment Service.
Step 3: Install the Configuration Manager Policy Module
You must install and configure the Configuration
Manager Policy Module on each server that you specified in Step
2: Install and configure the certificate registration point as
URL for the Network Device Enrollment Service in the
properties for the certificate registration point.
To install the Policy Module
- On the server that runs the Network Device Enrollment Service, log on as a domain administrator and copy the following files from the <ConfigMgrInstallationMedia>\SMSSETUP\POLICYMODULE\X64 folder on the Configuration Manager installation media to a temporary folder:
  - PolicyModule.msi
  - PolicyModuleSetup.exe
  In addition, if you have a LanguagePack folder on the installation media, copy this folder and its contents.
- From the temporary folder, run PolicyModuleSetup.exe to start the Configuration Manager Policy Module Setup wizard.
- On the initial page of the wizard, click Next, accept the license terms, and then click Next.
- On the Installation Folder page, accept the default installation folder for the policy module or specify an alternative folder, and then click Next.
- On the Certificate Registration Point page, specify the URL of the certificate registration point by using the FQDN of the site system server and the virtual application name that is specified in the properties for the certificate registration point. The default virtual application name is CMCertificateRegistration. For example, if the site system server has an FQDN of server1.contoso.com and you used the default virtual application name, specify https://server1.contoso.com/CMCertificateRegistration.
- Accept the default port of 443 or specify the alternative port number that the certificate registration point is using, and then click Next.
- On the Client Certificate for the Policy Module page, browse to and specify the client authentication certificate that you deployed in Step 1: Install and configure the Network Device Enrollment Service and dependencies, and then click Next.
- On the Certificate Registration Point Certificate page, click Browse to select the exported certificate file for the root CA that you located and saved at the end of Step 2: Install and configure the certificate registration point.
  Note: If you did not previously save this certificate file, it is located in <ConfigMgr Installation Path>\inboxes\certmgr.box on the site server computer.
- Click Next and complete the wizard.
Now that you have completed the configuration steps to
install the Network Device Enrollment Service and dependencies, the
certificate registration point, and the Configuration Manager
Policy Module, you are ready to deploy certificates to users and
devices by creating and deploying certificate profiles. For more
information about how to create certificate profiles, see How to Create
Certificate Profiles in Configuration Manager.
If you want to uninstall the Configuration Manager
Policy Module, use Programs and Features in Control
Panel.