PKI Certificate Requirements for Configuration Manager

The public key infrastructure (PKI) certificates that you might require for System Center 2012 Configuration Manager are listed in the following tables. This information assumes basic knowledge of PKI certificates. For step-by-step guidance for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority. For more information about Active Directory Certificate Services, see Active Directory Certificate Services in Windows Server 2008.

With the exception of the client certificates that Configuration Manager enrolls on mobile devices and Mac computers, the certificates that Windows Intune automatically creates for managing mobile devices, and the certificates that Configuration Manager installs on AMT-based computers, you can use any PKI to create, deploy, and manage the following certificates. However, when you use Active Directory Certificate Services and certificate templates, this Microsoft PKI solution can ease the management of the certificates. Use the Microsoft certificate template to use column in the following tables to identify the certificate template that most closely matches the certificate requirements. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or Datacenter Edition of the server operating system, such as Windows Server 2008 Enterprise and Windows Server 2008 Datacenter.

Important
When you use an enterprise certification authority and certificate templates, do not use the version 3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create certificates that are incompatible with Configuration Manager.

Use the following sections to view the certificate requirements.

PKI Certificates for Servers

Configuration Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Site systems that run Internet Information Services (IIS) and that are configured for HTTPS client connections:

Management point
Distribution point
Software update point
State migration point
Enrollment point
Enrollment proxy point
Application Catalog web service point
Application Catalog website point

Server authentication

Web Server

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).

If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's name, depending on how the site system is configured.

If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer name) must be specified by using the ampersand (&) symbol delimiter between the two names.

Important
When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.

SHA-1 and SHA-2 hash algorithms are supported.

Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size–related issues for this certificate.

This certificate must reside in the Personal store in the Computer certificate store.

This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

Cloud-based distribution point

Server authentication

Web Server

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain a customer-defined service name and domain name in an FQDN format as the Common Name for the specific instance of the cloud-based distribution point.

The private key must be exportable.

SHA-1 and SHA-2 hash algorithms are supported.

Supported key lengths: 2048 bits.

For Configuration Manager SP1 only:

This service certificate is used to authenticate the cloud-based distribution point service to Configuration Manager clients and to encrypt all data transferred between them by using Secure Sockets Layer (SSL).

This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported when you create a cloud-based distribution point.

Note
This certificate is used in conjunction with the Windows Azure management certificate. For more information about this certificate, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform section of the MSDN Library.

Network Load Balancing (NLB) cluster for a software update point

Server authentication

Web server

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The FQDN of the NLB cluster in the Subject Name field, or Subject Alternative Name field:
- For network load balancing servers that support Internet-based client management, use the Internet NLB FQDN.
- For network load balancing servers that support intranet clients, use the intranet NLB FQDN.
The computer name of the site system in the NLB cluster in the Subject Name field or Subject Alternative Name field. This server name must be specified after the NLB cluster name and the ampersand (&) symbol delimiter:
- For site systems on the intranet, use the intranet FQDN if you specify them (recommended) or the computer NetBIOS name.
- For site systems supporting Internet-based client management, use the Internet FQDN.

SHA-1 and SHA-2 hash algorithms are supported.

For System Center 2012 Configuration Manager with no service pack:

This certificate is used to authenticate the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers by using SSL.

Note
This certificate is applicable to Configuration Manager with no service pack only because NLB software update points are not supported in Configuration Manager SP1.

Site system servers that run Microsoft SQL Server

Server authentication

Web server

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain the intranet fully qualified domain name (FQDN).

SHA-1 and SHA-2 hash algorithms are supported.

Maximum supported key length is 2048 bits.

This certificate must reside in the Personal store in the Computer certificate store and Configuration Manager automatically copies it to the Trusted People Store for servers in the Configuration Manager hierarchy that might have to establish trust with the server.

These certificates are used for server-to-server authentication.

SQL Server cluster: Site system servers that run Microsoft SQL Server

Server authentication

Web server

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain the intranet fully qualified domain name (FQDN) of the cluster.

The private key must be exportable.

The certificate must have a validity period of at least two years when you configure Configuration Manager to use the SQL Server cluster.

SHA-1 and SHA-2 hash algorithms are supported.

Maximum supported key length is 2048 bits.

After you have requested and installed this certificate on one node in the cluster, export the certificate and import it to each additional node in the SQL Server cluster.

These certificates are used for server-to-server authentication.

Site system monitoring for the following site system roles:

Management point
State migration point

Client authentication

Workstation Authentication

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.

Note
If you are using multiple values for the Subject Alternative Name, only the first value is used.

SHA-1 and SHA-2 hash algorithms are supported.

Maximum supported key length is 2048 bits.

This certificate is required on the listed site system servers, even if the System Center 2012 Configuration Manager client is not installed, so that the health of these site system roles can be monitored and reported to the site.

The certificate for these site systems must reside in the Personal store of the Computer certificate store.

Site systems that have a distribution point installed

Client authentication

Workstation Authentication

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points.

The private key must be exportable.

SHA-1 and SHA-2 hash algorithms are supported.

Maximum supported key length is 2048 bits.

This certificate has two purposes:

It authenticates the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.
When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that so that if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information, the client computers can connect to a HTTPS-enabled management point during the deployment of the operating system.

This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.

This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the distribution point properties.

Note
The requirements for this certificate are the same as the client certificate for boot images for deploying operating systems. Because the requirements are the same, you can use the same certificate file.

Out of band service point

AMT Provisioning

Web Server (modified)

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3.

The subject name field must contain the FQDN of the server that is hosting the out of band service point.

Note

If you request an AMT provisioning certificate from an external CA instead of from your own internal CA, and it does not support the AMT provisioning object identifier of 2.16.840.1.113741.1.2.3, you can alternatively specify the following text string as an organizational unit (OU) attribute in the certificate subject name: Intel(R) Client Setup Certificate. This exact text string in English must be used, in the same case, without a trailing period, and in addition to the FQDN of the server that is hosting the out of band service point.

SHA-1 is the only supported hash algorithm.

Supported key lengths: 1024 and 2048. For AMT 6.0 and later versions, the key length of 4096 bits is also supported.

This certificate resides in the Personal store in the Computer certificate store of the out of band service point site system server.

This AMT provisioning certificate is used to prepare computers for out of band management.

You must request this certificate from a CA that supplies AMT provisioning certificates, and the BIOS extension for the Intel AMT-based computers must be configured to use the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate.

VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA.

Install the certificate on the server that hosts the out of band service point, which must be able to chain successfully to the certificate's root CA. (By default, the root CA certificate and intermediate CA certificate for VeriSign are installed when Windows installs.)

Site system server that runs the Windows Intune connector

Client authentication

Not applicable: Windows Intune automatically creates this certificate.

Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2).

3 custom extensions uniquely identify the customer Windows Intune subscription.

The key size is 2048 bits and uses the SHA-1 hash algorithm.

Note
You cannot change these settings: This information is provided for informational purposes only.

This certificate is automatically requested and installed to the Configuration Manager database when you subscribe to Windows Intune. When you install the Windows Intune connector, this certificate is then installed on the site system server that runs the Windows Intune connector. It is installed into the Computer certificate store.

This certificate is used to authenticate the Configuration Manager hierarchy to Windows Intune by using the Windows Intune connector. All data that is transferred between them uses Secure Sockets Layer (SSL).

Proxy Web Servers for Internet-Based Client Management

Note
If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server.

Network infrastructure component	Certificate purpose	Microsoft certificate template to use	Specific information in the certificate	How the certificate is used in Configuration Manager
Proxy web server accepting client connections over the Internet	Server authentication and client authentication	Web Server Workstation Authentication	Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only). SHA-1 and SHA-2 hash algorithms are supported.	This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server by using SSL: Internet-based management point Internet-based distribution point Internet-based software update point The client authentication is used to bridge client connections between the System Center 2012 Configuration Manager clients and the Internet-based site systems.

PKI Certificates for Clients

Configuration Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Windows client computers

Client authentication

Workstation Authentication

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.

Note
If you are using multiple values for the Subject Alternative Name, only the first value is used.

SHA-1 and SHA-2 hash algorithms are supported.

Maximum supported key length is 2048 bits.

By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.

With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.

Mobile device clients

Client authentication

Authenticated Session

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

SHA-1 is the only supported hash algorithm.

Maximum supported key length is 2048 bits.

Important
These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported.

This certificate authenticates the mobile device client to the site system servers that it communicates with, such as management points and distribution points.

Boot images for deploying operating systems

Client authentication

Workstation Authentication

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

There are no specific requirements for the certificate Subject Name field or Subject Alternative Name (SAN), and you can use the same certificate for all boot mages.

The private key must be exportable.

SHA-1 and SHA-2 hash algorithms are supported.

Maximum supported key length is 2048 bits.

The certificate is used if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information.

This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.

This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the Configuration Manager boot images.

Note
The requirements for this certificate are the same as the server certificate for site systems that have a distribution point installed. Because the requirements are the same, you can use the same certificate file.

Mac client computers

Client authentication

For Configuration Manager enrollment:Authenticated Session

For certificate installation independent from Configuration Manager: Workstation Authentication

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

For Configuration Manager that creates a User certificate, the certificate Subject value is automatically populated with the user name of the person who enrolls the Mac computer.

For certificate installation that does not use Configuration Manager enrollment but deploys a Computer certificate independently from Configuration Manager, the certificate Subject value must be unique. For example, specify the FQDN of the computer.

The Subject Alternative Name field is not supported.

SHA-1 and SHA-2 hash algorithms are supported.

Maximum supported key length is 2048 bits.

For Configuration Manager SP1 only:

This certificate authenticates the Mac client computer to the site system servers that it communicates with, such as management points and distribution points.

Linux and UNIX client computers

Client authentication

Workstation Authentication

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

The Subject Alternative Name field is not supported.

The private key must be exportable.

SHA-1 hash algorithm is supported.

SHA-2 hash algorithm is supported if the operating system of the client supports SHA-2. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic.

Supported key lengths: 2048 bits.

Important
These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported.

For Configuration Manager SP1 only:

This certificate authenticates the client for Linux and UNIX to the site system servers that it communicates with, such as management points and distribution points.

This certificate must be exported in a Public Key Certificate Standard (PKCS#12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate.

For additional information, see the Planning for Security and Certificates for Linux and UNIX Servers section in Planning for Client Deployment for Linux and UNIX Servers topic.

Root certification authority (CA) certificates for the following scenarios:

Operating system deployment
Mobile device enrollment
RADIUS server authentication for Intel AMT-based computers
Client certificate authentication

Certificate chain to a trusted source

Not applicable.

Standard root CA certificate.

The root CA certificate must be provided when clients have to chain the certificates of the communicating server to a trusted source. This applies in the following scenarios:

When you deploy an operating system, and task sequences run that connect the client computer to a management point that is configured to use HTTPS.
When you enroll a mobile device to be managed by System Center 2012 Configuration Manager.
When you use 802.1X authentication for AMT-based computers, and you want to specify a file for the RADIUS server’s root certificate.

In addition, the root CA certificate for clients must be provided if the client certificates are issued by a different CA hierarchy than the CA hierarchy that issued the management point certificate.

Intel AMT-based computers

Server authentication.

Web Server (modified)

You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format.

You must grant Read and Enroll permissions to the universal security group that you specify in the out of band management component properties.

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain the FQDN of the AMT-based computer, which is supplied automatically from Active Directory Domain Services.

SHA-1 is the only supported hash algorithm.

Maximum supported key length: 2048 bits.

This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.

Each Intel AMT-based computer requests this certificate during AMT provisioning and for subsequent updates. If you remove AMT provisioning information from these computers, they revoke this certificate.

When this certificate is installed on Intel AMT-based computers, the certificate chain to the root CA is also installed. AMT-based computers cannot support CA certificates with a key length larger than 2048 bits.

After the certificate is installed on Intel AMT-based computers, this certificate authenticates the AMT-based computers to the out of band service point site system server and to computers that are run the out of band management console, and encrypts all data transferred between them by using Transport Layer Security (TLS).

Intel AMT 802.1X client certificate

Client authentication

Workstation Authentication

You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format, clear the DNS name and select the User principal name (UPN) for the alternative subject name.

You must grant the universal security group that you specify in the out of band management component properties Read and Enroll permissions to this certificate template.

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

The subject name field must contain the FQDN of the AMT-based computer and the subject alternative name must contain the UPN.

Maximum supported key length: 2048 bits.

This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.

Each Intel AMT-based computer can request this certificate during AMT provisioning but they do not revoke this certificate when their AMT provisioning information is removed.

After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the RADIUS server so that it can then be authorized for network access.

Mobile devices that are enrolled by Windows Intune

Client authentication

Not applicable: Windows Intune automatically creates this certificate.

Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2).

3 custom extensions uniquely identify the customer Windows Intune subscription.

Users can supply the certificate Subject value during enrollment. However, this value is not used by Windows Intune to identify the device.

The key size is 2048 bits and uses the SHA-1 hash algorithm.

Note
You cannot change these settings: This information is provided for informational purposes only.

This certificate is automatically requested and installed when authenticated users enroll their mobiles devices by using Windows Intune. The resulting certificate on the device resides in the Computer store and authenticates the enrolled mobile device to Windows Intune, so that it can then be managed.

Because of the custom extensions in the certificate, authentication is restricted to the Windows Intune subscription that has been established for the organization.

PKI Certificates for Servers

Proxy Web Servers for Internet-Based Client Management

PKI Certificates for Clients

See Also

Concepts