Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager 2012: Windows Server 2008 Certification Authority

Updated: March 15, 2011

Applies To: System Center Configuration Manager 2012

This step-by-step example deployment, which uses a Windows Server 2008 certification authority (CA), contains procedures to guide you through the process of creating and deploying the public key infrastructure (PKI) certificates that Microsoft System Center Configuration Manager 2012 uses. These procedures use an enterprise CA and certificate templates. The steps are appropriate for a test network only, as a proof of concept.

Because there is no single method of deployment for the required certificates, you will need to consult your particular PKI deployment documentation for the necessary procedures and best practices to deploy the required certificates for a production environment. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager 2012.

In This Section

The following sections describe the test network, give an overview of the certificates, and then provide example step-by-step instructions to create and deploy each of the certificates that can be used with Configuration Manager 2012:

Test Network Requirements

Overview of the Certificates

Deploying the Web Server Certificate for Site Systems that run IIS

Deploying the Client Certificate for Computers

Deploying the Enrollment Certificate for Mobile Devices

Deploying the Certificates for AMT

Test Network Requirements

The step-by-step instructions have the following requirements:

  • The test network is running Active Directory Domain Services with Windows Server 2008, and it is installed as a single domain, single forest.

  • You have a member server running Windows Server 2008 Enterprise Edition, which has installed on it the Active Directory Certificate Services role, and it is configured as an enterprise root certification authority (CA).

  • You have one computer that has Windows Server 2008 (Standard Edition or Enterprise Edition) installed on it and that is designated as a member server, and you have Internet Information Services (IIS) installed on it.

  • You have one Windows Vista client with the latest service pack installed, and this computer is configured with a computer name that comprises ASCII characters and is joined to the domain.

  • You can log on with a root domain administrator account or an enterprise domain administrator account, and you use this account for all procedures in this example deployment.

Overview of the Certificates

The following table lists the types of PKI certificates that might be required for Configuration Manager 2012 and describes how they are used. Each entry gives the certificate requirement, followed by a description of the certificate:

Web server certificate for site systems that run IIS

This certificate is used to encrypt data and authenticate the server to clients. It must be installed independently of Configuration Manager 2012 (Configuration Manager does not request it for you) on site system servers that run IIS and that are configured in Configuration Manager to use HTTPS.

Client certificate for computers

This certificate is used to authenticate Configuration Manager 2012 client computers to site systems that are configured to use HTTPS. It can also be used by management points and state migration points to monitor their operational status when they are configured to use HTTPS. It must be installed independently of Configuration Manager on computers.

Enrollment certificate for mobile devices

This certificate is used to authenticate Configuration Manager 2012 mobile device clients to site systems that are configured to use HTTPS. It must be installed as part of mobile device enrollment in Configuration Manager 2012 and you select the configured certificate template as a mobile device client setting.

Certificates for AMT

There are three certificates that relate to AMT management: An AMT provisioning certificate; an AMT web server certificate; and optionally, a client authentication certificate for 802.1X wired or wireless networks.

The AMT provisioning certificate must be installed independently of Configuration Manager on the out of band service point computer, and then you select the installed certificate in the out of band service point properties. The AMT web server certificate and the client authentication certificate are installed during AMT provisioning and management, and you select the configured certificate templates in the out of band management component properties.

Deploying the Web Server Certificate for Site Systems that Run IIS

This certificate deployment has the following procedures:

  • Creating and Issuing the Web Server Certificate Template on the Certification Authority

  • Requesting the Web Server Certificate

  • Configuring IIS to Use the Web Server Certificate

Creating and Issuing the Web Server Certificate Template on the Certification Authority

This procedure creates a certificate template for Configuration Manager 2012 site systems and adds it to the certification authority.

To create and issue the Web server certificate template on the certification authority

  1. Create a security group, such as ConfigMgr IIS Servers, that contains the member servers on which you will install Configuration Manager 2012 site systems that run IIS.

  2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

  3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

  4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition. A template duplicated at the Windows Server 2008 level is a version 3 template whose certificates use a Cryptography Next Generation (CNG) key storage provider, and Configuration Manager 2012 does not support CNG certificates. Duplicating at the Windows Server 2003 level produces a version 2 template whose keys use a CryptoAPI cryptographic service provider (CSP), which the Configuration Manager client and site systems can use.
  5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.

  6. Click the Subject Name tab, ensure that Build from this Active Directory information is selected, and then select one of the following for the Subject name format:

    • Common name: Select this option if you will use fully qualified domain names for site systems in Configuration Manager (required for Internet-based client management, and recommended for clients on the intranet).

    • Fully distinguished name: Select this option if you will not use fully qualified domain names in Configuration Manager.

  7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

  9. Select the Enroll permission for this group, and do not clear the Read permission.

  10. Click OK, and close the Certificate Templates Console.

  11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  12. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Web Server Certificate, and then click OK.

  13. If you do not need to create and issue any more certificate templates, close Certification Authority.

Requesting the Web Server Certificate

This procedure installs the web server certificate on to the member server that runs IIS.

To request the web server certificate

  1. Restart the member server that runs IIS. The security group membership that grants Enroll on the template is evaluated when the computer authenticates to the domain, so the server cannot enroll until it has restarted and obtained a fresh logon token for its computer account.

  2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  4. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. In the Add or Remove Snap-ins dialog box, click OK.

  7. In the console, expand Certificates (Local Computer), and then click Personal.

  8. Right-click Certificates, click All Tasks, and then click Request New Certificate.

  9. On the Before You Begin page, click Next.

  10. If you see the Select Certificate Enrollment Policy page, click Next.

  11. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.

  12. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

  13. Close Certificates (Local Computer).

Configuring IIS to Use the Web Server Certificate

This procedure binds the installed certificate to the IIS Default Web Site.

To configure IIS to use the web server certificate

  1. On the member server that has IIS installed, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

  3. Click the https entry, and then click Edit. If the site does not yet have an https entry, click Add and select https in the Type list instead; the Add Site Binding dialog box offers the same certificate list as the Edit Site Binding dialog box.

  4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificate template, and then click OK.

    Note
    If you are not sure which certificate is the correct one, select one, click View, and compare its details with the certificates that the Certificates snap-in displays. The Certificates snap-in shows the certificate template that was used to request each certificate, so you can compare the thumbprint of the certificate that was requested with the ConfigMgr Web Server Certificate template against the thumbprint of the certificate currently selected in the Edit Site Binding dialog box.
  5. Click OK in the Edit Site Binding dialog box, and then click Close.

  6. Close Internet Information Services (IIS) Manager.

The member server is now provisioned with a Configuration Manager 2012 web server certificate.
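The following Windows PowerShell script is an added example and is not part of the original article. It performs from the command line the comparison that the note in the previous procedure describes (the thumbprint of the certificate enrolled from the template against the certificate that HTTP.sys has bound for the https listener), and it also confirms the properties that a Configuration Manager web server certificate needs: a private key, the Server Authentication enhanced key usage, a subject or subject alternative name that matches the server's FQDN, and a chain to a trusted root. It assumes an elevated Windows PowerShell 2.0 session on the IIS member server, that the template name is ConfigMgr Web Server Certificate as in the procedure above, and that the https binding listens on all addresses on port 443 (the IIS default). The `Get-TemplateName` helper is the example's own; it relies on the template information extension resolving to a template name, which happens on a domain-joined computer.

```powershell
# Added example (not from the original article): check the web server
# certificate enrolled from the ConfigMgr Web Server Certificate template and
# compare its thumbprint with the certificate bound to the https listener.
# Assumptions: elevated Windows PowerShell 2.0 session on the IIS member
# server; the template name matches the one you created; the https binding
# listens on all addresses on port 443 (the IIS default).

$TemplateName   = 'ConfigMgr Web Server Certificate'
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'     # id-kp-serverAuth
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information (version 2 templates)
$SanExtOid      = '2.5.29.17'             # Subject Alternative Name
$cs       = Get-WmiObject Win32_ComputerSystem
$HostFqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain

# The issuing template is recorded in the template information extension; on a
# domain-joined computer Format() renders it as "Template=<name>(<oid>), ...".
function Get-TemplateName($cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }
    if ($ext -and ($ext.Format($false) -match 'Template=([^(,]+)')) { return $Matches[1].Trim() }
    return $null
}

$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { (Get-TemplateName $_) -eq $TemplateName })
if ($candidates.Count -eq 0) { throw "No certificate from template '$TemplateName' in the Local Computer Personal store." }

foreach ($cert in $candidates) {
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus   = @(); if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanExtOid }
    $san    = ''; if ($sanExt) { $san = $sanExt.Format($false) }
    $fqdnRx = [regex]::Escape($HostFqdn)

    # Each check is (description, result). Verify() builds the chain with the
    # default policy, which includes an online revocation check.
    $checks = @(
        @('has a private key',                            $cert.HasPrivateKey),
        @('has the Server Authentication EKU',            ($ekus -contains $ServerAuthOid)),
        @("names this host ($HostFqdn) in the CN or SAN", (($cert.Subject -match $fqdnRx) -or ($san -match $fqdnRx))),
        @('chains to a trusted root and is not revoked',  $cert.Verify()),
        @('is within its validity period',                (($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))))
    )
    Write-Output ('Certificate {0} (expires {1:u})' -f $cert.Thumbprint, $cert.NotAfter)
    foreach ($c in $checks) {
        $state = 'FAIL'; if ($c[1]) { $state = 'OK' }
        Write-Output ('  [{0,-4}] {1}' -f $state, $c[0])
    }
}

# IIS presents whatever certificate HTTP.sys has registered for the binding,
# so compare that hash with the thumbprints found above.
$sslcert = netsh http show sslcert ipport=0.0.0.0:443 2>&1 | Out-String
if ($sslcert -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
    $bound = $Matches[1].ToUpper()
    if ($candidates | Where-Object { $_.Thumbprint -eq $bound }) {
        Write-Output "https binding 0.0.0.0:443 uses the certificate from '$TemplateName' ($bound)."
    } else {
        Write-Warning "https binding 0.0.0.0:443 uses $bound, which was not issued from '$TemplateName'. Rebind it in IIS Manager."
    }
} else {
    Write-Warning 'No certificate is registered for 0.0.0.0:443; add the https binding in IIS Manager.'
}
```

If the binding uses a specific IP address rather than all addresses, change the ipport value passed to netsh accordingly; `netsh http show sslcert` without arguments lists every registration.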

Deploying the Client Certificate for Computers

This certificate deployment has the following procedures:

  • Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

  • Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy

  • Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers

Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

This procedure creates a certificate template for Configuration Manager 2012 client computers and adds it to the certification authority.

To create and issue the Workstation Authentication certificate template on the certification authority

  1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.

  5. Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll.

  6. Click OK and close Certificate Templates Console.

  7. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  8. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Client Certificate, and then click OK.

  9. If you do not need to create and issue any more certificate templates, close Certification Authority.

Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy

This procedure configures Group Policy to autoenroll the client certificate on computers.

To configure autoenrollment of the workstation authentication template by using Group Policy

  1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.

  2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.

    Note
    This step uses the best practice of creating a new Group Policy Object (GPO) for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By linking this GPO at the domain level, you apply it to all computers in the domain. In a production environment, you can restrict autoenrollment to selected computers by linking the GPO at an organizational unit level, or by filtering the domain-level GPO with a security group so that it applies only to the computers in that group. If you restrict autoenrollment, remember to include the server that is configured as the management point.
  3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK.

  4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.

  5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.

  6. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

  7. From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.

  8. Close Group Policy Management.

Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers

This procedure installs the client certificate on computers and verifies the installation.

To automatically enroll the workstation authentication certificate and verify its installation on the client computer

  1. Restart the workstation computer, and wait a few minutes before logging on.

    Note
    Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment.
  2. Log on with an account that has administrative privileges.

  3. In the search box, type mmc.exe, and then press Enter.

  4. In the empty management console, click File, and then click Add/Remove Snap-in.

  5. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  6. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

  8. In the Add or Remove Snap-ins dialog box, click OK.

  9. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates.

  10. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column.

  11. Close Certificates (Local Computer).

  12. Repeat steps 1 through 11 for the member server to verify that the server that will be configured as the management point also has a client certificate.

The computer is now provisioned with a Configuration Manager 2012 client certificate.
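The following Windows PowerShell script is an added example and is not part of the original article. It checks the same things as the procedure above, but from the command line and without waiting for a restart: it reads back the auto-enrollment policy that the GPO writes to the registry, triggers machine autoenrollment with `certutil -pulse`, and then looks in the Local Computer Personal store for a certificate from the ConfigMgr Client Certificate template that has the Client Authentication enhanced key usage and a private key. It assumes an elevated Windows PowerShell 2.0 session on a domain-joined computer (the workstation or the future management point) and the template name used in the procedure. The bit values it decodes from the AEPolicy registry value are the ones the Certificate Services Client – Auto-enrollment policy setting writes; `Find-TemplateClientCert` is the example's own helper.

```powershell
# Added example (not from the original article): confirm that the
# autoenrollment policy from the GPO has applied to this computer, trigger
# autoenrollment immediately instead of waiting for a restart, and verify
# that a client authentication certificate from the ConfigMgr Client
# Certificate template is present in the Local Computer Personal store.
# Assumptions: elevated Windows PowerShell 2.0 session on a domain-joined
# computer; the template name matches the one you created.

$TemplateName   = 'ConfigMgr Client Certificate'
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'     # id-kp-clientAuth
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information (version 2 templates)

# 1. Policy check. The "Certificate Services Client - Auto-Enrollment" setting
#    is written as the AEPolicy DWORD: bit 0 = enabled, bit 1 = renew expired,
#    update pending and remove revoked certificates, bit 2 = update
#    certificates that use templates, bit 15 = disabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
function Get-AEPolicy { (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy }
$aePolicy = Get-AEPolicy
if ($aePolicy -eq $null) {
    Write-Warning 'AEPolicy is not set; the GPO has not applied yet. Refreshing computer policy.'
    gpupdate /target:computer /force | Out-Null
    $aePolicy = Get-AEPolicy
}
if (($aePolicy -eq $null) -or ($aePolicy -band 0x8000) -or -not ($aePolicy -band 0x1)) {
    throw "Autoenrollment is not enabled by policy (AEPolicy=$aePolicy). Check the GPO link and its scope."
}
Write-Output ('AEPolicy=0x{0:X}: enabled={1}, renew/remove={2}, update templates={3}' -f `
    $aePolicy, [bool]($aePolicy -band 1), [bool]($aePolicy -band 2), [bool]($aePolicy -band 4))

# 2. Run the machine autoenrollment task now (the same task that runs at boot
#    and at policy refresh), then allow the CA a moment to issue.
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

# 3. Look for a certificate from the template that has the Client
#    Authentication EKU and a private key, as the snap-in check above does.
function Find-TemplateClientCert([string]$Template) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $tpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $tpl -and ($tpl.Format($false) -match ('Template=' + [regex]::Escape($Template) + '\(')) -and
        $eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid) -and
        $cert.HasPrivateKey
    }
}

$certs = @(Find-TemplateClientCert $TemplateName)
if ($certs.Count -eq 0) {
    # The autoenrollment client logs its failures in the Application log.
    Write-Warning "No '$TemplateName' certificate was issued. Recent autoenrollment events:"
    Get-EventLog -LogName Application -Newest 200 |
        Where-Object { $_.Source -like '*AutoEnrollment*' } |
        Select-Object -First 5 TimeGenerated, EntryType, EventID, Message | Format-List
} else {
    foreach ($c in $certs) {
        Write-Output ('OK: {0} issued by {1}, thumbprint {2}, valid until {3:u}' -f $c.Subject, $c.Issuer, $c.Thumbprint, $c.NotAfter)
    }
}
```

`certutil -pulse` only triggers the autoenrollment task; it does not refresh the computer's group membership. That is why this works for the Domain Computers group used above but a restart is still required after you add a computer to a new security group, as the procedures for the web server and AMT provisioning certificates do.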

Deploying the Enrollment Certificate for Mobile Devices

This certificate deployment has a single procedure to create and issue the enrollment certificate template on the certification authority.

Creating and Issuing the Enrollment Certificate Template on the Certification Authority

This procedure creates an enrollment certificate template for Configuration Manager 2012 mobile devices and adds it to the certification authority.

To create and issue the enrollment certificate template on the certification authority

  1. Create a security group that contains users who will enroll mobile devices in Configuration Manager 2012.

  2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

  3. In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template.

  4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.
  5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the enrollment certificates for the mobile devices to be managed by Configuration Manager, such as ConfigMgr Mobile Device Enrollment Certificate.

  6. Click the Subject Name tab, make sure that Build from this Active Directory information is selected, select Common name for the Subject name format, and then, under Include this information in alternate subject name, clear User principal name (UPN).

  7. Click the Security tab, select the security group that contains users who have mobile devices to enroll, and select the additional permission of Enroll. Do not clear Read.

  8. Click OK and close Certificate Templates Console.

  9. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Mobile Device Enrollment Certificate, and then click OK.

  11. If you do not need to create and issue any more certificate templates, close the Certification Authority console.

The mobile device enrollment certificate template is now ready to be selected when you configure a mobile device enrollment profile in the client settings.

Deploying the Certificates for AMT

This certificate deployment has the following procedures:

  • Creating, Issuing, and Installing the AMT Provisioning Certificate

  • Creating and Issuing the Web Server Certificate for AMT-Based Computers

  • Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers

Creating, Issuing, and Installing the AMT Provisioning Certificate

Create the provisioning certificate with your internal CA when the AMT-based computers are configured with the certificate thumbprint of your internal root CA. When this is not the case and you must use an external certification authority, use the instructions from the company that issues the AMT provisioning certificate, which often involve requesting the certificate from the company's public Web site. You might also find detailed instructions for your chosen external CA on the Intel vPro Expert Center: Microsoft vPro Manageability Web site.

Important
External CAs might not support the Intel AMT provisioning object identifier. When this is the case, use the alternative method of supplying the OU attribute of Intel(R) Client Setup Certificate.

When you request an AMT provisioning certificate from an external CA, install the certificate into the Computer Personal certificate store on the member server that will host the out of band service point.

To create and issue the AMT provisioning certificate template

  1. Create a security group that contains the computer accounts of site system servers that will run the out of band service point.

  2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.

  3. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

  4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.
  5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning.

  6. Click the Subject Name tab, select Build from this Active Directory information, and then select Common name.

  7. Click the Extensions tab, make sure Application Policies is selected, and then click Edit.

  8. In the Edit Application Policies Extension dialog box, click Add.

  9. In the Add Application Policy dialog box, click New.

  10. In the New Application Policy dialog box, type AMT Provisioning in the Name field, and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3.

  11. Click OK, and then click OK in the Add Application Policy dialog box.

  12. Click OK in the Edit Application Policies Extension dialog box.

  13. In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning.

  14. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  15. Click Add, enter the name of a security group that contains the computer account for the out of band service point site system role, and then click OK.

  16. Select the Enroll permission for this group, and do not clear the Read permission.

  17. Click OK, and close the Certificate Templates console.

  18. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  19. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT Provisioning, and then click OK.

    Note
    If you cannot complete steps 18 or 19, check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008.
  20. Do not close Certification Authority.

The AMT provisioning certificate from your internal CA is now ready to be installed on the out of band service point computer.

To install the AMT provisioning certificate

  1. Restart the member server that will host the out of band service point (in this test network, the member server that runs IIS), so that its computer account picks up the security group membership that grants Enroll on the template.

  2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

  4. In the Certificate snap-in dialog box, select Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. In the Add or Remove Snap-ins dialog box, click OK.

  7. In the console, expand Certificates (Local Computer), and then click Personal.

  8. Right-click Certificates, click All Tasks, and then click Request New Certificate.

  9. On the Before You Begin page, click Next.

  10. If you see the Select Certificate Enrollment Policy page, click Next.

  11. On the Request Certificates page, select ConfigMgr AMT Provisioning from the list of displayed certificates, and then click Enroll.

  12. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

  13. Close Certificates (Local Computer).

The AMT provisioning certificate from your internal CA is now installed and is ready to be selected in the out of band service point properties.

Creating and Issuing the Web Server Certificate for AMT-Based Computers

Use the following procedure to prepare the web server certificates for AMT-based computers.

To create and issue the Web server certificate template

  1. Create an empty security group to contain the AMT computer accounts that Configuration Manager 2012 creates during AMT provisioning.

  2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.

  3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

  4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.
  5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT Web Server Certificate.

  6. Click the Subject Name tab, select Build from this Active Directory information, select Common name for the Subject name format, and then clear User principal name (UPN) for the alternate subject name.

  7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  8. Click Add, enter the name of the security group that you created in step 1 to contain the AMT computer accounts, and then click OK.

  9. Select the following Allow permissions for this security group: Read and Enroll.

  10. Click OK, and close the Certificate Templates console.

  11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT Web Server Certificate, and then click OK.

  13. If you do not need to create and issue any more certificates, close Certification Authority.

The AMT Web server template is now ready to provision AMT-based computers with web server certificates. Select this certificate template in the out of band management component properties.

Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers

Use the following procedure if AMT-based computers will use client certificates for 802.1X authenticated wired or wireless networks.

To create and issue the client authentication certificate template on the CA

  1. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console.

  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

    Important
    Do not select Windows 2008 Server, Enterprise Edition.
  3. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT 802.1X Client Authentication Certificate.

  4. Click the Subject Name tab, click Build from this Active Directory information and select Common name for the Subject name format. Clear DNS name for the alternative subject name, and then select User principal name (UPN).

  5. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

  6. Click Add and enter the name of the security group that you will specify in the out of band management component properties, to contain the computer accounts of the AMT-based computers. Then click OK.

  7. Select the following Allow permissions for this security group: Read and Enroll.

  8. Click OK, and close the Certificate Templates management console, certtmpl – [Certificate Templates].

  9. In the Certification Authority management console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  10. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr AMT 802.1X Client Authentication Certificate, and then click OK.

  11. If you do not need to create and issue any more certificate templates, close Certification Authority.

The client authentication certificate template is now ready to issue certificates to AMT-based computers that can be used for 802.1X client authentication. Select this certificate template in the out of band management component properties.
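The following Windows PowerShell script is an added example and is not part of the original article. Every template procedure in this document follows the same pattern (duplicate at the Windows Server 2003 level, build the subject from Active Directory, grant Enroll or Autoenroll to one security group, remove it from Domain Admins and Enterprise Admins where the procedure says so), and those settings are what decide who can obtain a certificate that a Configuration Manager site system or AMT computer will accept. The script reads each template back from the Certificate Templates container in Active Directory, where an enterprise CA stores them, and checks the schema version, that the enrollee cannot supply its own subject name, the expected enhanced key usages (including the AMT provisioning OID on the provisioning template), and which principals hold Enroll, Autoenroll or Full Control. It runs under Windows PowerShell 2.0 on a domain-joined computer as any domain user. The template names are the example names used in the procedures; the group names commented as "assumed" are placeholders for the groups you created in the first step of each procedure, and `Test-ConfigMgrTemplate` is the example's own function.

```powershell
# Added example (not from the original article): read the certificate templates
# created in this document back from Active Directory and check the settings
# that decide who can obtain a certificate from them. Assumptions: Windows
# PowerShell 2.0 on a domain-joined computer, run as any domain user (reading
# the Configuration partition needs no special rights); the template names are
# the example names used above; group names commented "assumed" stand in for
# the groups you created in the first step of each procedure.

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1                           # msPKI-Certificate-Name-Flag bit (MS-CRTD)
$ServerAuth = '1.3.6.1.5.5.7.3.1'; $ClientAuth = '1.3.6.1.5.5.7.3.2'; $AmtProvisioning = '2.16.840.1.113741.1.2.3'
$Container  = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
              ([ADSI]'LDAP://RootDSE').psbase.Properties['configurationNamingContext'].Value

function Test-ConfigMgrTemplate([string]$Name, [string[]]$Eku, [string[]]$Enroll, [string[]]$AutoEnroll = @()) {
    $path = "LDAP://CN=$Name,$Container"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { Write-Warning "$Name : not found in AD"; return }
    $t = [ADSI]$path
    $problems = @(); $alsoEnroll = @()

    # Duplicating at the Windows Server 2003 level gives a version 2 template.
    $version = [int]$t.psbase.Properties['msPKI-Template-Schema-Version'].Value
    if ($version -ne 2) { $problems += "schema version is $version, expected 2" }

    # "Build from this Active Directory information" clears the supply-in-request
    # flag, so the CA, not the requester, decides which name the certificate carries.
    $nameFlag = [int]$t.psbase.Properties['msPKI-Certificate-Name-Flag'].Value
    if ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) { $problems += 'subject name is supplied in the request, not built from AD' }

    $actualEku = @($t.psbase.Properties['pKIExtendedKeyUsage'] | ForEach-Object { "$_" })
    foreach ($oid in $Eku) { if ($actualEku -notcontains $oid) { $problems += "missing EKU $oid" } }

    # Enroll and Autoenroll are extended rights identified by GUID. An
    # ExtendedRight ACE with an empty GUID, or Full Control, grants them too.
    $canEnroll = @(); $canAuto = @()
    $genericAll = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($r in $t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who    = $r.IdentityReference.Value -replace '^[^\\]+\\', ''       # drop the DOMAIN\ prefix
        $rights = [int]$r.ActiveDirectoryRights
        $all    = ($rights -band $genericAll) -eq $genericAll
        $hasExt = ($rights -band $extRight) -ne 0
        $anyExt = $hasExt -and ($r.ObjectType -eq [guid]::Empty)
        if ($all -or $anyExt -or ($hasExt -and ($r.ObjectType -eq $EnrollRight)))     { $canEnroll += $who }
        if ($all -or $anyExt -or ($hasExt -and ($r.ObjectType -eq $AutoEnrollRight))) { $canAuto   += $who }
    }
    foreach ($g in $Enroll)     { if ($canEnroll -notcontains $g) { $problems += "'$g' cannot enroll" } }
    foreach ($g in $AutoEnroll) { if ($canAuto   -notcontains $g) { $problems += "'$g' cannot autoenroll" } }
    foreach ($g in $canEnroll)  { if ($Enroll    -notcontains $g) { $alsoEnroll += $g } }

    if ($problems.Count -eq 0) { Write-Output "OK     $Name" }
    else { Write-Output "CHECK  $Name"; $problems | ForEach-Object { Write-Output "         - $_" } }
    if ($alsoEnroll.Count -gt 0) { Write-Output ('         also holds Enroll (review): ' + ($alsoEnroll -join ', ')) }
}

Test-ConfigMgrTemplate 'ConfigMgr Web Server Certificate' @($ServerAuth) @('ConfigMgr IIS Servers')
Test-ConfigMgrTemplate 'ConfigMgr Client Certificate' @($ClientAuth) @('Domain Computers') @('Domain Computers')
Test-ConfigMgrTemplate 'ConfigMgr Mobile Device Enrollment Certificate' @($ClientAuth) @('ConfigMgr Mobile Device Users')   # group name assumed
Test-ConfigMgrTemplate 'ConfigMgr AMT Provisioning' @($ServerAuth, $AmtProvisioning) @('ConfigMgr OOB Service Points')      # group name assumed
Test-ConfigMgrTemplate 'ConfigMgr AMT Web Server Certificate' @($ServerAuth) @('ConfigMgr AMT Computers')                   # group name assumed
Test-ConfigMgrTemplate 'ConfigMgr AMT 802.1X Client Authentication Certificate' @($ClientAuth) @('ConfigMgr AMT Computers') # group name assumed
```

The "also holds Enroll (review)" line is informational: on the client and mobile device templates the procedures do not remove the Enroll permission that Domain Admins and Enterprise Admins hold by default, so those groups are expected to appear there, whereas on the web server and AMT templates, where the procedures remove it, any name on that line means a step was missed.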
