PKI Certificate Requirements for Configuration Manager 2012

Updated: April 1, 2011

Applies To: System Center Configuration Manager 2012

The public key infrastructure (PKI) certificates that you might need for Configuration Manager 2012 are listed in the following tables. This information assumes basic knowledge of PKI certificates. For step-by-step guidance for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager 2012: Windows Server 2008 Certification Authority. For more information about Active Directory Certificate Services, see Active Directory Certificate Services in Windows Server 2008.

When you use a Microsoft PKI solution, certificate templates can ease the management of these certificates. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or on the Datacenter Edition of Windows Server 2003 or Windows Server 2008. However, do not use version 3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create certificates that are not compatible with Configuration Manager.

PKI Certificates for Servers

Each entry in this table gives, in order: the Configuration Manager component, the certificate purpose, the Microsoft certificate template to use, the specific information required in the certificate, and how the certificate is used in Configuration Manager.

Configuration Manager component: Site systems that run IIS and that are configured for HTTPS client connections:

  • Management point

  • Distribution point

  • Software update point

  • State migration point

  • Mobile device and AMT enrollment point

  • Mobile device enrollment proxy point

  • Application Catalog web service point

  • Application Catalog website point

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server

Specific information in certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).

If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's name, depending on how the site system is configured.

If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer name) must be specified using the ampersand (&) symbol delimiter between the two names.

Important: When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.

Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size–related issues for this certificate.

This certificate must reside in the Personal store in the Computer certificate store.

How the certificate is used in Configuration Manager: This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers using Secure Sockets Layer (SSL).

Configuration Manager component: Network Load Balancing (NLB) cluster for a management point or a software update point

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server

Specific information in certificate:

  1. The FQDN of the NLB cluster in the Subject Name field or Subject Alternative Name field:

    • For network load balancing servers that support Internet-based client management, this will be the Internet NLB FQDN.

    • For network load balancing servers that support intranet clients, this will be the intranet NLB FQDN.

  2. The computer name of the site system in the NLB cluster in the Subject Name field or Subject Alternative Name field. This server name must be specified after the NLB cluster name and the ampersand (&) symbol delimiter:

    • For site systems on the intranet, this will be the intranet FQDN if specified (recommended) or the computer NetBIOS name.

    • For site systems supporting Internet-based client management, this will be the Internet FQDN.

How the certificate is used in Configuration Manager: This certificate is used to authenticate the network load balancing management point or the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers by using SSL.

Configuration Manager component: Site system monitoring for the following site system roles:

  • Management point

  • State migration point

  • Mobile device and AMT enrollment point

  • Mobile device enrollment proxy point

  • Application Catalog web service point

  • Application Catalog website point

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.

Note: If you are using multiple values for the Subject Alternative Name, only the first will be used.

Maximum supported key length is 2048 bits.

How the certificate is used in Configuration Manager: This certificate is required on the following site system servers, even if the Configuration Manager 2012 client is not installed on these site systems, so that the health of these roles can be monitored and reported to the site:

  • Management point

  • State migration point

The certificate for these site systems must reside in the Personal store of the Computer certificate store.

Configuration Manager component: Out of band service point

Certificate purpose: AMT provisioning

Microsoft certificate template to use: Web Server (modified)

Specific information in certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3.

The Subject Name field must contain the FQDN of the server hosting the out of band service point.

Note: If you request an AMT provisioning certificate from an external CA rather than from your own internal CA and it does not support the AMT provisioning object identifier of 2.16.840.1.113741.1.2.3, you can alternatively specify the following text string as an OU attribute in the certificate subject name: Intel(R) Client Setup Certificate. This exact text string in English must be used, in the same case, without a trailing period, and in addition to the FQDN of the server hosting the out of band service point.

SHA-1 is the only supported hash algorithm.

Supported key lengths: 1024, 1536, and 2048 bits.

This certificate resides in the Personal store in the Computer certificate store of the out of band service point site system server.

How the certificate is used in Configuration Manager: This AMT provisioning certificate is used to prepare computers for out of band management.

You must request this certificate from a CA that supplies AMT provisioning certificates, and the BIOS extension for the AMT-based computers must be configured with the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate.

VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA.

Install the certificate on the server that hosts the out of band service point, which must be able to chain successfully to the certificate's root CA. (The root CA certificate and intermediate CA certificate for VeriSign are installed by default with Windows.)
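As an added example (not part of the original documentation), the following Windows PowerShell function checks an AMT provisioning certificate in the Personal store of the Computer store on the out of band service point against the requirements listed above (Server Authentication EKU plus the AMT provisioning OID or the OU fallback text, the server FQDN in the Subject Name, SHA-1 signature hash, and a 1024/1536/2048-bit key), builds the chain to confirm it reaches a trusted root CA, and reports that root's thumbprint for the AMT BIOS extension. The thumbprint and FQDN passed in are assumed placeholder values.

```powershell
# Added example: validate an AMT provisioning certificate and report the root CA thumbprint.
function Test-AmtProvisioningCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint of the provisioning certificate
        [Parameter(Mandatory)] [string] $ServerFqdn    # FQDN of the out of band service point
    )
    $findings = @()
    # Requirement: the certificate resides in the Personal (My) store of the Computer store
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return @("Certificate $Thumbprint not found in Cert:\LocalMachine\My") }

    # Requirement: EKU contains Server Authentication, and either the AMT provisioning OID
    # or the OU text "Intel(R) Client Setup Certificate" (exact case) is present
    $eku = @($cert.EnhancedKeyUsageList.ObjectId)
    if ($eku -notcontains '1.3.6.1.5.5.7.3.1') { $findings += 'EKU does not contain Server Authentication (1.3.6.1.5.5.7.3.1)' }
    $hasAmtOid = $eku -contains '2.16.840.1.113741.1.2.3'
    $hasOuText = $cert.Subject -cmatch 'OU=Intel\(R\) Client Setup Certificate(,|$)'
    if (-not ($hasAmtOid -or $hasOuText)) {
        $findings += 'Neither OID 2.16.840.1.113741.1.2.3 nor OU "Intel(R) Client Setup Certificate" is present'
    }

    # Requirement: Subject Name contains the FQDN of the out of band service point
    if ($cert.Subject -notmatch "(?i)CN=$([regex]::Escape($ServerFqdn))(,|$)") {
        $findings += "Subject Name does not contain CN=$ServerFqdn"
    }

    # Requirements: SHA-1 signature hash; key length 1024, 1536 or 2048 bits
    if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha1RSA') {
        $findings += "Signature hash is $($cert.SignatureAlgorithm.FriendlyName); only SHA-1 is supported"
    }
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -notin 1024, 1536, 2048) { $findings += "Key length $keySize is not 1024, 1536 or 2048 bits" }

    # The server must chain to the certificate's root CA; the root thumbprint (certificate hash)
    # is what the AMT BIOS extension must be configured with
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $findings += "Root CA thumbprint for the AMT BIOS extension: $($root.Thumbprint) ($($root.Subject))"
    } else {
        $findings += 'Certificate does not chain to a trusted root CA: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    return $findings
}

# Usage with assumed placeholder values
Test-AmtProvisioningCertificate -Thumbprint '0000000000000000000000000000000000000000' -ServerFqdn 'oobsp01.corp.example.com'
```

An empty result, apart from the root thumbprint line, means every listed requirement was met; each other line names the requirement that failed.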

Proxy Web Servers for Internet-Based Client Management

If the site supports Internet-based client management and you are using a proxy web server with SSL termination (bridging) for incoming Internet connections, the proxy web server has the certificate requirements listed in the following table.

noteNote
If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server.

Each entry in this table gives, in order: the network infrastructure component, the certificate purpose, the Microsoft certificate template to use, the specific information required in the certificate, and how the certificate is used in Configuration Manager.

Network infrastructure component: Proxy web server accepting client connections over the Internet

Certificate purpose: Server authentication and client authentication

Microsoft certificate template to use:

  1. Web Server

  2. Workstation Authentication

Specific information in certificate: Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only).

How the certificate is used in Configuration Manager: This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server using SSL:

  • Internet-based management point

  • Internet-based distribution point

  • Internet-based software update point

The client authentication is used to bridge client connections between the Configuration Manager 2012 clients and the Internet-based site systems.

PKI Certificates for Clients

Each entry in this table gives, in order: the Configuration Manager component, the certificate purpose, the Microsoft certificate template to use, the specific information required in the certificate, and how the certificate is used in Configuration Manager.

Configuration Manager component: Client computers

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.

Note: If you are using multiple values for the Subject Alternative Name, only the first will be used.

Maximum supported key length is 2048 bits.

By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.

How the certificate is used in Configuration Manager: With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.
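As an added example (not part of the original documentation), the following Windows PowerShell function checks a certificate in the Personal store of the Computer store against the requirements given above for the IIS site system web server certificate and for the client computer certificate: the required Enhanced Key Usage OID, the expected FQDN(s) in the Subject Name or Subject Alternative Name, an associated private key and, for the client certificate, the 2048-bit maximum key length and the single-SAN-value caveat. The thumbprint and FQDNs in the usage line are assumed placeholder values.

```powershell
# Added example: check a certificate in Cert:\LocalMachine\My against the Configuration Manager 2012
# requirements for the web server certificate (Server) or the client certificate (Client).
function Test-CMCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Purpose,
        # FQDNs (intranet and/or Internet) expected in the Subject CN or the SAN DNS entries
        [string[]] $ExpectedName = @()
    )
    $findings = @()
    # Requirement: certificate resides in the Personal (My) store of the Computer store
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return @("Certificate $Thumbprint not found in Cert:\LocalMachine\My") }

    # Requirement: EKU contains Server Authentication (1.3.6.1.5.5.7.3.1) or Client Authentication (1.3.6.1.5.5.7.3.2)
    $requiredEku = if ($Purpose -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
    if (@($cert.EnhancedKeyUsageList.ObjectId) -notcontains $requiredEku) {
        $findings += "Enhanced Key Usage does not contain $requiredEku"
    }

    # Names carried by the certificate: Subject CN plus SAN DNS names (DnsNameList is PowerShell's view of the SAN)
    $names = @()
    if ($cert.Subject -match '(?i)CN=([^,]+)') { $names += $Matches[1].Trim() }
    $sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $names += $sanNames
    if ($names.Count -eq 0) { $findings += 'Neither the Subject Name nor the Subject Alternative Name contains a name' }
    foreach ($n in $ExpectedName) {
        if ($names -notcontains $n) { $findings += "Expected name '$n' is not in the Subject or SAN (found: $($names -join ', '))" }
    }
    # Caveat from the client requirements: only the first SAN value is used
    if ($Purpose -eq 'Client' -and $sanNames.Count -gt 1) {
        $findings += "SAN has $($sanNames.Count) values; Configuration Manager uses only the first ($($sanNames[0]))"
    }

    if (-not $cert.HasPrivateKey) { $findings += 'No private key is associated with this certificate' }

    # Requirement: client certificates have a maximum supported key length of 2048 bits
    $keySize = $cert.PublicKey.Key.KeySize
    if ($Purpose -eq 'Client' -and $keySize -gt 2048) { $findings += "Key length $keySize bits exceeds the 2048-bit maximum" }

    if ($findings.Count -eq 0) { return @("OK: certificate $Thumbprint meets the $Purpose authentication requirements") }
    return $findings
}

# Usage with assumed placeholder values: a web server certificate that must carry both FQDNs
Test-CMCertificate -Thumbprint '0000000000000000000000000000000000000000' -Purpose Server `
    -ExpectedName 'mp01.corp.example.com', 'mp01.example.com'
```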

Configuration Manager component: Mobile device clients

Certificate purpose: Client authentication

Microsoft certificate template to use: Authenticated Session

Specific information in certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

SHA-1 is the only supported hash algorithm.

Maximum supported key length is 2048 bits.

Important: These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported.

How the certificate is used in Configuration Manager: This certificate authenticates the mobile device client to the site system servers that it communicates with, such as management points and distribution points.
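As an added example (not part of the original documentation), the following Windows PowerShell function tells a DER-encoded binary X.509 certificate file apart from a Base64 encoded one, which the mobile device client requirement above rules out, and writes a DER copy when the file is Base64 encoded. The file path is an assumed placeholder.

```powershell
# Added example: detect the encoding of an exported certificate file and produce a DER copy if needed.
function ConvertTo-DerCertificateFile {
    param([Parameter(Mandatory)] [string] $Path)   # path to an exported .cer file (assumed)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { throw "$Path is empty" }

    # A DER-encoded X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30;
    # a Base64 encoded (PEM) file starts with the text "-----BEGIN CERTIFICATE-----".
    if ($bytes[0] -eq 0x30) {
        return "$Path is DER encoded binary X.509; no conversion needed"
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -notmatch '-----BEGIN CERTIFICATE-----') {
        throw "$Path is neither DER nor Base64 encoded X.509"
    }

    # X509Certificate2 loads either encoding; Export(Cert) always returns the DER bytes
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $derPath = [System.IO.Path]::ChangeExtension($Path, '.der.cer')
    [System.IO.File]::WriteAllBytes($derPath, $der)
    return "$Path was Base64 encoded; wrote DER copy of '$($cert.Subject)' ($($der.Length) bytes) to $derPath"
}

# Usage with an assumed placeholder path
ConvertTo-DerCertificateFile -Path 'C:\certs\mobile-client.cer'
```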

Configuration Manager component: Operating system deployment

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Unique value in the Subject Name.

Maximum supported key length is 2048 bits.

How the certificate is used in Configuration Manager: The certificate is used if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information.

The client certificate must be exported in Public-Key Cryptography Standards #12 (PKCS #12) format, and the password must be known so that it can be imported into Configuration Manager boot images or supplied by the PXE service point. These certificates are used for the duration of the operating system deployment process only and are not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.

PKCS #12 files have a .PFX extension.

Configuration Manager component: Root certification authority certificates for the following scenarios:

  • Operating system deployment

  • Mobile device enrollment

  • RADIUS server authentication for AMT-based computers

Certificate purpose: Certificate chain to a trusted source

Microsoft certificate template to use: Not applicable.

Specific information in certificate: Standard root certification authority certificate.

How the certificate is used in Configuration Manager: The root certification authority certificate must be provided when clients need to chain the certificates of the communicating server to a trusted source. This applies in the following scenarios:

  • When you deploy an operating system and task sequences run that connect the client computer to a management point that is configured to use HTTPS.

  • When you enroll a mobile device to be managed by Configuration Manager 2012.

  • When you use 802.1X authentication for AMT-based computers and you want to specify a file for the RADIUS server's root certificate.

Configuration Manager component: Intel AMT-based computers

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server (modified)

The Subject Name must be configured for Build from this Active Directory information, and then select Common name for the Subject name format.

You must grant Read and Enroll permissions to the universal security group that you specify in the out of band management component properties.

Specific information in certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain the FQDN of the AMT-based computer, which is supplied automatically from Active Directory Domain Services.

SHA-1 is the only supported hash algorithm.

Maximum supported key length: 2048 bits.

How the certificate is used in Configuration Manager: This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not visible from Windows.

The out of band service point requests this certificate for each AMT-based computer it provisions. The out of band service point also revokes the certificate that it issued when AMT provisioning information is removed for AMT-based computers.

When this certificate is installed on AMT-based computers, the certificate chain to the root CA is also installed. AMT-based computers cannot support CA certificates with a key length greater than 2048 bits.

After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the out of band service point site system server and to computers running the out of band management console, and encrypts all data transferred between them using Transport Layer Security (TLS).

Configuration Manager component: Intel AMT 802.1X client certificate

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

The Subject Name must be configured for Build from this Active Directory information, and then select Common name for the Subject name format, clear DNS name, and select User principal name (UPN) for the alternative subject name.

You must grant the universal security group that you specify in the out of band management component properties Read and Enroll permissions to this certificate template.

Specific information in certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

The Subject Name field must contain the FQDN of the AMT-based computer, and the Subject Alternative Name must contain the UPN.

Maximum supported key length: 2048 bits.

How the certificate is used in Configuration Manager: This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not visible from Windows.

The out of band service point requests this certificate for each AMT-based computer it provisions and subsequently updates. The out of band service point does not revoke this certificate when AMT provisioning information is removed for AMT-based computers.

After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the RADIUS server so that they can then be authorized for network access.
