When the Configuration Manager 2007 site is operating in native mode, operating system deployment clients require root certification authority certificates for the certification authorities used with Configuration Management.

If all the computers in the Configuration Manager 2007 primary site (and any secondary sites) use certificates from the same certification authority, you need to specify a single root certification authority certificate. However, if more than one certification authority is used, you must specify a root certification authority certificate for each certification authority that is used by clients, and the following site systems:

Before you can specify the root certification authority certificates in Configuration Manager, you must first prepare the root certification authority certificates by exporting them to a file.

Follow these procedures to prepare the root certification authority certificates by exporting them to a file.

To prepare root certification authority certificates by exporting them to a file - from computers running Windows Vista

  1. On a computer that has the root certification authority certificates installed, log on as a local administrator and click Start, type MMC into the search box and press Enter. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  2. In the empty console, click File and then click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, select Certificates and click Add.

  4. On the Certificates snap-in page, select Computer Account and then click Next.

  5. In the Select Computer dialog box, ensure the option Local computer: (the computer this console is running on) is selected and then click Finish.

  6. In the Add Standalone Snap-in dialog box, click OK to close the Add or Remove Snap-ins dialog box.

  7. In the console, expand Certificates (Local Computer) and then expand Trusted Root Certification Authorities.

  8. Double-click Certificates to expand the certificate store. Locate the first trusted root certificate you need for operating system deployment clients.

  9. Right-click the certificate you require, select All Tasks, and then click Export to launch the Certificates Export Wizard.

  10. In the Certificate Export Wizard, click Next.

  11. On the Export File Format page, ensure DER encoded binary X.509 (.CER) is selected and then click Next.

  12. On the File to Export page, specify a path and file name for the exported certificate and then click Next.

  13. On the Completing the Certificate Export Wizard page, click Finish.

  14. To confirm the successful certificate export, click OK in the Certificate Export Wizard dialog box.

  15. If operating system clients are not using the same root certification authority, repeat steps 10 through 15 until you have exported each root certification authority certificate you require to individual files.

    Note
    Configuration Manager 2007 does not support importing multiple root certification authority certificates in the same file, and it supports only the DER encoded binary X.509 (.CER) format.

  16. Store the file securely where you can access it from the Configuration Manager site properties, Site Mode tab.

To prepare root certification authority certificates by exporting them to a file - from computers running Windows XP Professional or Windows Server 2003

  1. On a computer that has the root certification authority certificates installed, click Start, click Run, type MMC in the Run dialog box, and then click OK.

  2. In the empty console, click File and then click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, click Add.

  4. In the Add Standalone Snap-in dialog box, select Certificates and then click Next.

  5. In the Select Computer dialog box, ensure the option Local computer: (the computer this console is running on) is selected and then click Finish.

  6. In the Add Standalone Snap-in dialog box, click Close.

  7. In the Add/Remove Snap-in dialog box, click OK.

  8. In the console, expand Certificates (Local Computer) and then expand Trusted Root Certification Authorities.

  9. Click Certificates, and then in the details pane, locate the first trusted root certificate you need for operating system deployment clients.

  10. Right-click the certificate you require, click All Tasks, and then click Export.

  11. In the Certificate Export Wizard, click Next.

  12. On the Export File Format page, ensure DER encoded binary X.509 (.CER) is selected and then click Next.

  13. On the File to Export page, specify a path and file name for the exported certificate and then click Next.

  14. On the Completing the Certificate Export Wizard page, click Finish.

  15. To close the wizard, click OK in the Certificate Export Wizard dialog box.

  16. If operating system clients are not using the same root certification authority, repeat steps 10 through 15 until you have exported each root certification authority certificate you require to individual files.

    Note
    Configuration Manager 2007 does not support importing multiple root certification authority certificates in the same file, and it supports only the DER encoded binary X.509 (.CER) format.

  17. Store the file securely where you can access it from the Configuration Manager site properties, Site Mode tab.
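
Before specifying the exported files on the Site Mode tab, each one can be checked against the constraints in the Note above (DER encoding, one certificate per file) and confirmed to be a self-signed root. The following PowerShell is an added example, not part of the original procedure or of Configuration Manager; the function name `Test-RootCaExport` and the folder `C:\CertExport` are assumptions chosen for illustration.

```powershell
# Added example. Test-RootCaExport is a hypothetical helper name,
# not a Configuration Manager cmdlet.
function Test-RootCaExport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full     = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes    = [System.IO.File]::ReadAllBytes($full)
    $problems = @()
    $cert     = $null

    # DER output begins with an ASN.1 SEQUENCE tag (0x30). A Base-64 export
    # begins with text ("-----BEGIN CERTIFICATE-----" or "MII...") instead.
    if ($bytes.Length -lt 4 -or $bytes[0] -ne 0x30) {
        $problems += 'Not DER encoded binary X.509'
    }
    else {
        # Decode the outer DER length; header plus body must equal the file
        # size, otherwise something follows the first object.
        if ($bytes[1] -lt 0x80) { $hdr = 2; $len = [int]$bytes[1] }
        else {
            $n = $bytes[1] -band 0x7F
            $hdr = 2 + $n; $len = 0
            for ($i = 0; $i -lt $n; $i++) { $len = ($len * 256) + $bytes[2 + $i] }
        }
        if (($hdr + $len) -ne $bytes.Length) { $problems += 'Data after the first DER object' }

        try {
            # A binary PKCS #7 (.P7B) bundle also starts with 0x30, so ask
            # Windows what the content is; only a plain certificate is accepted.
            $type = [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType($bytes)
            if ($type -ne 'Cert') { $problems += "Content type is $type, not a single certificate" }
            else {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $bytes)
                # A root certification authority certificate is self-signed.
                if ($cert.Subject -ne $cert.Issuer) { $problems += 'Subject and issuer differ (not a root certificate)' }
            }
        }
        catch { $problems += "Cannot parse certificate: $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        File       = $full
        Ok         = ($problems.Count -eq 0)
        Subject    = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Problems   = $problems
    }
}

# Usage (C:\CertExport is a hypothetical export folder):
# Get-ChildItem C:\CertExport\*.cer | ForEach-Object { Test-RootCaExport -Path $_.FullName }
```

Compare the reported thumbprint with the Thumbprint field shown for the same certificate in the Trusted Root Certification Authorities store to confirm that the file is the certificate you intended to export.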
