The public key infrastructure (PKI) certificates required for a Configuration Manager 2007 site to run in native mode are listed in the following tables. This information assumes basic knowledge of PKI certificates. For more information about PKI references and deployment topics, see Deploying the PKI Certificates Required for Native Mode.

When you are using a Microsoft PKI solution, the use of certificate templates can ease the management of these certificates. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or on the Datacenter Edition of Windows Server 2003 or Windows Server 2008. However, do not use version 3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create certificates that are not compatible with Configuration Manager. To see how certificate templates can be used for deploying the certificates required by Configuration Manager in native mode, see the following:

Important
The certificates must be in place before the site can operate in native mode. Configuration Manager will attempt to validate the site server signing certificate when native mode is selected during setup or when the site is migrated to native mode after setup. However, Configuration Manager is unable to validate the other certificates that are required for native mode operation. You can manually run the Configuration Manager Native Mode Readiness Tool to verify whether client computers are ready for native mode. For more information about this tool, see How to Determine Whether Client Computers Are Ready for Native Mode.

Certificates Required for Native Mode

Each entry below lists the Configuration Manager component, the certificate use, the Microsoft certificate template to use, the specific information required in the certificate, and how the certificate is used in Configuration Manager.

Component: Primary site server

Certificate use: Document signing

Microsoft certificate template to use: There is no default template for document signing. You can use any version 2 (v2) template, removing the intended usages if these are not required and adding the document-signing capability.

Specific information in certificate:

Enhanced Key Usage value must contain Document Signing (1.3.6.1.4.1.311.10.3.12).

The Subject Name field must contain the following string: The site code of this site server is <XXX>. Replace <XXX> with the site code of the site server.

Note
This exact text string in English must be used, in the same case, without a trailing period, and the site code must be specified at the end of the string in the same case as it appears in the Configuration Manager console.

SHA-1 is the only supported hash algorithm.

Maximum supported key length is 8096 bits.

This certificate must reside in the Personal store in the Computer certificate store.

How the certificate is used in Configuration Manager:

The site server signing certificate signs the policies that clients download from their management point so that clients know the policies originate from their assigned site.

This certificate is not required on secondary site servers.

Clients must have a copy of this certificate before they can accept policies signed with it. For more information, see Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode).

Component: Site system roles

Certificate use: Server authentication

Note
Management points and state migration points also require a certificate with client authentication capability, as detailed in the following entry.

Microsoft certificate template to use: Web server

Specific information in certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).

If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's NetBIOS name, depending on how the site system is configured.

If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer NetBIOS name) must be specified using the ampersand (&) symbol delimiter between the two names.

Important
When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.

SHA-1 is the only supported hash algorithm.

Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size-related issues for this certificate.

This certificate must reside in the Personal store in the Computer certificate store.

How the certificate is used in Configuration Manager:

This Web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers using Secure Sockets Layer (SSL).

Component: Client computers

Certificate use: Client authentication

Microsoft certificate template to use: Computer or Workstation

Specific information in certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only).

Note
If you are using multiple values for the Subject Alternative Name, only the first will be used.

SHA-1 is the only supported hash algorithm.

Maximum supported key length is 2048 bits.

By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store. To change this default, see How to Specify the Client Certificate Store.

How the certificate is used in Configuration Manager:

This certificate authenticates the client to the following servers:

  • Management point

  • Proxy management point

  • Distribution point

  • State migration point

This certificate is also required on management points and state migration points, even if the Configuration Manager 2007 client is not installed on these site systems, so that the health of these roles can be monitored and reported to the site server. This certificate for these site systems must reside in the Personal store of the Computer certificate store.

Component: Mobile device clients

Certificate use: Client authentication

Microsoft certificate template to use: Authenticated session

Specific information in certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

SHA-1 is the only supported hash algorithm.

Maximum supported key length is 2048 bits.

Important
These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported.

This certificate must reside in the Personal store.

How the certificate is used in Configuration Manager:

This certificate authenticates the mobile device client to the following servers:

  • Mobile device management point

  • Mobile device proxy management point

  • Distribution point
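As an added example that is not part of this documentation, the following Python script (using the `cryptography` library) checks a certificate against the site server signing and client authentication requirements listed above: the Enhanced Key Usage OID, the SHA-1 signature hash, the maximum key length, and the exact Subject string carrying the site code. The site code ABC and the two self-signed sample certificates are constructed placeholders, not certificates from any real site.

```python
import datetime
import re
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

DOCUMENT_SIGNING = x509.ObjectIdentifier("1.3.6.1.4.1.311.10.3.12")  # EKU OID quoted on the page
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH  # 1.3.6.1.5.5.7.3.2
SITE_SERVER_MAX_BITS, CLIENT_MAX_BITS = 8096, 2048  # key-length limits stated on the page
# Exact English string, same case, no trailing period, site code at the end.
SITE_CODE_RE = re.compile(r"^The site code of this site server is (?P<code>\S+)$")

def check_native_mode_cert(cert, required_eku, max_key_bits, site_code=None):
    """Return the list of violated requirements; an empty list means compliant."""
    problems = []
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        if required_eku not in eku:
            problems.append(f"EKU missing {required_eku.dotted_string}")
    except x509.ExtensionNotFound:
        problems.append("no Enhanced Key Usage extension")
    if not isinstance(cert.signature_hash_algorithm, hashes.SHA1):
        problems.append(f"signed with {cert.signature_hash_algorithm.name}; SHA-1 required")
    if cert.public_key().key_size > max_key_bits:
        problems.append(f"key is {cert.public_key().key_size} bits; maximum is {max_key_bits}")
    if site_code is not None:  # site server signing certificate: check the Subject string
        cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        m = SITE_CODE_RE.match(cns[0].value) if cns else None
        if m is None or m.group("code") != site_code:
            problems.append(f"Subject CN is not 'The site code of this site server is {site_code}'")
    return problems

def make_sample_cert(common_name, eku_oid, hash_alg, key):
    """Constructed self-signed sample certificate (not from any real site or CA)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.ExtendedKeyUsage([eku_oid]), critical=False)
            .sign(key, hash_alg))

KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
GOOD = make_sample_cert("The site code of this site server is ABC", DOCUMENT_SIGNING, hashes.SHA1(), KEY)
BAD = make_sample_cert("The site code of this site server is abc.", DOCUMENT_SIGNING, hashes.SHA256(), KEY)

if __name__ == "__main__":
    for cert in (GOOD, BAD):
        print(check_native_mode_cert(cert, DOCUMENT_SIGNING, SITE_SERVER_MAX_BITS, "ABC") or "compliant")
```

Passing `CLIENT_AUTH` and `CLIENT_MAX_BITS` without a site code applies the client computer requirements instead.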

Components Requiring Additional Certificates for Native Mode

You will need additional certificates if the native mode site supports the following optional components:

  • Network load balancing management points or network load balancing software update points.

  • Proxy servers for Internet-based client management.

  • The operating system deployment feature.

  • Mobile devices

The following sections provide information about the certificates that are required for each of these additional components.

Network Load Balancing Management Points or Network Load Balancing Software Update Points

If the site supports a network load balancing management point or a network load balancing software update point, there are additional certificate requirements, as listed in the following table.

The entry below lists the Configuration Manager component, the certificate use, the Microsoft certificate template to use, the specific information required in the certificate, and how the certificate is used in Configuration Manager.

Component: Network Load Balancing (NLB) cluster for a management point or a software update point

Certificate use: Server authentication

Microsoft certificate template to use: Web server

Specific information in certificate:

  1. The FQDN of the NLB cluster in the Subject Name field or Subject Alternative Name field:

    • For network load balancing servers that support Internet-based client management, this will be the Internet NLB FQDN.

    • For network load balancing servers that support intranet clients, this will be the intranet NLB FQDN.

  2. The computer name of the site system in the NLB cluster in the Subject Name field or Subject Alternative Name field. This server name must be specified after the NLB cluster name and the ampersand (&) symbol delimiter:

    • For site systems on the intranet, this will be the intranet FQDN if specified (recommended) or the computer NetBIOS name.

    • For site systems supporting Internet-based client management, this will be the Internet FQDN.

How the certificate is used in Configuration Manager: This certificate is used to authenticate the network load balancing management point or the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers using SSL.

Proxy Web Servers for Internet-Based Client Management

If the site supports Internet-based client management and you are using a proxy Web server with SSL termination (bridging) for incoming Internet connections, the proxy Web server has the certificate requirements listed in the following table.

Note
If you are using a proxy Web server without SSL termination (tunneling), no additional certificates are required on the proxy Web server.

For more information about using proxy Web servers for Internet-based client management, see Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management.

The entry below lists the network infrastructure component, the certificate use, the Microsoft certificate template to use, the specific information required in the certificate, and how the certificate is used in Configuration Manager.

Network infrastructure component: Proxy Web server accepting client connections over the Internet

Certificate use: Server authentication and client authentication

Microsoft certificate template to use:

  1. Web server

  2. Computer or Workstation

Specific information in certificate: Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only).

How the certificate is used in Configuration Manager:

This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server using SSL:

  • Internet-based management point

  • Internet-based distribution point

  • Internet-based software update point

The client authentication is used to bridge client connections between the Configuration Manager 2007 clients and the Internet-based site systems.

Operating System Deployment Feature

If the site supports the operating system deployment feature, the certificates listed in the following table are required in addition to the server certificate and the client certificate required for the state migration point.

For more information about the certificates related to operating system deployment in a native mode site, see How to Manage Native Mode Certificates and Operating System Deployment.

Each entry below lists the Configuration Manager component, the certificate use, the Microsoft certificate template to use, the specific information required in the certificate, and how the certificate is used in Configuration Manager.

Component: Operating system client deployment, if client certificates are required to complete the deployment.

Certificate use: Client authentication

Microsoft certificate template to use: Computer or Workstation

Specific information in certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Unique value in the Subject Name.

SHA-1 is the only supported hash algorithm.

Maximum supported key length is 2048 bits.

How the certificate is used in Configuration Manager:

The certificate is used if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information.

The client certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into Configuration Manager boot images or supplied by the PXE service point. These certificates are used for the duration of the operating system deployment process only and are not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.

PKCS #12 files have a .PFX extension.

For more information:

Component: Root certification authority certificates for operating system deployment clients.

Certificate use: Root authority for the site server's certificate and management point's server certificate.

Microsoft certificate template to use: Not applicable.

Specific information in certificate: Standard root certification authority certificate.

How the certificate is used in Configuration Manager:

The root certification authority certificate must be provided so that the client can communicate with the management point to complete the operating system deployment. Each primary site in native mode that uses the operating system deployment feature must be configured with root CA certificates. However, secondary sites will automatically use the root certification authority certificates specified on their primary site.

For more information:

Mobile Devices

For additional information about the certificates required for mobile devices, see About Native Mode Certificates for Mobile Device Clients.

Certificate Deployment Information

Refer to the following section for guidance on how to install the PKI certificates required for Configuration Manager 2007 native mode:

Use the following administrator workflow and checklist to guide you through the PKI deployment steps for the PKI certificates required for Configuration Manager 2007 native mode:

When the PKI certificates are deployed and you are ready to migrate a Configuration Manager 2007 mixed mode site to native mode, use the following administrator workflow and checklist:

See Also