When the Configuration Manager 2007 site is operating in native mode, operating system deployments that require communication with the management point must be configured to use a public key infrastructure (PKI) certificate. For more information about the certificate requirements for operating system deployment, see About Native Mode Certificates and Operating System Deployment.

To configure the operating system deployments with the required certificate, import a Public Key Certificate Standard (PKCS #12) file. The creation of this file is external to Configuration Manager 2007; however, you can use the following procedures to create this file.

Before following these procedures, the certificate must already be deployed to a computer. The certificate requirements are as follows:

For more information about how to deploy computer certificates for Configuration Manager native mode communication, see Deploying the Client Computer Certificates to Clients and the Management Point.

Important
The computer certificate required for operating system deployments is not the same computer certificate that will be required for Configuration Manager 2007 clients in a native mode site.

Considerations for creating and deploying the certificate for operating system deployments:

When the certificate is deployed to a computer, you can then use the following procedures to export the certificate so that you can use it with operating system deployments. If you are using a PXE service point, import the exported certificate as part of the database configuration properties. If you are creating boot media, import the exported certificate on the Security page of the Task Sequence Media wizard.

To export a certificate for use with operating system deployment - from a computer running Windows 7 or Windows Vista

  1. On the Windows 7 or Windows Vista computer that has the certificate installed, log in as a local administrator, click Start, type mmc into the Search box, and then press ENTER.

  2. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, select Certificates, and then click Add.

  4. On the Certificates snap-in page, select Computer account, and then click Next.

  5. On the Select Computer dialog box, ensure the option Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. To close the Add Standalone Snap-in dialog box, click OK.

  7. In the console, double-click Certificates (Local Computer).

  8. In the console, expand Personal.

  9. Locate the certificate to use with operating system deployments.

  10. Right-click the certificate you require, click All Tasks, and then click Export to start the Certificate Export Wizard.

  11. On the Certificate Export Wizard Welcome page, click Next.

  12. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note
    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format.

  13. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected.

    Note
    Optionally, select Delete the private key if the export is successful, which ensures that the certificate cannot be used on the computer after you have exported it. This will help to ensure that the certificate is used only for operating system deployments. Alternatively, you can manually delete the certificate on the computer after the export procedure is complete.

  14. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  15. On the File to Export page, specify the name of the file that you want to export, and then click Next.

  16. To close the wizard, click Finish in the Certificate Export Wizard dialog box.

  17. Store the file securely and ensure that you can access it from the Configuration Manager console.

To export a certificate for use with operating system deployment - from a computer running Windows XP Professional or Windows Server 2003

  1. On the Windows XP Professional or Windows Server 2003 computer that has the certificate installed, click Start, click Run, type MMC in the Run dialog box, and then click OK.

  2. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, click Add.

  4. Select Certificates from Available snap-ins, and then click Add.

  5. In the Certificates snap-in dialog box, click Computer account, and then click Next.

  6. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

  7. In the Add or Remove Snap-ins dialog box, click OK.

  8. In the console, expand Certificates (Local Computer).

  9. Expand Personal, and then click Certificates.

  10. In the results pane, locate the certificate that you need for operating system deployments.

  11. Right-click the certificate that you require, click All Tasks, and then click Export.

  12. In the Certificate Export Wizard, click Next.

  13. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note
    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format.

  14. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected.

    Note
    Optionally, select Delete the private key if the export is successful, which ensures that the certificate cannot be used on the computer after you have exported it. This will help to ensure that the certificate is used only for operating system deployments. Alternatively, you can manually delete the certificate on the computer after the export procedure is complete.

  15. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  16. On the File to Export page, specify the name of the file you want to export and click Next.

  17. In the Certificate Export Wizard dialog box, click OK to close the wizard.

  18. Store the file securely and ensure that you can access it from the Configuration Manager console.
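
A way to check the file produced by either export procedure before importing it for a PXE service point or boot media, as an added PowerShell example that is not part of the original documentation: it opens the .pfx with the export password, confirms that the private key is present and the certificate is within its validity period, and lists the enhanced key usages and the file's permissions for comparison with the certificate requirements. The file path is a placeholder.

```powershell
# Added example (not from the original documentation).
param([string]$PfxPath = 'C:\Secure\osd-cert.pfx')   # placeholder path (assumption)

$full = (Resolve-Path -Path $PfxPath -ErrorAction Stop).Path

# Prompt for the export password so it never appears in a script or on a command line.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet

try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $full, $password, $flags
}
catch {
    throw "Cannot open $full (wrong password or not a PKCS #12 file): $($_.Exception.Message)"
}

try {
    $now = Get-Date

    # Collect the enhanced key usage OIDs so they can be compared with the requirements.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { '{0} ({1})' -f $_.FriendlyName, $_.Value })

    'Subject       : ' + $cert.Subject
    'Thumbprint    : ' + $cert.Thumbprint
    'Valid         : {0:yyyy-MM-dd} to {1:yyyy-MM-dd}' -f $cert.NotBefore, $cert.NotAfter
    'HasPrivateKey : ' + $cert.HasPrivateKey
    'EKUs          : ' + ($ekus -join '; ')

    # Accounts that can read the file; apart from these permissions,
    # only the export password protects the private key.
    (Get-Acl -Path $full).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize | Out-String

    if (-not $cert.HasPrivateKey) {
        throw 'No private key in the file; re-export and select "Yes, export the private key".'
    }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw 'Certificate is outside its validity period.'
    }
    'OK: private key present and certificate currently valid.'
}
finally {
    $cert.Reset()   # release the certificate and the key material loaded for this check
}
```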
