Confirm your PKI can support the various certificates required by Configuration Manager 2007.

Certificate Requirements for Native Mode

Ensure the following computers in the Configuration Manager 2007 site have a trusted root certification authority in common and intermediate certification authorities as needed:

• The site server.
  
  
• Management points (the default management point, proxy management point, Internet-based management point, network load balanced management points).
  
  
• Distribution points.
  
  
• Software update points.
  
  
• State migration points.
  
  
• All client computers and mobile client devices.
  
  

Note

Distribution points that are not configured with the option Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS, as well as branch distribution points, do not use Internet Information Services (IIS) and therefore do not require certificates. These site systems use server message blocks (SMB) as their data transfer method and cannot be secured by using native mode communication.

Deploying a Trusted Root Certification Authority to Configuration Manager Computers

Deploying the Intermediate Certification Authority Certificates to Configuration Manager Computers

If you will use a Certificate Revocation List (CRL), publish it where all computers can locate it.

Certificate revocation checking is enabled by default for Configuration Manager clients, but it can be disabled. For more information, see Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode).

Certificate revocation checking is enabled by default with IIS and cannot be disabled with Configuration Manager. Ensure that native mode site systems can connect to a CRL distribution point that is listed in their site system certificate.

Note
For more information about CRL distribution points (CDPs), see the following Windows PKI information about configuring CDP and AIA extensions: http://go.microsoft.com/fwlink/?LinkId=103608.

Deploy the site server signing certificate to the site server, and determine how clients will retrieve it.

Deploying the Site Server Signing Certificate to the Site Server

Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode)

Deploy the Web server certificates to the following site systems, and then configure IIS with the certificate:

• Management points (the default management point, proxy management point, Internet-based management point, network load balanced management points).
  
  
• Distribution points.
  
  
• Software update points.
  
  
• State migration points.
  
  

Deploying the Web Server Certificates to Site System Servers

Optional but recommended: On the site systems with the deployed Web server certificates, create or modify a certificate trust list (CTL) in IIS to contain the root certification authorities used by clients.

Determine If You Need to Configure a Certificate Trust List (CTL) with IIS (Native Mode)

Deploy client certificates to clients and management points.

Deploying the Client Computer Certificates to Clients and the Management Point

If you have mobile client devices, deploy the client device certificates.

Deploying Certificates to Mobile Device Clients

If you are using the operating system deployment feature, perform the following tasks:

1. Export root certification authority certificates that operating system clients will use during the deployment process so that these can be imported into the Configuration Management console as a site setting.
   
   
2. Prepare and export one or more client certificates into a PKCS #12 file so that these can be included in the operating system deployment.
   
   

How to Prepare the Root Certification Authority Certificates for Operating System Deployment Clients

How to Specify the Root Certification Authority Certificates for Operating System Deployment Clients

How to Export Certificates For Use With Operating System Deployment