The Configuration Manager 2007 site server uses the site server signing certificate in native mode to sign policies that are downloaded by clients from the management point. To verify the signature, clients require a copy of this certificate. After clients receive the certificate, it is stored in the client registry and used whenever new policies are sent from the management point.
Note: The site server signing certificate is not stored in the Certificate store on clients; instead, it is stored in a protected area of the registry.
There are three methods to deploy the site server signing certificate to client computers:
- Automatically through Active Directory Domain Services.
- Manually when the client is installed.
- Automatically from the management point.
The recommended solution is to deploy the site server signing certificate to client computers through Active Directory Domain Services, because this method does not require any additional administration and the certificate is stored in a secured location independently from Configuration Manager 2007. However, this method has the following prerequisites:
- The Active Directory schema is extended for Configuration Manager 2007.
- The site is published to Active Directory Domain Services.
- Clients can locate the published site information in Active Directory Domain Services.
Note: Clients that cannot read published information include computers from another Active Directory forest, clients from workgroup computers, and clients that are managed from the Internet.
If clients cannot retrieve a copy of the site server signing certificate from Active Directory Domain Services, consider deploying it to these clients with the client setup utility, CCMSetup.exe, using the client.msi parameter SMSSIGNCERT with the path and filename of the exported certificate. The disadvantage of this method is that it requires more administrative overhead, which might need to be repeated if the site server signing certificate changes or is renewed. For more information about CCMSetup options, see About Configuration Manager Client Installation Properties. For procedural information to export the certificate, see How to Export the Site Server Signing Certificate for Configuration Manager Client Installation.
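As an added example (not from the original documentation), the following PowerShell script checks an exported site server signing certificate against a thumbprint you recorded on the site server before handing it to CCMSetup.exe through the SMSSIGNCERT property; the certificate path, thumbprint and CCMSetup location are placeholders you must replace.

```powershell
# Added example, not part of the original documentation.
# Verifies the exported site server signing certificate file, then installs the
# client with SMSSIGNCERT so it does not fall back to fetching the certificate
# from the management point. All three defaults below are placeholders.
param(
    [string]$CertPath = 'C:\ClientInstall\SiteServerSigning.cer',            # exported .cer (placeholder)
    [string]$ExpectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_SITE_SERVER', # placeholder
    [string]$CcmSetupPath = '\\<server>\SMS_<sitecode>\Client\ccmsetup.exe'   # placeholder UNC path
)

function Test-SiteSigningCert {
    param([string]$Path, [string]$Thumbprint)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Certificate file not found: $Path"
    }
    # Load the DER/Base64 .cer file as an X509Certificate2 object.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # -ne is case-insensitive in PowerShell; strip spaces so copied thumbprints compare cleanly.
    # A mismatch means the file is not the certificate that was exported from the site server.
    $wanted = $Thumbprint.Replace(' ', '')
    if ($cert.Thumbprint -ne $wanted) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $wanted"
    }
    # A renewed site server signing certificate means the exported copy must be refreshed.
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter); export the renewed certificate first"
    }
    return $cert
}

$cert = Test-SiteSigningCert -Path $CertPath -Thumbprint $ExpectedThumbprint
Write-Host "Verified site server signing certificate: $($cert.Subject), expires $($cert.NotAfter)"

# client.msi properties are passed to CCMSetup.exe as NAME=value arguments.
$setupArgs = @("SMSSIGNCERT=$CertPath")
Write-Host "Running: $CcmSetupPath $($setupArgs -join ' ')"
Start-Process -FilePath $CcmSetupPath -ArgumentList $setupArgs -Wait -NoNewWindow
```

Run it from an elevated prompt on the client; the thumbprint check fails closed, so a wrong or stale .cer file stops the installation before SMSSIGNCERT is ever used.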
If a copy of the site server signing certificate is not already installed on Configuration Manager 2007 clients when they connect to their management point and they cannot locate it from Active Directory Domain Services, the management point will automatically download it so that clients can verify the signed policies.
Of the three solutions, automatically deploying it with the management point is the least secure solution and should not be used if you have any doubts about the security of your management point. For example, a management point that resides in a perimeter network to accept connections from the Internet for Internet-based client management is considered less secure than a management point within your intranet that accepts only connections from intranet clients. However, automatically deploying a copy of the site server signing certificate through the management point might be an appropriate solution if the management point accepts only connections from intranet clients and you do not want the administrative overhead of manual deployment.
Choose the deployment method that best meets your business requirements. To help you determine how to deploy to clients a copy of the site server signing certificate, use the following guidelines.
Use Active Directory Domain Services to automatically deploy a copy of the site server signing certificate when all of the following conditions apply:
- Active Directory Domain Services is extended with Configuration Manager 2007 schema extensions, and the site is published to Active Directory Domain Services.
- Clients can read the published site information, which excludes clients from untrusted domains, clients from workgroups, and clients on the Internet.
Manually deploy a copy of the site server signing certificate if any of the following conditions apply:
- You cannot use Active Directory Domain Services to deploy a copy of the site server signing certificate.
- Clients connect to a management point that is configured for Internet-based client management.
- The security risk of automatically installing a copy of the site server signing certificate from the management point outweighs the additional administrative overhead of manual deployment.
Automatically deploy a copy of the site server signing certificate using the management point if all of the following conditions apply:
- You cannot use Active Directory Domain Services to deploy a copy of the site server signing certificate.
- The management point is secured within your intranet and is not configured for Internet-based client management.
- The administrative overhead of manual deployment outweighs the security risk of automatically installing a copy of the site server signing certificate from the management point.