The Configuration Manager 2007 site server uses the site server signing certificate in native mode to sign the policies that clients download from the management point. To verify those signatures, clients need a copy of the certificate. Once a client has received the certificate, it is stored in the client registry and used to verify every policy the management point subsequently sends.

Note
The site server signing certificate is not stored in the Certificate store on clients; instead, it is stored in a protected area of the registry.

There are three methods to deploy the site server signing certificate to client computers:

The recommended solution is to deploy the site server signing certificate to client computers through Active Directory Domain Services, because this method does not require any additional administration and the certificate is stored in a secured location independently from Configuration Manager 2007. However, this method has the following prerequisites:

If clients cannot retrieve a copy of the site server signing certificate from Active Directory Domain Services, consider deploying it to these clients with the client setup utility, CCMSetup.exe, using the client.msi parameter SMSSIGNCERT with the path and filename of the exported certificate. The disadvantage of this method is that it requires more administrative overhead, which might need to be repeated if the site server signing certificate changes or is renewed. For more information about CCMSetup options, see About Configuration Manager Client Installation Properties. For procedural information to export the certificate, see How to Export the Site Server Signing Certificate for Configuration Manager Client Installation.

If a copy of the site server signing certificate is not already installed on Configuration Manager 2007 clients when they connect to their management point, and they cannot locate it in Active Directory Domain Services, clients automatically download it from the management point so that they can verify the signed policies.

Of the three solutions, automatically deploying the certificate through the management point is the least secure and should not be used if you have any doubts about the security of your management point. The reason is that the client then obtains its trust anchor from the same server whose policies that anchor is meant to verify: a compromised management point could hand out a different signing certificate and then serve policies signed with it, and the client would accept them. For example, a management point that resides in a perimeter network to accept connections from the Internet for Internet-based client management is considered less secure than a management point within your intranet that accepts connections only from intranet clients. However, automatically deploying a copy of the site server signing certificate through the management point might be an appropriate solution if the management point accepts connections only from intranet clients and you do not want the administrative overhead of manual deployment.
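The following PowerShell script is an added example for the manual (CCMSetup) method described above; it is not part of the Configuration Manager 2007 documentation or product. It exports the public part of the site server signing certificate from the site server's computer store, checks that the exported file is the intended certificate and carries no private key, and builds the CCMSetup command line that pre-installs it on a client with SMSSIGNCERT. The thumbprint, the share path, the management point name and the site code are placeholders you must replace; /mp: and SMSSITECODE= are standard CCMSetup and client.msi parameters.

```powershell
# Added example, not from the Configuration Manager 2007 documentation.
# Run on the site server as an administrator.
# Placeholder values (assumptions, not values from the page):
$Thumbprint      = '0123456789ABCDEF0123456789ABCDEF01234567'       # assumed thumbprint of the signing cert
$ExportPath      = '\\fileserver\ClientInstall\SiteServerSigning.cer' # assumed share readable by clients
$ManagementPoint = 'mp01.contoso.com'                                 # assumed management point FQDN
$SiteCode        = 'ABC'                                              # assumed site code

# 1. Locate the site server signing certificate in the computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate with thumbprint $Thumbprint not found in LocalMachine\My"
}

# 2. Export only the certificate (DER). X509ContentType::Cert never includes
#    the private key; the signing key must stay on the site server.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $der)

# 3. Verify the exported file before handing it to clients: same thumbprint as
#    the source certificate, and no private key material in the file.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$check.Import($ExportPath)
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file does not match the source certificate"
}
if ($check.HasPrivateKey) {
    throw "Exported file unexpectedly contains a private key; do not distribute it"
}
Write-Host ("Exported {0}, valid until {1}, thumbprint {2}" -f `
    $check.Subject, $check.NotAfter, $check.Thumbprint)

# 4. Client installation command. SMSSIGNCERT takes the path and filename of
#    the exported certificate. Rerun it after the signing certificate is renewed.
$cmd = 'CCMSetup.exe /mp:{0} SMSSITECODE={1} SMSSIGNCERT="{2}"' -f `
    $ManagementPoint, $SiteCode, $ExportPath
Write-Host "Run on each client: $cmd"
```

The verification step matters because an administrator who exports from the certificates MMC can easily produce a PFX by mistake; distributing the signing key to clients would let anyone who obtains it sign policies. Keep the exported .cer and the CCMSetup command line together, and repeat the export whenever the site server signing certificate changes or is renewed, since clients installed with the old file will reject policies signed with the new certificate.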

Choose the deployment method that best meets your business requirements. Use the following guidelines to decide how to deploy a copy of the site server signing certificate to clients.

Use Active Directory Domain Services to automatically deploy a copy of the site server signing certificate when all of the following conditions apply:

Manually deploy a copy of the site server signing certificate if any of the following conditions apply:

Automatically deploy a copy of the site server signing certificate using the management point if all of the following conditions apply:

See Also