The Configuration Manager 2007 site server's signing certificate is required to sign all client policies in native mode. The creation and deployment of this certificate is external to Configuration Manager 2007 and requires integration with a public key infrastructure (PKI) deployment. Before you can select the site server signing certificate in Configuration Manager 2007, the certificate must be in the certificate store of the site server.

You will need to select the site server signing certificate when you migrate the site to native mode, or if you need to specify a new certificate, for example, if the existing site server signing certificate is about to expire. If you are selecting a new certificate from a different certification authority than the site was configured to use previously, see the topic Renewing or Changing the Site Server Signing Certificate.

The site server signing certificate must be configured directly on each primary site database. You cannot configure the site mode for a child primary site from a parent primary site because the certificate cannot be validated correctly in this scenario.

Follow this procedure to specify the site server signing certificate.

Ensure that all the required PKI certificates are in place before specifying the site server signing certificate. If any certificates are missing or invalid, all clients might become unmanaged. For more information about the required certificates, see Certificate Requirements for Native Mode.

To configure the site server with its site server signing certificate:

  1. Open the Configuration Manager console in the primary site in which you need to configure the site server signing certificate, and navigate to System Center Configuration Manager / Site Database / Site Management.

  2. Right-click <site code> - <site code> and then click Properties.

  3. On the Site Mode tab in the site properties dialog box, select Native for the Site mode option, if it is not already selected.

  4. In the Site server signing certificate section, click Browse.

  5. In the Available Certificates dialog box, select the site server signing certificate which has the following values:

    • The site code of this site server is  <site code> in the field Issued to, where <site code> displays the site code for this site.

    • Document Signing displayed in the field Intended Purpose.

  6. Click OK to select the certificate and return to the Site Mode tab.

  7. The friendly name of the certificate now appears in the Certificate box, which indicates that validation of the certificate was successful.

  8. If you are unable to browse to the certificate store, and you have the thumbprint of the site server signing certificate, enter it into the Thumbprint text box.

    If you can browse to the site server's certificate store, it is highly recommended you browse for the certificate so that Configuration Manager 2007 can validate the certificate. Only if you are unable to browse the site server's certificate store, and have the certificate thumbprint, should you manually enter the certificate thumbprint. Reasons why you cannot browse to the certificate store include not having local administrator rights on the site server computer, or a temporary network failure. However, it is also possible that the certificate has not yet been installed, but you want to specify it here in advance.
  9. Click OK, which invokes validation of the certificate. If you have not selected a certificate or entered a certificate thumbprint, you will not be able to save your changes. If you have entered a thumbprint which cannot be mapped to a friendly name, you will see a warning message that the thumbprint could not be validated and ask if you want to proceed.

    For more information about the options in this dialog box, see Site Properties: Site Mode Tab.

See Also