Join David M. Franklyn for an in-depth discussion in this video Creating an enrollment certificate, part of Microsoft System Center Configuration Manager Essential Training.
- [Instructor] Now that we've made our certificate revocation list and published it, we need to create our Configuration Manager enrollment certificates. So, we're going to go back to the Certificate Authority. So, Server Manager, Tools, click Certificate Authority and load that up again. Let's maximize the screen and let's go ahead and expand our Certificate Authority and now go down to this folder in the console tree called Certificate Templates. We want to right-click that and go to Manage, which will bring up the Certificate Templates window or console, so we can expand that.
So, this just shows all the Certificate Templates that are available to use for a wide variety of purposes. What we're going to do is we're going to take one of those and we're going to duplicate it so we can create our own very specific certificates. We're actually going to take several and duplicate them just for the purpose of integrating into Configuration Manager and being able to use these certificates on the websites, the site server roles and also for the clients. So we'll start out by going to the Authenticated Session certificate.
We're going to right-click that and say "Duplicate Template". So, in the certificate itself, when we go to the General page and we go to the name of it, it calls itself a copy of whatever we made. So, this one we want to call "ConfigMgrDevice". So, we're making the device certificate; "ConfigMgrDevice" is now the name of this certificate, and it's pretty intuitive, so it lets us know what it's going to be for, and now we want to make sure we publish the certificate in Active Directory.
So, check that box. Now that we've published the certificate in the active directory, we can say, "OK" and now we're going to copy another certificate and this will be the web server certificate template. So, we're going to right click that and say "Duplicate Template" and again go to the "General" page and we're going to name this, again a very intuitive name, "ConfigMgrWebServer" and I use camel case just to make it a little easier to read. We're also going to publish this certificate in the active directory and then say "OK".
Now, we're going to go back to our device certificate, or our ConfigMgrDevice certificate, double-click it to open it up, and now we need to go to the Security tab of it and we just want to make sure it's added for the users that are going to be using it. So, we want to go to the authenticated users, who right now have read access to it, but we want them to be able to enroll. So, we check "Enroll," the "Enroll" permission in the "Allow" column, and in the "Cryptography" tab, this is where we can set up the different keys, the key lengths used for various types of encryption, and the encryption method that we can use.
We want to lower this from the 2048 minimum key size to 1024. Now, of course, that's half, but in doing so, this will allow clients that may be not as sophisticated as the latest newest thing that just got out to participate with the configuration requirements that we're providing. It is not a great compromise of security, just a little compromise in security. As time goes on and certificate-breaking tools become more sophisticated, you may need to take a look at this, but for the present time, at least with the devices we have, the majority of devices people will have, this is a good compromise.
In this case we're setting it to 1024 and that's it for the configuration of this. We're going to say "OK" and now we're going to go to the properties of the ConfigMgrWebServer certificate template we just made, and in this case we want to go to the "Subject Name" tab, and for the Subject Name we're going to say "Build from this Active Directory information", and in the subject name format we want to use a common name. Sometimes referred to as "CN=" in Active Directory, the common name, and we're going to use the user principal name, the UPN.
So, something like this for a server would be the server name, at, and then the top-level domain name. On the "Security" tab, we need to add, and in this case we're going to add a computer account, so we need to select Users, Computers, Service Accounts, or Groups, the object type. Check Computer objects, say "OK", and the name of the computer in our case is going to be one of our site servers, in this case specifically the northam site server. Check Names and it's NORTHAM-CFG2.
Now that that's proper, we can say "OK" and again, we want it to be able to enroll, so we check "Enroll" under the "Allow" column and now say "OK." We have one more we're going to make, and that is based off of the Workstation Authentication template, which, again, is a default template. We're going to right-click that and say "Duplicate Template" and this is for the distribution point. It's going to be called "ConfigMgrClient" and it's for the client connecting to the distribution point, DP.
Now, before we close that out, we need to go to the "Request Handling" tab and in "Request Handling" tab, we're going to tell it how to use this. We're going to allow the private key to be exported, so that those particular devices that we're adding this to, we can go to the domain controller and pull the certificate over or push it over to the distribution point and then add the public key there, so that the distribution point can talk directly to the clients and use its private key to decrypt any packets coming across from those clients out on the internet.
In the "Security" tab, we're going to add the computer account again, so it's a computer object; we go to "Object Types" and we select the Computer objects, say "OK", and in "Enter the object name to select", "northam," Check Names. There it is, say "OK" and we're going to check "Enroll" in the "Allow" column and that's it and say "OK." Now that we have finished creating those three certificate templates, we can close the "Certificate Templates" console.
So, let's go ahead and do that. As you see, it just takes us back to the Certificate Authority, or the Certificate Services, and these templates have now actually been designated to be used within our infrastructure. We're just going to now add the three templates we just created. So, we can right-click "Certificate Templates," say "New" and "Certificate Template to Issue", and in this case we want to grab our certificates, all three of them, so we can hold the Control key down.
ConfigMgrDP, select it, hold the control key down then and select ConfigMgrDevice and ConfigMgrWebServer. With just those three selected, I'll make sure they are the only three, we can say "OK" and now they're there and available to be used by our system. Now that that's done and we're finished with Certificate Services on the main controller, let's go over to our NORTHAM-CFG2 computer and set up the certificate for it to use.
So, here we are on NORTHAM-CFG2 and what we want to do now is go to the Start screen, go to Search, and we're going to type in "mmc." This just brings up an empty Microsoft Management Console, and the reason to do it is we want to bring up the certificate store for the computer account, and this is the way we can get to it. So, in the empty console, we go to the File drop-down menu and say "Add/Remove Snap-in..." and the different things that we can control, the consoles we're used to, are found here, and specifically we're looking for the Certificates console.
Now, with the one we've highlighted here from the available snap-ins, we click the "Add" button, and it's going to ask us what scope the certificate is going to be used in. So, in this case it's a computer account that we want to use the certificate in. So, we're going to select that and click "Next" and it will be the local computer, that is NORTHAM-CFG2, and click "Finish." Now that we have certificates for the local computer in the snap-in, we click "OK" and then expand the certificates, and it's just like any other console.
It has all the stuff it has to have in it, and in this case now, we need to expand Personal, and you see we have a certificate already, but we want to add a new certificate. Right-click it and say "All Tasks" and "Request New Certificate." This brings up the Certificate Enrollment wizard; on the first page, "Before You Begin," click "Next", and now we want to make sure it's the "Active Directory Enrollment Policy" we are using, and that's the one where we checked "Enroll" for these different certificates, and click "Next" and now we see the certificates that are available to us.
So, the first one, the one that we want to get now is the "ConfigMgrWebServer" certificate, so we're going to select it and say "Enroll" and then "Finish" and go back and do it again for the DP, which is the Distribution Point. So, Certificates, right click "All Tasks," "Request New Certificate" and the "Certificate Enrollment" wizard, "Next" and in the "Certificate Enrollment Policy", "Next" and the "ConfigMgrDP" certificate, check it and say "Enroll," "Finish" and you see we have the two certificates, one for Server and the other for Client.
If we look at the certificate templates they're made from, that is correct. Now, a couple of other things: we need to export the certificate so the clients can use it, and that would be the Client Authentication certificate. So, it's this one right here, the "ConfigMgrClientDP", so this is going to allow a client to connect to that distribution point in a secure way over the internet. So, we need to export the key at this point. So, we're going to right-click that certificate, "All Tasks" and say "Export" and this brings up the "Certificate Export Wizard." So, on the front page, click "Next" and we're going to export the private key, so select that and click "Next" and we're going to do it as a PFX file and include all certificates in the certification path.
That's a default, so say "Next" and on "Security" we're going to use a password. So, in this case, I'll just use capital Pa55w.rd, confirm that and then say "Next" and we need to save this to a particular location. So, we're going to save this to the root of the D drive, so let's select the D drive and then we're going to name this certificate "DPCert" and note that it's being saved as a PFX file and say "Save" and then "Next" and then "Finish" and it now has exported that particular private key to a file that we can then put on the client and have them load.
Okay, that's all we need to do here at this time. So, we're going to go ahead and minimize, for the time being, this console, which we haven't saved. So, I'm going to minimize that and now we are going back to Server Manager, and in Server Manager we want to go to the IIS, or Internet Information Services Manager, IIS Manager. We'll go ahead and expand this and expand our page, and within Sites, we want to go to the default website, and within the default website, we want to change the bindings so it can use the certificates.
So, by just selecting this, note in the Actions pane, under "Edit Site," this "Bindings..." hyperlink. So, let's click that and notice we have https here; we need to edit that, and right now, as you see, no certificate is selected. So, we need to put in the web server certificate here. So, in this case we want to find the certificate called "Northam-CFG2.DaveMCT.com", so that's the certificate we want. We can view it and then we view the details of it, and what we're looking for is the subject, and here it is, it's the one assigned to this computer, and that is correct.
Notice the Enhanced Key Usage is "Server Authentication..." and that is correct as well. So, now that we see that, let me scroll up a little bit more to this, the "CRL Distribution Point," and we can see that we have the different locations including, we should see, the http://CRLDave.com CRL list and the actual CRL file named for the certificate authority. What we want to do here with the certificate is copy it to a file, so we can also share this with the clients that are making the connection, so when we click "Copy to File," we get the "Certificate Export Wizard"; we're going to click "Next" and in this case we don't have to worry about the private key.
We want to make sure this is saved as a CER file, CER. So, we're going to click "Next" and see it's "Saved as CER," which is DER encoded binary X.509, and click "Next", and then we're also going to save this to the root of the D drive, but the name of this file is Northam-CFG2CER, and click "Save" and then "Next" and "Finish" and then finally "OK", and now we can close all our open windows and this will complete this particular demonstration.
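The demonstration above changes two template settings that an administrator will want to be able to find again later (the ConfigMgrDevice minimum key size lowered to 1024, and the exportable private key on the distribution point template) and then fixes an IIS https binding that initially had no certificate selected. The following PowerShell script is an added example written for this page; it is not part of the course and not Microsoft's or Configuration Manager's own tooling. It reads the templates straight from the Configuration partition of Active Directory, reports the minimum key size and the exportable-key flag for each, and on the site server lists the RSA certificates in the computer's Personal store together with the thumbprint the site's https binding actually uses. Assumptions: the ActiveDirectory and WebAdministration modules are installed, the script runs with rights to read the Configuration partition, the templates carry the names used when they were added to issue (ConfigMgrDP, ConfigMgrDevice, ConfigMgrWebServer), the site is "Default Web Site", and 2048 bits is the floor you want flagged (a chosen threshold, not something the video sets).

```powershell
# Added example (not from the course): audit the ConfigMgr certificate templates
# and the site server's certificate/binding state. Assumes the ActiveDirectory
# and WebAdministration modules are present and the caller can read the
# Configuration naming context.
Import-Module ActiveDirectory
Import-Module WebAdministration

# Bit in msPKI-Private-Key-Flag that corresponds to "Allow private key to be
# exported" on the Request Handling tab (CT_FLAG_EXPORTABLE_KEY).
$CT_FLAG_EXPORTABLE_KEY = 0x10
# OID of the v2 "Certificate Template Information" extension on issued certs.
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'

function Get-ConfigMgrTemplateAudit {
    param(
        # Template names are an assumption taken from the transcript.
        [string[]]$TemplateNames = @('ConfigMgrDP', 'ConfigMgrDevice', 'ConfigMgrWebServer'),
        [int]$MinimumKeySize = 2048   # chosen floor for this audit
    )
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    foreach ($name in $TemplateNames) {
        $t = Get-ADObject -SearchBase $searchBase -LDAPFilter "(cn=$name)" `
                -Properties 'msPKI-Minimal-Key-Size', 'msPKI-Private-Key-Flag', 'pKIExtendedKeyUsage'
        if (-not $t) {
            [pscustomobject]@{ Template = $name; Found = $false }
            continue
        }
        $keySize    = [int]$t.'msPKI-Minimal-Key-Size'
        $exportable = ([int]$t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
        [pscustomobject]@{
            Template      = $name
            Found         = $true
            MinKeySize    = $keySize
            BelowFloor    = ($keySize -lt $MinimumKeySize)   # true for the 1024-bit device template
            ExportableKey = $exportable                      # true for the DP template
            EKU           = ($t.pKIExtendedKeyUsage -join ',')
        }
    }
}

function Get-SiteServerCertAudit {
    param(
        [string]$SiteName = 'Default Web Site',   # assumed site name
        [int]$MinimumKeySize = 2048
    )
    # RSA certificates in the computer's Personal store (the store the MMC
    # walkthrough enrolled into), with the template each one came from.
    $certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $ext  = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        $tmpl = if ($ext) { $ext.Format($false) } else { '' }
        $size = $_.PublicKey.Key.KeySize   # RSA keys only, which is what these templates issue
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            KeySize       = $size
            BelowFloor    = ($size -lt $MinimumKeySize)
            HasPrivateKey = $_.HasPrivateKey
            Template      = $tmpl
        }
    }
    # The https binding on the site; certificateHash is empty when no
    # certificate has been selected in the Site Bindings dialog.
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    [pscustomobject]@{
        Site                = $SiteName
        HttpsBindingPresent = [bool]$binding
        BoundThumbprint     = $binding.certificateHash
        BoundStore          = $binding.certificateStoreName
        Certificates        = $certs
    }
}

# Usage: run on the domain controller (templates) and on the site server (binding).
Get-ConfigMgrTemplateAudit | Format-Table -AutoSize
$server = Get-SiteServerCertAudit
$server | Select-Object Site, HttpsBindingPresent, BoundThumbprint, BoundStore | Format-List
$server.Certificates | Format-Table Subject, KeySize, BelowFloor, HasPrivateKey, Template -AutoSize
```

Matching BoundThumbprint against the Thumbprint column confirms the binding references the ConfigMgrWebServer certificate rather than some other certificate in the store, and the BelowFloor and ExportableKey columns give you a record of which templates were deliberately relaxed so they can be revisited when the client fleet no longer needs the 1024-bit allowance.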