Add SSL Certificates For SCCM

Arguably there are newer and fancier ways to do this in recent iterations of SCCM. If you wish to set up a standard internet-facing SCCM environment, or just an SSL-secured environment, this is the old skool way.

CREATE SCCM CERTIFICATES

  1. Open CA | Right-Click Cert Templates > Manage
  2. Right-Click Web Server template > Duplicate template
  3. Open new duplicate template :
    a Request Handling tab: Check ‘Allow private key to be exported’
    b General tab : Change name to “ConfigMgr IIS Cert”, validity 5 years
    c Subject name : default (‘supply in the request’ should be checked)
    d Security tab : remove the ‘Enroll’ permission from Domain Admins and Enterprise Admins, add your SCCM_Site_Servers group and add Enroll and read permission to this group | Click OK
  4. Open CA | Right-Click Cert Templates > Manage
  5. Right-Click Workstation Authentication template > Duplicate template
  6. Open new duplicate template :
    a Compatibility tab: keep defaults (ensure Windows Server 2003)
    b General tab : Change name to “ConfigMgr DP Cert”, validity 5 years
    c Security tab : Add your SCCM_Site_Servers group and add Enroll and read permission to this group | Click OK. Remove ‘Enroll’ for Enterprise Admins. On Request Handling tab, select Allow private key to be exported
  7. Right-Click Workstation Authentication template > Duplicate template
  8. Open new duplicate template :
    a Compatibility tab: keep defaults (ensure Windows Server 2003)
    b General tab : Change name to “ConfigMgr Client Cert”, validity 5 years
    c Security tab : Click ‘Domain Computers’ group and add AutoEnroll and read permission to this group (don’t uncheck ‘enroll’) | Click OK
  9. Open CA | Right-Click Cert Templates > New > Certificate Template to issue
  10. Select the three new certs from the ‘Enable Certificate Templates’ box. | Click OK
  11. Open the GPMC, open default domain policy (or wherever you have your PKI policy)
    a Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
    b Open up ‘Certificate Services Client – Auto-Enrollment’. Change ‘Configuration Model’ to ‘Enabled’
    c Check ‘Renew expired certs…’ and ‘Update certificates that use cert templates’

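Before moving on to enrolment it is worth confirming the three duplicated templates actually landed in AD with the private-key settings the steps above call for (IIS and DP exportable, client not) and that the CA is publishing them. The script below is an added check and is not part of the original post. It assumes the template names are the display names with the spaces removed (what ADCS does by default when you duplicate) and that the ActiveDirectory module is available; `msPKI-Private-Key-Flag` bit 0x10 is the documented CT_FLAG_EXPORTABLE_KEY flag.

```powershell
# Added check, not from the original post: verify the three ConfigMgr templates.
Import-Module ActiveDirectory

# Template name -> should the private key be exportable? (per the steps above)
$expected = @{
    'ConfigMgrIISCert'    = $true    # step 3a: Allow private key to be exported
    'ConfigMgrDPCert'     = $true    # step 6c: Allow private key to be exported
    'ConfigMgrClientCert' = $false   # client cert stays on the machine
}

# CT_FLAG_EXPORTABLE_KEY is bit 0x10 of msPKI-Private-Key-Flag
$CT_FLAG_EXPORTABLE_KEY = 0x10

# Templates live in the Configuration partition, not the domain partition
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateDN `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-Private-Key-Flag'

foreach ($name in $expected.Keys) {
    $t = $templates | Where-Object { $_.Name -eq $name }
    if (-not $t) { Write-Warning "Template $name not found in AD"; continue }

    $exportable = ($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    if ($exportable -ne $expected[$name]) {
        Write-Warning "$name ($($t.displayName)): exportable=$exportable, expected $($expected[$name])"
    } else {
        Write-Host "$name ($($t.displayName)): OK, exportable=$exportable"
    }
}

# certutil -CATemplates lists the templates the CA can issue (step 10 above).
# Each line starts with the template name, so a simple match is enough.
$published = certutil -CATemplates 2>&1 | Out-String
foreach ($name in $expected.Keys) {
    if ($published -notmatch [regex]::Escape($name)) {
        Write-Warning "$name is not published on the CA; add it via 'Certificate Template to Issue'"
    }
}
```

Run it from a domain-joined box with RSAT; a warning on the exportable flag means the Request Handling tab was missed on that duplicate, and a warning from the last loop means step 10 was skipped for that template.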
ADD CERTS TO SCCM

  1. On the DP open the certificate MMC > Computer > Personal > Certificates | Right-click folder > All Tasks > Request New Certificate
  2. Next > Next | On ‘Request Certificates’ page check ‘ConfigMgr DP Cert’ and click ENROLL > Finish
  3. While still in the certs MMC, Right-click the DP cert you have just imported > All Tasks > Export > Next. Select Yes, export private key
  4. Keep defaults on Personal Information Exchange – PKCS #12 (.PFX) and click next.
  5. Enter a password > Next > Save the file as C:\Temp\SCCM_DP_Cert. Click finish
  6. On the MP open the certificate MMC > Computer > Personal > Certificates | Right-click folder > All Tasks > Request New Certificate
  7. Next > Next | On ‘Request Certificates’ page check ‘ConfigMgr IIS Cert’ and click the ‘More information is required to enroll…’ link
  8. Under Subject Name, select ‘Common Name’ and add the name of the server, eg SCCMMP01 > Add
  9. Under Alternative Name, select DNS and add the FQDN of the server > Add
  10. Under the GENERAL tab, add the name of the server as the friendly name
  11. Under the Cert Authority tab, select your CA if it’s not already selected. Select Enroll > Finish.
  12. On the MP (internet facing if there is one) open IIS > Default Web Site > Bindings… | Edit HTTPS
  13. Select the new SSL certificate. If you don’t see HTTPS, click add and create it.
  14. Repeat the above on any other MPs
  15. From the SCCM console go to Admin\Overview\Site Configuration\Sites | Properties > Client Computer Communication. Add the Root CA Certificate you created earlier.
  16. FINALLY!!!! Go to Admin\Overview\Distribution Points | Properties and add the certificate and password you created on the DP in point #5. Rinse and repeat for all your DPs.
    Just select YES if you get a message about it being a copy of one used on another DP.
  17. To add certs for the SUP/WSUS see https://www.petervanderwoude.nl/post/how-to-configure-a-software-update-point-to-use-ssl-for-communicating-with-wsus/
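The DP and MP enrolment steps above are all point-and-click, which gets old once you have more than a couple of servers. The script below is an added example, not code from the original post: it does the DP enrol-and-export and the MP enrol-with-SAN-and-bind from PowerShell using the PKI and WebAdministration modules (Windows Server 2012 R2 or later). It assumes the template names are the display names without spaces, uses the post's C:\Temp\SCCM_DP_Cert.pfx path and the hostname/FQDN of the machine it runs on; the function names are my own.

```powershell
# Added example, not from the original post. Run Request-DpCertificate on each DP
# and Request-MpCertificate on each MP, as an administrator.
Import-Module PKI
Import-Module WebAdministration

function Request-DpCertificate {
    # Steps 1-5: enrol 'ConfigMgr DP Cert' into the machine store and export it
    # with its private key as a password-protected .pfx for the DP properties page.
    param(
        [string]$PfxPath = 'C:\Temp\SCCM_DP_Cert.pfx',
        [string]$Template = 'ConfigMgrDPCert'   # assumed template name (display name minus spaces)
    )
    $result = Get-Certificate -Template $Template -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') { throw "DP cert not issued, status: $($result.Status)" }

    $pfxPassword = Read-Host -Prompt 'Password for the exported .pfx' -AsSecureString
    Export-PfxCertificate -Cert $result.Certificate -FilePath $PfxPath -Password $pfxPassword | Out-Null
    return $result.Certificate
}

function Request-MpCertificate {
    # Steps 6-13: enrol 'ConfigMgr IIS Cert' with CN = hostname and SAN = FQDN,
    # set the friendly name, and bind it to HTTPS on the Default Web Site.
    param(
        [string]$Template = 'ConfigMgrIISCert',   # assumed template name
        [string]$SiteName = 'Default Web Site'
    )
    $hostName = $env:COMPUTERNAME                                    # e.g. SCCMMP01
    $fqdn     = [System.Net.Dns]::GetHostEntry($hostName).HostName   # e.g. SCCMMP01.bondynet.org

    $result = Get-Certificate -Template $Template `
                -SubjectName "CN=$hostName" -DnsName $fqdn `
                -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($result.Status -ne 'Issued') { throw "IIS cert not issued, status: $($result.Status)" }

    $cert = $result.Certificate
    $cert.FriendlyName = $hostName                                   # step 10

    # Create the HTTPS binding if it is missing (step 13), then attach the new cert
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 | Out-Null
    }
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    $binding.AddSslCertificate($cert.Thumbprint, 'My')

    # Sanity check: the cert chains to a trusted root and is valid for SSL on this FQDN
    if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn)) {
        Write-Warning "Cert $($cert.Thumbprint) failed SSL validation for $fqdn (root not trusted yet?)"
    }
    return $cert
}
```

`Test-Certificate` failing straight after enrolment usually means the root CA has not reached this server's Trusted Root store yet; a `gpupdate /force` after the PKI GPO from step 11 normally sorts that out.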

Build a Certificate Authority, Step By Step

I have just had to do this so I thought I’d make the most of the ordeal by documenting it. I make no apologies here – I am giving you the bare minimum click-by-click. I’m not attempting to tell you what you’re doing along the way as this post would just be too long. As long as you do everything as indicated and don’t take any shortcuts, you should be fine. If you previously had a CA in place, I recommend you fully uninstall it before starting.

You will need two VMs, one domain joined (IssuingCA) and the other just in a workgroup (RootCA). In my example below, my root CA is SVR-CA-01.bondynet.org and my issuing CA is SVR-CA-02.bondynet.org. These names make up some of the cert names in the instructions below, so please ensure you substitute as appropriate for your environment. One final caveat: this was put together on Windows 2012 R2 so there may be one or two minor changes to the interface in places, but honestly not much has changed in years…

ROOTCA

  1. Workgroup computer, Install cert services
  2. Go through the config wizard and select:
    a Cert Authority
    b Standalone CA
    c Root CA
    d New private key
    e All default crypto options
    f Default names
    g Default Validity (5 years)
    h Default db locations
    i Click CONFIGURE
  3. Open Cert Authority > Properties > Extensions > CRL Distribution Point (CDP)
    a Click Add.. and under location type : http://svr-ca-02.bondynet.org/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl (replace with your issuing CA)
    b Check Include in CRLs…
    c Check Include in CDP extension…
    d Select AIA from the combo box > Add
    e http://svr-ca-02.bondynet.org/CertData/<ServerDNSName>_<CaName><CertificateName>.crt (note the crt extension and the underscores for AIA).
    f Check ‘Include in the AIA extension…’
    g Restart services when prompted.
  4. Publish CRL by going to Revoked certificates node | right click > all tasks > Publish
  5. crl and crt published at C:\Windows\system32\CertSrv\CertEnroll. Copy this path to clipboard.
  6. ROOTCA properties > General > View Certificate #0 > Details > Copy to file > Next DER Encoded > Next > save as C:\Windows\system32\CertSrv\CertEnroll\RootCACert.cer
  7. Browse to \\IssuingCA\C$\Temp\Certs and drop the three certs in the folder
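Steps 3 to 5 can also be done from an elevated PowerShell prompt on the root CA with certutil, which makes the CDP/AIA settings reviewable and repeatable. This is an added example, not from the original post. The numeric prefix on each URL is the bitmask behind the GUI check-boxes: 1 = publish to this location, 2 = include in the CDP/AIA extension of issued certs, 4 = "Include in CRLs. Clients use this to find Delta CRL locations", 8 = "Include in all CRLs" (the LDAP-publish variant). I have assumed the post's "Include in CRLs…" means the 4 flag; use 8 instead if you ticked "Include in all CRLs". The `%1 %3 %4 %8 %9` tokens are certutil's short forms of `<ServerDNSName> <CaName> <CertificateName> <CRLNameSuffix> <DeltaCRLAllowed>`.

```powershell
# Added example, not from the original post: CDP/AIA configuration of the root CA.
$issuingHost = 'svr-ca-02.bondynet.org'   # replace with your issuing CA's web host

# CRL Distribution Point list (REG_MULTI_SZ; certutil takes a literal \n between entries)
$cdp = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'    # keep the default local publish entry
    "6:http://$issuingHost/CertData/%3%8%9.crl"            # 2 + 4: in CDP extension and in CRLs
) -join '\n'

# Authority Information Access list (note the underscore between ServerDNSName and CaName)
$aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'   # keep the default local publish entry
    "2:http://$issuingHost/CertData/%1_%3%4.crt"           # include in the AIA extension
) -join '\n'

certutil -setreg CA\CRLPublicationURLs    $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# The CA reads these at start-up (step 3g), then publish the CRL (step 4)
Restart-Service certsvc
certutil -crl

# Show what actually went into the registry, and the published .crl/.crt (step 5)
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
Get-ChildItem "$env:WINDIR\system32\CertSrv\CertEnroll"
```

The `-getreg` output is what to compare against step 3 if certs issued later fail revocation checking: a missing 2 on the http entry means issued certs carry no reachable CDP, because the root is about to be switched off and its local path will never be reachable from the domain.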

PUBLISH ROOT CA IN AD

  1. Open the GPMC, open default domain policy (or some other if preferred)
    a Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
    b Right-click > Import > Next > browse to \\IssuingCA\C$\Temp\Certs\RootCACert.cer > Next > Finish
  2. Run GPUpdate /force and you should see your new certificate appear under ‘Trusted Root Cert Authorities’ in Certificate manager MMC.

ISSUING CA

  1. Install Certificate Authority with all Role Services
  2. Once complete, in SVRMGR click the yellow triangle for post config.
  3. Specify creds or leave default | Next
  4. Select Cert Auth, Cert Auth Web Enrollment | Next
  5. Select Enterprise | Next
  6. Subordinate CA | Next
  7. Create a new private key | Next
  8. All default crypto options | Next
  9. All default names | Next
  10. Default req filename and location (C:\SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req) | Next
  11. Default db location | Next | Configure | OK. Don’t configure additional roles when prompted for our purposes here.

REQUEST CERT FROM PARENT CA

  1. On the root CA, browse to \\IssuingCA\C$ and copy c:\SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req locally.
  2. In the CA MMC console, right-click the CA > All Tasks > Submit New Request > select SVR-CA-02.BONDYNET.org_BONDYNET-SVR-CA-02-CA-2.req > OK
  3. Go to Pending Node to see the new certificate. Right-click > All Tasks > Issue
  4. Under ‘Issued Certificates’ node, right-click > Open > Details tab > Copy to file > Next
  5. Select Cryptographic Message Syntax Std (.P7b) and select ‘Include all certs in path’. | Next
  6. Open Browse and you should be in the CertEnroll directory. Call the cert ‘IssuingCACert’ | Next | Finish | OK | OK
  7. Copy the new .p7b certificate to the \\IssuingCA\C$\Temp\Certs\ location.

INSTALL & CONFIGURE CERT ON ISSUING CA

  1. Create a new folder at C:\inetpub\wwwroot\CertData
  2. Copy the .crt file and the .crl file from C:\Temp\Certs to C:\inetpub\wwwroot\CertData
  3. Open the CA console on the Issuing CA. Right-click servername > All Tasks > Install CA Certificate. Select The new p7b certificate.
  4. Start the CA service from the MMC console. You will probably get a message about an untrusted root certificate. Just click OK. If you get an error (CRYPT_E_REVOCATION_OFFLINE) see https://stealthpuppy.com/resolving-issues-starting-ca-offline-crl/
  5. Switch off the root CA!
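Before switching the root off for good, it pays to prove that the chain and the CDP/AIA URLs you published actually work from the issuing CA, because every cert it issues from now on inherits those URLs. The script below is an added check and is not part of the original post; it covers step 2 of PUBLISH ROOT CA IN AD (root in the trusted store) as well as steps 3-4 here. It assumes the RootCACert.cer file name from the post and the PKI module; `certutil -verify -urlfetch` is the stock way to have Windows fetch every CDP/AIA URL in a chain and report any it cannot reach.

```powershell
# Added check, not from the original post: run on the issuing CA after step 4.
Import-Module PKI

$rootCerFile = 'C:\Temp\Certs\RootCACert.cer'   # dropped here in the ROOTCA section

# 1. Is the root trusted by this machine (GPO from PUBLISH ROOT CA IN AD applied)?
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerFile
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($trusted) {
    Write-Host "Root CA '$($root.Subject)' is in LocalMachine\Root"
} else {
    Write-Warning "Root CA not in LocalMachine\Root yet; run gpupdate /force and check the PKI GPO"
}

# 2. Find the issuing CA's own certificate: issued by the root, sitting in the machine store
$issuing = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $root.Subject -and $_.Extensions.Oid.FriendlyName -contains 'Basic Constraints' } |
    Select-Object -First 1
if (-not $issuing) { throw 'Issuing CA certificate not found in LocalMachine\My; was Install CA Certificate run?' }

# 3. Walk the chain and fetch every CDP/AIA URL it references.
#    Lines reading 'Error retrieving URL' point at a CDP/AIA entry the root published
#    that is not being served from wwwroot\CertData on this box.
$tmp = Join-Path $env:TEMP 'issuingca.cer'
Export-Certificate -Cert $issuing -FilePath $tmp -Type CERT | Out-Null
certutil -verify -urlfetch $tmp
Remove-Item $tmp -ErrorAction SilentlyContinue

# 4. Is the CA service running and answering requests?
Get-Service certsvc | Select-Object Status, Name
certutil -ping
```

If `certutil -verify -urlfetch` reports the root's http CDP or AIA as unreachable, fix that (missing .crl/.crt in C:\inetpub\wwwroot\CertData, wrong host name in the root's extensions) before switching the root off; once it is offline, the only copies of its CRL are the ones you published.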

INSTALL THE REST OF THE ROLES

  1. Create two service accounts, domain users only, CESvcCert and NDESvcCert and add these to the local IIS_IUSRS group
  2. Click the yellow triangle in svrmgr and check all the unchecked roles | Next
  3. Under Service account for NDES, enter the NDES svc Account | Next
  4. Use defaults for RA Information | Next
  5. Use defaults for Crypto | Next
  6. Under CA for CES, keep defaults | Next
  7. For Auth type, select User name and password | Next
  8. Under Service Account for CES, enter the CESvcCert Account | Next
  9. For Auth type, select User name and password | Next
  10. For Key-based renewal for CEP, check Enable key-based renewal | Next | Configure

You’re all done for the CA. Now for the certs…see next post!