Add SSL Certificates For SCCM

Arguably there are newer and fancier ways to do this in recent iterations of SCCM. If you wish to set up a standard internet-facing SCCM environment, or just an SSL-secured one, this is the old skool way.

CREATE SCCM CERTIFICATES

  1. Open CA | Right-Click Cert Templates > Manage
  2. Right-Click Web Server template > Duplicate template
  3. Open new duplicate template :
    a Request Handling tab: Check ‘Allow private key to be exported’
    b General tab : Change name to “ConfigMgr IIS Cert”, validity 5 years
    c Subject name : default (‘supply in the request’ should be checked)
    d Security tab : remove the ‘Enroll’ permission from Domain Admins and Enterprise Admins, add your SCCM_Site_Servers group and add Enroll and read permission to this group | Click OK
  4. Open CA | Right-Click Cert Templates > Manage
  5. Right-Click Workstation Authentication template > Duplicate template
  6. Open new duplicate template :
    a Compatibility tab: keep defaults (ensure Windows Server 2003)
    b General tab : Change name to “ConfigMgr DP Cert”, validity 5 years
    c Security tab : Add your SCCM_Site_Servers group and add Enroll and read permission to this group. Remove ‘Enroll’ for Enterprise Admins
    d Request Handling tab : Check ‘Allow private key to be exported’ | Click OK
  7. Right-Click Workstation Authentication template > Duplicate template
  8. Open new duplicate template :
    a Compatibility tab: keep defaults (ensure Windows Server 2003)
    b General tab : Change name to “ConfigMgr Client Cert”, validity 5 years
    c Security tab : Click ‘Domain Computers’ group and add AutoEnroll and read permission to this group (don’t uncheck ‘enroll’) | Click OK
  9. Open CA | Right-Click Cert Templates > New > Certificate Template to issue
  10. Select the three new certs from the ‘Enable Certificate Templates’ box. | Click OK
  11. Open the GPMC, open default domain policy (or wherever you have your PKI policy)
    a Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
    b Open up ‘Certificate Services Client – Auto-Enrollment’. Change ‘Configuration Model’ to ‘Enabled’
    c Check ‘Renew expired certs…’ and ‘Update certificates that use cert templates’

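Once the three templates are published, it is worth reading them back from Active Directory rather than trusting the dialog boxes, because the IIS template combines ‘supply in the request’ with an exportable private key, and the only thing that keeps that combination safe is the restricted Enroll permission set in step 3d. The script below is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module, the template display names and the SCCM_Site_Servers group used above, and treats the Domain Admins / Enterprise Admins entries that the steps do not explicitly remove as still expected.

```powershell
# Added check (not from the original post): read the three templates back from AD
# and confirm the settings the steps above set. Assumes the ActiveDirectory module
# and the template display names and group names used in this post.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Template flag bits (from the certificate template schema)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: 'Supply in the request'
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: 'Allow private key to be exported'
$CT_FLAG_AUTO_ENROLLMENT           = 0x20   # msPKI-Enrollment-Flag: template permits autoenrollment

# Extended-right GUIDs that appear in template ACLs
$EnrollGuid     = [guid]'0e10c968-78fb-11d1-bc0a-00c04fc2d02f'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# What each template should look like after the steps in this post
$expected = @(
    @{ Name = 'ConfigMgr IIS Cert';    SuppliesSubject = $true;  Exportable = $true
       Enroll = @('SCCM_Site_Servers') }
    @{ Name = 'ConfigMgr DP Cert';     SuppliesSubject = $false; Exportable = $true
       Enroll = @('SCCM_Site_Servers', 'Domain Admins') }   # post only removes Enterprise Admins here
    @{ Name = 'ConfigMgr Client Cert'; SuppliesSubject = $false; Exportable = $false
       Enroll = @('Domain Computers', 'Domain Admins', 'Enterprise Admins') }
)

# Principals holding a given extended right (Enroll or AutoEnroll) on a template.
# Full-control ACEs are not counted; they show up as an empty ObjectType.
function Get-EnrollPrincipals {
    param($Acl, [guid]$RightGuid)
    $Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $RightGuid -and
                       ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
        ForEach-Object { $_.IdentityReference.Value.Split('\')[-1] } | Sort-Object -Unique
}

function Test-ConfigMgrTemplate {
    param([hashtable]$Spec)
    $t = Get-ADObject -SearchBase $tmplBase -Filter "displayName -eq '$($Spec.Name)'" `
           -Properties 'msPKI-Certificate-Name-Flag','msPKI-Private-Key-Flag','msPKI-Enrollment-Flag',
                       'pKIExpirationPeriod','nTSecurityDescriptor'
    if (-not $t) { return [pscustomobject]@{ Template = $Spec.Name; Found = $false } }

    # pKIExpirationPeriod is a negative interval in 100 ns ticks
    $validity = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($t.pKIExpirationPeriod, 0))
    $enroll   = @(Get-EnrollPrincipals -Acl $t.nTSecurityDescriptor -RightGuid $EnrollGuid)
    $auto     = @(Get-EnrollPrincipals -Acl $t.nTSecurityDescriptor -RightGuid $AutoEnrollGuid)
    $supplies = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    $export   = [bool]($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)

    [pscustomobject]@{
        Template             = $Spec.Name
        Found                = $true
        ValidityYears        = [math]::Round($validity.TotalDays / 365, 1)   # expect 5
        SuppliesSubject      = $supplies
        ExportableKey        = $export
        AutoEnrollFlag       = [bool]($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_AUTO_ENROLLMENT)
        EnrollPrincipals     = $enroll -join ', '
        AutoEnrollPrincipals = $auto -join ', '
        # Anyone with Enroll who is not in the expected list. For the IIS template,
        # 'supply in the request' plus an exportable key is why the post restricts
        # Enroll to SCCM_Site_Servers, so this should come back empty.
        UnexpectedEnroll     = ($enroll | Where-Object { $Spec.Enroll -notcontains $_ }) -join ', '
        SettingsMatch        = ($supplies -eq $Spec.SuppliesSubject) -and ($export -eq $Spec.Exportable)
    }
}

$expected | ForEach-Object { Test-ConfigMgrTemplate -Spec $_ } | Format-List
```

Run it from a domain-joined box with read access to the configuration partition; any template reporting `Found = False`, `SettingsMatch = False`, a non-empty `UnexpectedEnroll`, or a validity other than 5 means one of the dialog steps above was missed.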
ADD CERTS TO SCCM

  1. On the DP open the certificate MMC > Computer > Personal > Certificates | Right-click folder > All Tasks > Request New Certificate
  2. Next > Next | On ‘Request Certificates’ page check ‘ConfigMgr DP Cert’ and click ENROLL > Finish
  3. While still in the certs MMC, Right-click the DP cert you have just imported > All Tasks > Export > Next. Select Yes, export private key
  4. Keep defaults on Personal Information Exchange – PKCS #12 (.PFX) and click next.
  5. Enter a password > Next > Save the file as C:\Temp\SCCM_DP_Cert. Click finish
  6. On the MP open the certificate MMC > Computer > Personal > Certificates | Right-click folder > All Tasks > Request New Certificate
  7. Next > Next | On ‘Request Certificates’ page check ‘ConfigMgr IIS Cert’ and click the ‘More information is required…’ link
  8. Under Subject Name, select ‘Common Name’ and add the name of the server, e.g. SCCMMP01 > Add
  9. Under Alternative Name, select DNS and add the FQDN of the server > Add
  10. Under the GENERAL tab, add the name of the server as the friendly name
  11. Under the Cert Authority tab, select your CA if it’s not already selected. Select Enroll > Finish.
  12. On the MP (internet facing if there is one) open IIS > Default Web Site > Bindings… | Edit HTTPS
  13. Select the new SSL certificate. If you don’t see HTTPS, click add and create it.
  14. Repeat the above on any other MPs
  15. From the SCCM console go to Admin\Overview\Site Configuration\Sites | Properties > Client Computer Communication. Add the Root CA Certificate you created earlier.
  16. FINALLY!!!! Go to Admin\Overview\Distribution Points | Properties and add the certificate and password you created on the DP in point #5. Rinse and repeat for all your DPs.
    Just select YES if you get a message about it being a copy of one used on another DP.
  17. To add certs for the SUP/WSUS see https://www.petervanderwoude.nl/post/how-to-configure-a-software-update-point-to-use-ssl-for-communicating-with-wsus/
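If you have more than one or two DPs and MPs, clicking through the certificate MMC and IIS for each of them gets old quickly. The script below is an added example, not code from the original post: it does the DP enrollment and PFX export, the MP enrollment with CN = short name and SAN = FQDN, the HTTPS binding, and then checks the result the way a client would see it. It assumes the PKI and WebAdministration modules, that the site ‘Default Web Site’ is the one SCCM uses, and that the template names (as opposed to display names) are ‘ConfigMgrDPCert’ and ‘ConfigMgrIISCert’, which is the default you get when duplicating a template called ‘ConfigMgr DP Cert’ / ‘ConfigMgr IIS Cert’; adjust if you renamed them.

```powershell
# Added example (not from the original post): PowerShell equivalent of the MMC and
# IIS steps above. Assumes the PKI and WebAdministration modules and the template
# names ConfigMgrDPCert / ConfigMgrIISCert (default names for the duplicates).
Import-Module PKI
Import-Module WebAdministration

$short = $env:COMPUTERNAME                                            # CN, e.g. SCCMMP01
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # SAN, e.g. sccmmp01.corp.example

# --- DP: enroll for the DP cert, then export it with the private key (steps 1-5) ---
function New-DpCertificatePfx {
    param([string]$PfxPath, [securestring]$PfxPassword)
    $req = Get-Certificate -Template 'ConfigMgrDPCert' -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($req.Status -ne 'Issued') { throw "DP cert not issued, status: $($req.Status)" }
    # The PFX holds the private key; it is what you upload in the DP properties (step 16).
    Export-PfxCertificate -Cert $req.Certificate -FilePath $PfxPath -Password $PfxPassword | Out-Null
    return $req.Certificate
}

# --- MP: enroll for the IIS cert with CN + DNS SAN, then bind it to HTTPS (steps 6-13) ---
function New-MpIisCertificate {
    $req = Get-Certificate -Template 'ConfigMgrIISCert' `
        -SubjectName "CN=$short" -DnsName $fqdn `
        -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($req.Status -ne 'Issued') { throw "IIS cert not issued, status: $($req.Status)" }
    $cert = $req.Certificate
    $cert.FriendlyName = $short   # step 10: friendly name = server name

    # Create the HTTPS binding if it is missing, then attach the certificate to it
    if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
        New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
    }
    $sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $sslBinding) { Remove-Item $sslBinding }
    $cert | New-Item $sslBinding | Out-Null
    return $cert
}

# --- Check what a client will see: chain to your root CA, Server Authentication EKU, name match ---
function Test-MpIisCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ok = Test-Certificate -Cert $Cert -Policy SSL -DNSName $fqdn `
              -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject       = $Cert.Subject
        DnsNames      = $Cert.DnsNameList.Unicode -join ', '
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ChainEkuName  = [bool]$ok    # $false means clients will fail the HTTPS handshake
    }
}

# Usage on a DP:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   New-DpCertificatePfx -PfxPath 'C:\Temp\SCCM_DP_Cert.pfx' -PfxPassword $pw
# Usage on an MP:
#   $cert = New-MpIisCertificate
#   Test-MpIisCertificate -Cert $cert
```

`Test-Certificate` builds the chain on the box you run it on, so it only proves anything after the root CA has reached the machine through the GPO from step 11 of the first section; a `ChainEkuName` of `$false` right after enrollment usually means that policy has not applied yet rather than that the certificate is wrong. The exported PFX is a copy of the DP’s private key, so delete it from C:\Temp once it has been added in the console.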
