Arguably there are newer and fancier ways to do this in recent iterations of SCCM. If you wish to set up a standard internet-facing SCCM environment, or just an SSL-secured one, this is the old skool way.
CREATE SCCM CERTIFICATES
1. Open CA | Right-Click Cert Templates > Manage
2. Right-Click Web Server template > Duplicate template
3. Open new duplicate template:
   a. Request Handling tab: Check ‘Allow private key to be exported’
   b. General tab: Change name to “ConfigMgr IIS Cert”, validity 5 years
   c. Subject name: default (‘supply in the request’ should be checked)
   d. Security tab: remove the ‘Enroll’ permission from Domain Admins and Enterprise Admins, add your SCCM_Site_Servers group and add Enroll and Read permission to this group | Click OK
4. Open CA | Right-Click Cert Templates > Manage
5. Right-Click Workstation Authentication template > Duplicate template
6. Open new duplicate template:
   a. Compatibility tab: keep defaults (ensure Windows Server 2003)
   b. General tab: Change name to “ConfigMgr DP Cert”, validity 5 years
   c. Security tab: Add your SCCM_Site_Servers group and add Enroll and Read permission to this group. Remove ‘Enroll’ for Enterprise Admins. On the Request Handling tab, select ‘Allow private key to be exported’ | Click OK
7. Right-Click Workstation Authentication template > Duplicate template
8. Open new duplicate template:
   a. Compatibility tab: keep defaults (ensure Windows Server 2003)
   b. General tab: Change name to “ConfigMgr Client Cert”, validity 5 years
   c. Security tab: Click the ‘Domain Computers’ group and add Autoenroll and Read permission to this group (don’t uncheck ‘Enroll’) | Click OK
9. Open CA | Right-Click Cert Templates > New > Certificate Template to Issue
10. Select the three new certs from the ‘Enable Certificate Templates’ box | Click OK
11. Open the GPMC, open the Default Domain Policy (or wherever you have your PKI policy):
   a. Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
   b. Open up ‘Certificate Services Client – Auto-Enrollment’. Change ‘Configuration Model’ to ‘Enabled’
   c. Check ‘Renew expired certs…’ and ‘Update certificates that use cert templates’
ADD CERTS TO SCCM
1. On the DP open the certificate MMC > Computer > Personal > Certificates | Right-click the folder > All Tasks > Request New Certificate
2. Next > Next | On the ‘Request Certificates’ page check ‘ConfigMgr DP Cert’ and click Enroll > Finish
3. While still in the certs MMC, right-click the DP cert you have just enrolled > All Tasks > Export > Next. Select ‘Yes, export the private key’
4. Keep the defaults on Personal Information Exchange – PKCS #12 (.PFX) and click Next
5. Enter a password > Next > Save the file as C:\Temp\SCCM_DP_Cert. Click Finish
6. On the MP open the certificate MMC > Computer > Personal > Certificates | Right-click the folder > All Tasks > Request New Certificate
7. Next > Next | On the ‘Request Certificates’ page check ‘ConfigMgr IIS Cert’ and click the ‘More information is needed…’ link
8. Under Subject Name, select ‘Common Name’ and add the name of the server, e.g. SCCMMP01 > Add
9. Under Alternative Name, select DNS and add the FQDN of the server > Add
10. Under the General tab, add the name of the server as the friendly name
11. Under the Certification Authority tab, select your CA if it’s not already selected. Select Enroll > Finish
12. On the MP (the internet-facing one if there is one) open IIS > Default Web Site > Bindings… | Edit HTTPS
13. Select the new SSL certificate. If you don’t see HTTPS, click Add and create it.
14. Repeat the above on any other MPs
15. From the SCCM console go to Admin\Overview\Site Configuration\Sites | Properties > Client Computer Communication. Add the Root CA certificate you created earlier.
16. FINALLY!!!! Go to Admin\Overview\Distribution Points | Properties and add the certificate and password you created on the DP in point #5. Rinse and repeat for all your DPs. Just select Yes if you get a message about it being a copy of one used on another DP.
17. To add certs for the SUP/WSUS see https://www.petervanderwoude.nl/post/how-to-configure-a-software-update-point-to-use-ssl-for-communicating-with-wsus/
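As an added check that is not part of the original post, the PowerShell below verifies the result of the template and binding steps above: on an MP it confirms the Default Web Site HTTPS binding carries a cert from the ‘ConfigMgr IIS Cert’ template with the short name as CN and the FQDN in the SAN, a private key and a chain that validates to your root CA; on a DP it confirms a ‘ConfigMgr DP Cert’ with its private key exists before you export the PFX. It assumes the template names used above, the IIS WebAdministration module on the MP, and that Windows renders the template extension as ‘Template=<name>(<oid>)’.

```powershell
# Added verification script for the procedure above; not from the original post.
Import-Module WebAdministration

# Hostname and FQDN of the server this runs on (the MP or DP being checked)
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Duplicated (V2+) templates carry OID 1.3.6.1.4.1.311.21.7; Format() renders "Template=<name>(<oid>), ..."
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } | Select-Object -First 1
    if ($ext -and $ext.Format($false) -match 'Template=([^(]+)') { return $Matches[1].Trim() }
    # V1 templates put the bare name in OID 1.3.6.1.4.1.311.20.2
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } | Select-Object -First 1
    if ($ext) { return $ext.Format($false).Trim() }
    return $null
}

# MP check: the HTTPS binding must use a ConfigMgr IIS Cert with CN = short name, SAN = FQDN,
# a private key, a chain that validates, and not about to expire
function Test-SccmIisBinding {
    $binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
    if (-not $binding) { return 'FAIL: no HTTPS binding on Default Web Site' }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) { return "FAIL: bound thumbprint $($binding.certificateHash) is not in LocalMachine\My" }
    $problems = @()
    if ((Get-TemplateName $cert) -ne 'ConfigMgr IIS Cert') { $problems += 'not issued from the ConfigMgr IIS Cert template' }
    $cnPattern = 'CN=' + [regex]::Escape($env:COMPUTERNAME) + '(,|$)'
    if ($cert.Subject -notmatch $cnPattern) { $problems += "CN is not $env:COMPUTERNAME" }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if (-not $san -or $san.Format($false) -notmatch [regex]::Escape("DNS Name=$fqdn")) { $problems += "SAN lacks $fqdn" }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if (-not $cert.Verify()) { $problems += 'chain does not validate (is the root CA in Trusted Root via the GPO?)' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }
    if ($problems) { return 'FAIL: ' + ($problems -join '; ') }
    return "OK: $($cert.Thumbprint) bound for $fqdn"
}

# DP check: a ConfigMgr DP Cert with its private key must be present before the PFX export in step 3
function Test-SccmDpCert {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { (Get-TemplateName $_) -eq 'ConfigMgr DP Cert' } | Select-Object -First 1
    if (-not $cert) { return 'FAIL: no certificate from the ConfigMgr DP Cert template' }
    if (-not $cert.HasPrivateKey) { return 'FAIL: DP cert has no private key' }
    return "OK: DP cert $($cert.Thumbprint), expires $($cert.NotAfter)"
}

Test-SccmIisBinding
Test-SccmDpCert
```

Run it in an elevated PowerShell on each role; on a server that is only a DP, the IIS check is expected to report no HTTPS binding.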