If you want to configure your SCCM infrastructure to use HTTPS communication, you can leverage your existing Windows Enterprise Certification Authority (CA) if you have one in your environment.
If you don’t have one, you can install and configure it with minimal effort. It is just a Windows Server role, and you can find plenty of step-by-step guides on the Internet. (I’m not going to demonstrate how to install and configure a Windows Enterprise CA using Active Directory Certificate Services (ADCS) here.) Instead, I’m going to discuss the certificate requirements for SCCM to use HTTPS/PKI in this post. (You should have at least basic administration knowledge of managing and maintaining ADCS to follow along, as I only discuss the SCCM portion of the requirements.)
Considerations for Creating Certificate Templates
Configuring Order for HTTPS for SCCM
Two certificate templates will be used for this: one for server-oriented components and another for desktop-oriented components (workstations).
The two templates to create in the CA for the above certificate requirements are:
- Web Server Certificate Template
- Workstation Authentication Certificate Template
Four certificates will be generated from the above two templates:
- Web Server Certificate
- Web Server Certificate with Private Key Exportable
- Workstation Authentication
- Workstation Authentication with Private Key Exportable
Now I’m going to talk about the common settings for the above server and workstation certificates.
How to go to Certificate Template Settings in Certification Authority?
Control Panel\System and Security\Administrative Tools\Certification Authority
Settings for the Web Server certificate template (common settings for both Web Server certificates).
Settings for the Web Server certificate template with the private key exportable.
This is the only setting that needs to be configured apart from the common settings above. This certificate will be used for a Cloud Distribution Point (Cloud DP), and also when you have more than one Distribution Point (DP): the same DP certificate can be installed on the rest of the DPs if the private key is configured as exportable.
Settings for the Workstation Authentication certificate template (common settings for both Workstation Authentication certificates).
- On the Security tab of this template, grant the Domain Computers group the Read, Enroll and Autoenroll permissions.
- For workstations to auto-enroll, configure a GPO and link it to the appropriate OU in AD:
Computer Configuration – Windows Settings – Security Settings – Public Key Policies – Certificate Services Client – Auto-Enrollment
Settings for the Workstation Authentication certificate template with the private key exportable.
How to configure auto-enrollment of client (workstation) certificates using a GPO?
You can configure an Active Directory GPO to perform the auto-enrollment for SCCM clients. Make sure you plan this properly; as shown in the picture below, you can create a separate OU and link the GPO to it.
Extra considerations when configuring HTTPS for servers and clients (workstations)
When you install a Web Server certificate on a member server for some other requirement, and that certificate is configured only for Server Authentication, you still need to generate a Workstation Authentication certificate for that server. If you don’t, you will receive a certificate error when installing the SCCM client.
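The following PowerShell script is an added example and is not code from the original post or from Microsoft. It checks a machine for the conditions discussed in the two sections above: whether the auto-enrollment GPO has applied, whether the machine holds a certificate with the Client Authentication usage that the SCCM client needs (a server holding only a Server Authentication Web Server certificate is the case described above), and whether each Web Server certificate's private key is exportable so it can be reused on other DPs or a Cloud DP. It assumes RSA keys (exportability of other key types is reported as unknown) and is run in an elevated PowerShell session on the server or workstation being checked.

```powershell
# Added example (not from the original post): audit the local machine certificate store for
# SCCM HTTPS/PKI readiness. Assumes RSA keys; other key types report KeyExportable as $null.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (Web Server template)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (Workstation Authentication template)

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the Enhanced Key Usage extension directly so this works on any X509Certificate2 object.
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns $true/$false, or $null when there is no private key or its export policy cannot be read.
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {                    # CNG (KSP) key
            $policy = $rsa.Key.ExportPolicy
            return ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {  # legacy CSP key
            return $rsa.CspKeyContainerInfo.Exportable
        }
    } catch { }
    return $null
}

function Get-AutoEnrollmentState {
    # The "Certificate Services Client - Auto-Enrollment" GPO writes the AEPolicy value here.
    # Missing value: the policy has not applied. Bit 0x8000 set: auto-enrollment disabled by policy.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value)    { return 'GPO not applied' }
    if ($value -band 0x8000) { return 'Disabled by policy' }
    return ('Enabled (AEPolicy=0x{0:X})' -f $value)
}

function Test-SccmPkiReadiness {
    $report = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
        $ekus = Get-CertEkuOids -Cert $c
        [pscustomobject]@{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey
            ServerAuth    = $ekus -contains $ServerAuthOid
            ClientAuth    = $ekus -contains $ClientAuthOid
            KeyExportable = Test-PrivateKeyExportable -Cert $c
        }
    }
    $report | Format-Table -AutoSize
    "Auto-enrollment: $(Get-AutoEnrollmentState)"

    # The case the post warns about: a member server with only a Server Authentication certificate.
    $clientCerts = @($report | Where-Object { $_.ClientAuth -and $_.HasPrivateKey })
    if ($clientCerts.Count -eq 0) {
        Write-Warning 'No certificate with Client Authentication EKU and a private key: the SCCM client will report a certificate error until a Workstation Authentication certificate is enrolled.'
    }
    # Web Server certificates whose key cannot leave this machine cannot be reused on other DPs / Cloud DP.
    foreach ($r in $report | Where-Object { $_.ServerAuth -and $_.KeyExportable -eq $false }) {
        Write-Warning "Web Server certificate $($r.Thumbprint) has a non-exportable private key; it cannot be reused on other DPs or a Cloud DP."
    }
}

Test-SccmPkiReadiness
```

If the script reports auto-enrollment as enabled but no Client Authentication certificate is present, running `gpupdate /force` followed by `certutil -pulse` triggers an enrollment pass immediately instead of waiting for the next policy refresh, after which the script can be re-run to confirm the Workstation Authentication certificate arrived.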