How to configure System Center Configuration Manager to Use HTTPS/PKI

If you want to configure your SCCM infrastructure to use HTTPS communication, you can leverage your current Windows Enterprise Certification Authority (CA) if you have one in your environment.

If you don’t have one, you can install and configure one with minimal effort. It’s just a Windows Server role, and you can find many step-by-step guides on the Internet. (I’m not going to demonstrate how to install and configure a Windows Enterprise CA using Active Directory Certificate Services (ADCS) here.) Instead, this post discusses the certificate requirements for SCCM to use HTTPS/PKI. (You should have at least basic knowledge of managing and maintaining ADCS to follow this, as I only discuss the SCCM portion of the requirements.)

Considerations for Creating Certificate Templates

Configuring Order for HTTPS for SCCM

There are two Certificate Templates that will be used for this: one for server-oriented components and another for desktop-oriented components (workstations).

Two Certificate Templates will be used in the CA for the above certificate requirements. These are:
  • Web Server Certificate Template
  • Workstation Authentication Certificate Template


Four certificates will be generated using the above two certificate templates. These are:
  • Web Server Certificate
  • Web Server Certificate with Private Key Exportable
  • Workstation Authentication
  • Workstation Authentication with Private Key Exportable
Certificates, their usage in SCCM and where they are deployed.

Now I’m going to talk about common settings for the above Server and Workstation Certificates.

How to go to Certificate Template Settings in Certification Authority?

Control Panel\System and Security\Administrative Tools\Certification Authority

How to go to Certificate Template Settings in Certification Authority.
Right-click the Certificate Template and go to Properties.

Settings for Certificate Templates, For two Web Server Certificates, Common Settings for both Certificates.

In the properties of this Web Server Certificate template, under “Subject Name,” you need to select the settings shown above.
For the same certificate, under the “Security” tab, add “Domain Computers” and allow the permissions shown in the picture above.

Settings for Certificate Template, For Web Server Certificate with Private Key Exportable.

This is the only setting that needs to be configured apart from the common settings above. This certificate is used for the Cloud Distribution Point (Cloud DP), and also if you have more than one Distribution Point (DP): the same DP certificate can be used for the rest of the DPs if the private key is configured as exportable.

These are the settings for Web Server with Private Key Exportable.

Settings for Certificate Templates, For two Workstation Authentication Certificates, Common Settings.

  • For this Certificate, in the Security tab, allow Read, Enroll and Autoenroll for the Domain Computers group
  • For workstations to auto-enroll, configure a GPO and link it to the particular OU in AD

Computer Configuration – Windows Settings – Security Settings – Public Key Policies – Certificate Services Client – Auto-Enrollment

For Two Workstation Authentication Certificates, Common Settings.
Configure the above settings in the Security tab for the Domain Computers group so that auto-enrollment works.

Settings for Certificate Template, For Workstation Authentication Certificates with Private Key Exportable.

How to configure Auto-Enrollment for Clients (Workstations) Certificates using GPO?

You can configure an Active Directory GPO to do the auto-enrollment for SCCM clients. Make sure you follow a proper plan for this; as shown in the picture below, you can create a separate OU and link the GPO to it.

Computer Configuration – Windows Settings – Security Settings – Public Key Policies – Certificate Services Client – Auto-Enrollment.
Extra considerations when configuring HTTPS for Servers and Clients (Workstations)

When you install a Web Server Certificate on a Member Server for some requirement, and that certificate is configured only for Server Authentication, you need to generate a Workstation Certificate for that server as well. If not, you will receive a certificate error when installing the SCCM Client.

As you can see, this Certificate only supports Server Authentication. Therefore you need to install a Workstation Certificate as well on the same server.
As you can see, this Certificate only supports Client Authentication.
Example of having two Certificates, one for Server and one for Client Authentication.
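To check the point above on a given member server before running the SCCM client install, here is an added PowerShell check (not from the original post) that lists the certificates in the computer’s Personal store and flags whether each carries the Server Authentication or Client Authentication EKU. The store path and the two EKU OIDs are the standard ones; the function names are my own.

```powershell
# Added example, not part of the original post: audit Cert:\LocalMachine\My
# for the two EKUs an SCCM server that is also an SCCM client needs.
# Run from an elevated PowerShell prompt on the member server.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-SccmCertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # The Enhanced Key Usage extension (OID 2.5.29.37) lists the EKU OIDs.
        $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOids = if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = ($ekuOids -contains $ServerAuthOid)
            ClientAuth    = ($ekuOids -contains $ClientAuthOid)
        }
    }
}

function Test-SccmServerCertificates {
    $report = Get-SccmCertificateReport

    # A usable certificate must have its private key present on this machine.
    $serverOk = $report | Where-Object { $_.ServerAuth -and $_.HasPrivateKey }
    $clientOk = $report | Where-Object { $_.ClientAuth -and $_.HasPrivateKey }

    if (-not $serverOk) {
        Write-Warning 'No Server Authentication certificate with a private key: HTTPS site roles on this server will fail.'
    }
    if (-not $clientOk) {
        Write-Warning 'No Client Authentication certificate with a private key: the SCCM client install will report a certificate error.'
    }

    $report | Format-Table Subject, NotAfter, HasPrivateKey, ServerAuth, ClientAuth -AutoSize
}

Test-SccmServerCertificates
```

A server that only shows a row with ServerAuth set to True is the case described above and still needs a Workstation Authentication certificate enrolled.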