To create and issue the site server signing certificate template

1. On the domain controller running the Windows Server 2003 console, click Start,
Programs, Administrative Tools, Certification Authority.

2. Expand the name of your certification authority (CA), and then click Certificate Templates.

3. Right-click Certificate Templates, and click Manage to load the Certificates Templates management console.

4. In the results pane, right-click the entry that displays Computer in the Template Display Name column, and then click Duplicate Template.

5. In the Properties of New Template dialog box, on the General tab, enter a template
name for the site server signing certificate template, such as ConfigMgr Site Server
Signing Certificate.

6. Click the Subject Name tab, and then click Supply in the request.

7. Click the Extensions tab, make sure Application Policies is selected, and then click
Edit.

8. In the Edit Application Policies Extension dialog box, select Client Authentication,
press Shift and select Server Authentication, and then click Remove.

9. In the Edit Application Policies Extension dialog box, click Add.

10. In the Add Application Policy dialog box, select Document Signing as the only
application policy, and then click OK.

11. In the Properties of New Template dialog box, you should now see listed as the
description of Application Policies: Document Signing.

12. Click the Issuance Requirement tab, and select CA certificate manager approval.

13. Click OK and close the Certificate Templates administrator console, certtmpl –
[Certificate Templates].

14. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

15. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Site Server Signing Certificate, and then click OK.

Note
If you cannot complete steps 14 or 15, check that you are using the Enterprise Edition of Windows Server 2003. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2003.

16. Do not close Certification Authority.

Requesting the Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server
To request the site server signing certificate

1. On the member server, load Internet Explorer and connect to the Web enrollment service with the address http:///certsrv where is the name or IP address of
the Enterprise CA.

2. On the Welcome page, select Request a certificate.

3. On the Request a Certificate page, select Advanced certificate request.

4. On the Advanced Certificate Request page, select Create and submit a request to this CA.

5. On the Advanced Certificate Request page, specify the following:
o Under the Certificate Template section, select ConfigMgr Site Server Signing Certificate for the Certificate Template.

Note
If you cannot see this certificate template displayed, check that you restarted the member server (if it was running) after you configured the security group in the earlier procedure.

o Under the section Identifying Information for Offline Template, in the Name
text box enter the following: The site code of this site server is , where
is the site code of the site. This exact text string in English must be used,
in the same case, without a trailing comma or period, and the site code must be
specified at the end of the string in the same case as it appears in the
Configuration Manager console. It is very important that this exact wording is
used, because this forms the certificate Subject name, which is used to identify the
site server signing certificate.
o Under the section Key Options, enable Store certificate in the local computer
certificate store.

Note
If you do not see this option displayed, it is likely that you have installed the
hotfix for KB 922706 to support Web enrollment for Windows Vista and
Windows Server 2008. This hotfix removes the option to store an advanced
certificate request in the computer store, so if this option is not available on your
Web enrollment pages, you must use an alternative certificate deployment method
for the site server signing certificate. For example, you can install the certificate
into the user store and then export it and import it into the computer store, or you
can use the command-line utility Certreq.exe to request the certificate. The
Certreq.exe method is used in the following topic: Step-by-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode: Windows Server 2008 Certification Authority.
o Under the section Additional Options, enter your choice for Friendly Name,
such as ConfigMgr site server certificate.

6. Click Submit.

7. On the Certificate Pending page, you will see that your certificate request has been
received but requires an administrator to issue the certificate. Make a note of the
displayed Request ID.

8. Do not exit Internet Explorer.

Approving the Site Server Signing Certificate on the Certification Authority
To approve the site server signing certificate
1. On the domain controller, in Certification Authority, click Pending Requests.

2. In the results pane, you will see the requested certificate with the Request ID that was displayed on the Web enrollment page.

3. Right-click the requested certificate, click All Tasks, and then click Issue. Do not close Certification Authority.

Installing the Site Server Signing Certificate on the Server That Will Run the
Configuration Manager 2007 Site Server

To install the site server signing certificate
1. On the member server, on the Microsoft Certificate Services Web page, click Home on the top right side to return to the Welcome page.

2. On the Welcome page, click View the status of a pending certificate request.

3. On the View the Status of a Pending Certificate Request page, click the hyperlink that displays the friendly name you supplied for the site server signing certificate, and the date and time in parentheses it was requested.

4. On the Certificate Issued Web page, click Install this certificate.

5. If you are prompted with a Potential Scripting Violation warning message, click Yes.

6. The final page should display that your new certificate has been successfully installed.

7. Close Internet Explorer.

The member server is now provisioned with a Configuration Manager 2007 site server signing certificate.
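The request, approval and installation procedures above can also be driven with Certreq.exe, the alternative the note mentions for servers where the Web enrollment pages no longer offer the computer-store option. This is an added example, not the guide's own script; it assumes PowerShell is available on the member server, that the template name is the display name with its spaces removed (the console default), and uses placeholder values for the site code, CA configuration string and Request ID.

```powershell
# Added example (not from the original guide): request the site server signing
# certificate with Certreq.exe instead of the Web enrollment pages.
# Assumptions (replace for your environment):
#   $SiteCode - your site code, exactly as shown in the Configuration Manager console
#   $CAConfig - "<CA host>\<CA name>" of the Enterprise CA
#   $Template - template name = display name without spaces (console default)
$SiteCode = 'ABC'                                   # placeholder
$CAConfig = 'DC01.contoso.example\Contoso Root CA'  # placeholder
$Template = 'ConfigMgrSiteServerSigningCertificate'

# The Subject must be exactly this English string: same case, no trailing
# comma or period, site code last. Configuration Manager matches on it.
$Subject = "CN=The site code of this site server is $SiteCode"

$inf = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
$inf | Set-Content -Path .\sitesigning.inf -Encoding ASCII

# 1. Build the request. MachineKeySet = TRUE creates the key pair in the
#    computer store, which is what the "Store certificate in the local
#    computer certificate store" option on the Web page did.
certreq.exe -new .\sitesigning.inf .\sitesigning.req

# 2. Submit it. Because the template requires CA certificate manager approval,
#    certreq reports the request as pending and prints the Request ID.
certreq.exe -submit -config $CAConfig .\sitesigning.req .\sitesigning.cer

# 3. On the CA, issue the pending request (same as Pending Requests > Issue):
#    certutil.exe -config $CAConfig -resubmit <RequestId>

# 4. Back on the member server, retrieve the issued certificate and install it
#    against the pending key in the computer store.
$RequestId = 42                                     # placeholder: the ID printed in step 2
certreq.exe -retrieve -config $CAConfig $RequestId .\sitesigning.cer
certreq.exe -accept .\sitesigning.cer
```

Because the private key never leaves the computer store, this avoids the user-store export/import detour the note describes.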

Deploying the Web Server Certificate
This step has four procedures:
• Creating a Windows Security Group for the Site System Servers
• Creating and Issuing the Web Server Certificate Template on the Certification Authority
• Requesting the Web Server Certificate
• Configuring IIS to Use the Web Server Certificate

Creating a Windows Security Group for the Site System Servers (Management
Point, Distribution Point, Software Update Point, State Migration Point)
To create a Windows security group for the site system server
1. On the domain controller, click Start, Programs, Administrative Tools, Active
Directory Users and Computers.

2. Right-click the domain, click New, and then click Group.

3. In the New Object – Group dialog box, enter ConfigMgr IIS Servers as the Group
name and then click OK.

4. In Active Directory Users and Computers, right-click the group you have just created and then click Properties.

5. Click the Members tab, and then click Add to select the member server.

Note
In our test environment, there is only one server to add. However, in a production
environment, it is likely that various servers will host the Configuration Manager 2007
site systems that require certificates, such as the site’s management point and distribution points. It is therefore good practice to assign permissions to a group and add the site systems that require the same type of certificate. Creating a security group for these servers enables you to assign permissions so that only these servers can use these certificates.

6. Click OK, and then click OK again to close the group properties dialog box.

7. Restart your member server (if running) so that it can pick up the new group membership.

Creating and Issuing the Web Server Certificate Template on the Certification
Authority
To create and issue the Web server certificate template on the certification authority
1. On the domain controller, while still running the Certification Authority management
console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

2. In the results pane, right-click the entry that displays Web Server in the column
Template Display Name, and then click Duplicate Template.

3. In the Properties of New Template dialog box, on the General tab, enter a template
name to generate the Web certificates that will be used on Configuration Manager site
systems, such as ConfigMgr Web Server Certificate.

4. Click the Subject Name tab, select Build from this Active Directory information, and
then select one of the following for the Subject name format:
o Common name: Select this option if you will use fully qualified domain names
for site systems in Configuration Manager (required for Internet-based client
management, and recommended for clients on the intranet).
o Fully distinguished name: Select this option if you will not use fully qualified
domain names in Configuration Manager.

5. Click the Security tab, and remove the Enroll permission from the security groups
Domain Admins and Enterprise Admins.

6. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

7. Select the following Allow permissions for this group: Read, Enroll, and Autoenroll.

8. Click OK and close the Certificate Templates management console, certtmpl –
[Certificate Templates].

9. In the Certification Authority management console, right-click Certificate Templates,
click New, and then click Certificate Template to Issue.

10. In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Web Server Certificate, and then click OK.

11. Close Certification Authority.

Requesting the Web Server Certificate
To request the Web server certificate
1. Restart the member server to ensure it can access the certificate template with the
configured permission.

2. Click Start, click Run, and type mmc.exe. In the empty console, click File and then
click Add/Remove Snap-in.

3. In the Add/Remove Snap-in dialog box, click Add, click Certificates, and then click
Add.

4. In the Certificate snap-in dialog box, select Computer account and then click Next.

5. In the Select Computer dialog box, ensure Local computer: (the computer this
console is running on) is selected, and then click Finish.

6. In the Add Standalone Snap-in dialog box, click Close.

7. In the Add/Remove Snap-in dialog box, click OK.

8. In the console that now displays Certificates (Local Computer), expand Certificates
(Local Computer), and then expand Personal.

9. Right-click Certificates, click All Tasks, and then click Request New Certificate.

10. On the Welcome to the Certificate Request Wizard page, click Next.

11. On the Certificate Types page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Next.

12. On the Certificate Friendly Name and Description page, optionally enter a friendly
name and description to help you identify this certificate, and then click Next.

13. On the Completing the Certificate Request Wizard page, click Finish.

14. You should see the Certificate Request Wizard dialog box informing you that the
certificate request was successful.

15. Close Certificates (Local Computer).

Configuring IIS to Use the Web Server Certificate
To configure IIS to use the Web server certificate
1. On the member server, click Start, click Programs, click Administrative Tools, and
then click Internet Information Services (IIS) Manager.

2. Expand Web Sites, right-click Default Web Site, and then select Properties.

3. Click the Directory Security tab, and then click Server Certificate.

4. On the Welcome to the Web Server Certificate Wizard page, click Next.

5. On the Server Certificate page, click Assign an existing certificate and then click Next.

6. On the Available Certificates page, select the Web server certificate you have just
requested, identifying it by the Intended Purpose field that has a value of Server
Authentication and the Friendly Name you supplied, and then click Next.

7. On the SSL Port page, accept the default port number of 443 and then click Next.

8. On the Certificate Summary page, click Next.

9. On the Completing the Web Server Certificate Wizard page, click Finish.

10. Click OK to close the Default Web Site Properties.

11. Close Internet Information Services (IIS) Manager.

The member server is now provisioned with a Configuration Manager 2007 Web server
certificate.
Note
If this server will be configured for software updates, there is additional IIS configuration that must be performed after WSUS is installed. For more information, see How to Configure the WSUS Web Site to Use SSL.

Deploying the Client Certificate
This step has two procedures:
• Configuring Autoenrollment of the Computer Template Using Group Policy
• Automatically Enrolling the Computer Certificate and Verifying Its Installation on Computers

Configuring Autoenrollment of the Computer Template Using Group Policy
To configure autoenrollment of the computer template using Group Policy
1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.

2. Right-click the domain, and then select Create and Link a GPO Here.

Note
This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, in a production environment you can restrict the autoenrollment so that it enrolls on only selected computers by either assigning the Group Policy at an organizational unit (OU) level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is configured as the management point.

3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and then click OK.

4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.

5. In the Group Policy Object Editor, navigate to Computer Configuration / Windows
Settings / Security Settings / Public Key Policies.

6. Right-click Automatic Certificate Request Settings, click New, and then click
Automatic Certificate Request.

7. In the Welcome to the Automatic Certificate Request Setup Wizard, click Next.

8. On the Certificate Template page, select Computer from the list of available certificate templates, and then click Next.

9. On the Completing the Automatic Certificate Request Setup Wizard page, click
Finish.

10. Close Group Policy Management.

Automatically Enrolling the Computer Certificate and Verifying Its Installation
on Computers
To automatically enroll the computer certificate and verify its installation on the client
computer
1. Restart the workstation computer, and wait a few minutes before logging on.

Note
Restarting a computer is the most reliable method of ensuring success with certificate
autoenrollment.

2. Log on with an account that has administrative privileges.

3. Click Start, click Run, and then type mmc.exe.

4. In the empty management console, click File, and then click Add/Remove Snap-in.

5. In the Add/Remove Snap-in dialog box, click Add, click Certificates, and then click
Add.

6. In the Certificate snap-in dialog box, select Computer account and then click Next.

7. In the Select Computer dialog box, ensure Local computer: (the computer this
console is running on) is selected and then click Finish.

8. In the Add Standalone Snap-in dialog box, click Close.

9. In the Add/Remove Snap-in dialog box, click OK.

10. In the console that now displays Certificates (Local Computer), expand Certificates
(Local Computer) and then click Personal.

11. In the results pane, confirm a certificate is displayed that has Client Authentication displayed in the Intended Purpose field and Computer displayed in the Certificate Template field.

12. Close Certificates (Local Computer).

13. Repeat steps 1 through 12 for the member server to verify that the server that will be configured as the management point also has a client certificate.

The workstation and member server are now provisioned with a Configuration Manager 2007 client certificate.
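The verification steps in this guide (the Intended Purpose and Certificate Template checks in the Certificates console, and the Subject string required for the site server signing certificate) can be scripted against the computer's Personal store. This is an added example, not the guide's own script; it assumes PowerShell is installed on the server being checked, uses a placeholder site code, and relies on the standard EKU OIDs for Document Signing, Server Authentication and Client Authentication.

```powershell
# Added example (not from the original guide): check the computer's Personal
# store for the three certificate types this walkthrough deploys.
# Assumption: site code is a placeholder; EKU OIDs are the standard values.
$DocumentSigning = '1.3.6.1.4.1.311.10.3.12'
$ServerAuth      = '1.3.6.1.5.5.7.3.1'
$ClientAuth      = '1.3.6.1.5.5.7.3.2'
$TemplateV1Ext   = '1.3.6.1.4.1.311.20.2'   # "Certificate Template" name for v1 templates such as Computer

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert) {
    # Return the OIDs listed in the Enhanced Key Usage extension (2.5.29.37), if any.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Test-ConfigMgrCertificates([string] $SiteCode) {
    $expectedSubject = "CN=The site code of this site server is $SiteCode"
    $result = New-Object PSObject -Property @{
        SiteServerSigning = $false; WebServer = $false; ClientCert = $false
    }
    # Only certificates with a private key are usable by the site system.
    foreach ($c in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })) {
        $ekus = @(Get-EkuOids $c)
        # Site server signing: Document Signing must be the only EKU and the
        # Subject must match the required string exactly, including case (-ceq).
        if ($ekus.Count -eq 1 -and $ekus[0] -eq $DocumentSigning -and $c.Subject -ceq $expectedSubject) {
            $result.SiteServerSigning = $true
        }
        # Web server certificate (duplicated Web Server template): Server Authentication only.
        # The Computer template also carries Server Authentication, so require it to be the sole EKU.
        if ($ekus.Count -eq 1 -and $ekus[0] -eq $ServerAuth) { $result.WebServer = $true }
        # Client certificate from the Computer template, whose internal template name is "Machine".
        $tmpl = $c.Extensions | Where-Object { $_.Oid.Value -eq $TemplateV1Ext }
        if ($ekus -contains $ClientAuth -and $tmpl -and $tmpl.Format($false) -match 'Machine') {
            $result.ClientCert = $true
        }
    }
    $result
}

Test-ConfigMgrCertificates -SiteCode 'ABC'   # placeholder site code
```

A false for SiteServerSigning with a certificate present usually means the Subject string differs from the required wording or case, which is the failure the guide warns about.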