MSEndpointMgr

ConfigMgr PKI – Part 2 (Create Certificates)

In order to walk you through the entire process of setting up ConfigMgr PKI, I am going to break this down into a number of parts.

In part 2, we will prepare and create all the required certificates. The steps are long and boring but very important!


Create certificate templates

Create ConfigMgr Web server certificate template for server authentication (IIS)

This template is used for the Management Point and Software Update Point certificates.

  1. On the member server that has Certificate Services installed, open the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
  2. Right-click Web Server, then click Duplicate Template.

  3. Make sure you choose Windows Server 2003 as the template version, not Windows Server 2008 (this choice is offered if you have Certificate Services installed on Server 2008).

  4. On the General tab, enter the template display name ConfigMgr Web Server Certificate.
  5. Change the validity period as you wish.

  6. On the Security tab, click Add.
  7. Add your ConfigMgr servers, or the ConfigMgr server AD group (if you created one), and give them the permissions Allow Read and Enroll.
    In my case, I added CM01 and CM02.

  8. Click OK to close the dialog.
Create Cloud services (for Cloud Management gateway and Cloud Distribution point) certificate template
  1. Create a duplicate of the ConfigMgr Web Server Certificate template we just created (remember to choose Windows Server 2003).

  2. On the General tab, change the template display name to ConfigMgr Cloud Services Certificate.

    You don’t need separate certificate templates for the cloud management gateway and the cloud distribution point; one template serves both.

  3. Change the validity period as you wish.

  4. On the Request Handling tab, check Allow private key to be exported.

  5. Click OK to close the dialog.
Create client authentication certificate template
  1. Right-click Workstation Authentication and click Duplicate Template.
  2. On the General tab, change the display name to ConfigMgr Client Certificate.
  3. Change the validity period as you wish.

  4. On the Security tab, click Add.
  5. Add Domain Computers and give them the permissions Allow Read, Enroll and Autoenroll.

  6. Click OK to close the dialog.
Create Distribution point certificate template
  1. Right-click Workstation Authentication and click Duplicate Template.
  2. On the General tab, change the display name to ConfigMgr Distribution Point certificate.
  3. Change the validity period as you wish.

  4. On the Request Handling tab, check Allow private key to be exported.
  5. On the Security tab, click Add.
  6. Add your distribution point server and give it the permissions Allow Read and Enroll.
  7. Click OK to close the dialog.

Now we should see the four ConfigMgr certificate templates we created. Close the Certificate Templates console.

Enable Certificates to be issued

  1. Right-click Certificate Templates, then choose New > Certificate Template to Issue.

  2. Choose the four certificate templates we just created.
  3. You should now see the four ConfigMgr templates listed under Certificate Templates.

  4. Close the Certification Authority console.
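As an added check that is not part of the original post: the wizard settings above end up as attributes on template objects in Active Directory, so you can confirm the four templates were created the way the steps describe (schema version 2 for the "Windows Server 2003" choice, the exportable-key flag only on the cloud services and distribution point templates) and list which templates the CA will actually issue. The script assumes the ActiveDirectory module is available, that it runs on the CA (or that you add `-config CAHOST\CAName` to the certutil call), and that the display names match the post; the exportable-key bit value (0x10 in msPKI-Private-Key-Flag) and the interpretation of pKIExpirationPeriod are from the Microsoft template documentation.

```powershell
# Added example (not from the original post): audit the four ConfigMgr templates
# in AD and list the templates the CA is enabled to issue.
Import-Module ActiveDirectory

# Expected per template: display name -> must the private key be exportable?
$expected = @{
    'ConfigMgr Web Server Certificate'         = $false
    'ConfigMgr Cloud Services Certificate'     = $true
    'ConfigMgr Client Certificate'             = $false
    'ConfigMgr Distribution Point certificate' = $true
}

# Certificate templates live in the forest's Configuration partition
$config = (Get-ADRootDSE).configurationNamingContext
$base   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"

# CTPRIVATEKEY_FLAG_EXPORTABLE_KEY bit of msPKI-Private-Key-Flag
$ExportableFlag = 0x10

foreach ($display in $expected.Keys) {
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$display)" `
            -Properties name, displayName, 'msPKI-Private-Key-Flag', `
                        'msPKI-Template-Schema-Version', pKIExpirationPeriod
    if (-not $t) { Write-Warning "Template '$display' not found in AD"; continue }

    $exportable = ($t.'msPKI-Private-Key-Flag' -band $ExportableFlag) -ne 0

    # pKIExpirationPeriod is a negative FILETIME interval in 100 ns units
    $ticks        = [BitConverter]::ToInt64([byte[]]$t.pKIExpirationPeriod, 0)
    $validityDays = [math]::Round((-$ticks) / 864000000000)

    [pscustomobject]@{
        DisplayName   = $display
        TemplateName  = $t.name     # the name Get-Certificate -Template expects
        SchemaVersion = $t.'msPKI-Template-Schema-Version'   # 2 = "Windows Server 2003"
        Exportable    = $exportable
        ExportableOK  = ($exportable -eq $expected[$display])
        ValidityDays  = $validityDays
    }
}

# Templates the CA is configured to issue (the "Enable certificates to be issued" step).
# certutil prints plain text, so just filter for the ConfigMgr names.
certutil -CATemplates | Select-String 'ConfigMgr'
```

If ExportableOK is false for the web server or client template, the template allows exporting keys that never need to leave the server; fix that in Request Handling before issuing anything from it.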

Request certificates

Request certificate for Cloud management gateway (Optional)
  1. You need a DNS name that is unique in Azure for the cloud service, so go to the Azure portal at https://portal.azure.com.
    Click New and type Cloud Service. Click Cloud Service and then click Create.

  2. In DNS name, enter the name you wish to use and check its availability. In my case, I will use smsbootCMG.cloudapp.net as my Cloud management gateway address.
    IMPORTANT: Do not actually create the cloud service; this step is only for checking DNS name availability.

  3. Open MMC as administrator.
  4. Click File > Add/Remove Snap-in…
  5. In the Available snap-ins list, choose Certificates.
  6. In the Certificates snap-in, choose Computer account.

  7. Click Next > Finish > OK.
  8. Open Certificates (Local Computer) – Personal – Certificates.
  9. Right-click Certificates and choose All Tasks > Request New Certificate…

  10. Click Next twice. You should now see the templates available for enrollment.

  11. Check the checkbox for ConfigMgr Cloud Services Certificate.
  12. Click “More information is required to enroll for this certificate. Click here to configure settings.”
  13. On the Subject tab, in the Subject name Type drop-down, choose Common Name.
  14. In Value, enter smsbootCMG.cloudapp.net (see step 2) and click Add >.
    NOTE: You can also use your own public domain name instead of cloudapp.net; just remember to add a CNAME record for it in your public DNS.

  15. On the General tab, enter ConfigMgr CMG as the Friendly name and Description.

    Tip: I always put some text in the Friendly name and Description, as it makes those certificates easier to find for later use. This is especially true when you have many ConfigMgr roles on the same server.

  16. Click OK, then Enroll, then Finish.

  17. Now you have requested your cloud management gateway certificate.
Request Web certificate (IIS) for MP, SUP, DP

We need to request a web certificate for the Management Point, Software Update point and Distribution point. Then we will need to assign these certificates in IIS.

  1. Log on to the servers that host the MP, SUP and DP roles.
  2. Use the ConfigMgr Web Server Certificate template to request the certificate.
  3. Don’t change anything under Subject name Type.
  4. Under Alternative name, choose the Type DNS.
  5. In Value, add both the FQDN and the NetBIOS name of your MP, SUP or DP.

  6. On the General tab, enter ConfigMgr CM01 Web Server as the Friendly name and Description.
Request certificate for Distribution point
  1. Use the ConfigMgr Distribution Point certificate template to request the certificate.
  2. Click Enroll.
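The same three requests (CMG, web server and distribution point) can be made from PowerShell with the PKI module's Get-Certificate, which also lets you inspect exactly what the CA issued before you bind anything in IIS. This is an added example, not code from the post. It assumes the template names are the display names from the post with the spaces removed (Get-Certificate takes the template name, not the display name; compare with the Name column in the Certificate Templates console if yours differ), that it runs on the server hosting the MP/SUP/DP roles, and that smsbootCMG.cloudapp.net is the CMG name. The post leaves the subject empty in the wizard for the web server certificate; this example supplies CN=<FQDN> in addition to the two DNS SANs.

```powershell
# Added example (not from the original post): request the server-side
# certificates with Get-Certificate and show what was issued.
Import-Module PKI

$store   = 'Cert:\LocalMachine\My'
$netbios = $env:COMPUTERNAME
$fqdn    = [System.Net.Dns]::GetHostEntry($netbios).HostName   # e.g. CM01.corp.example.com (hypothetical)

function Request-FromTemplate {
    param(
        [string]$Template,
        [string]$FriendlyName,
        [string]$SubjectName,
        [string[]]$DnsName
    )
    $params = @{ Template = $Template; CertStoreLocation = $store }
    if ($SubjectName) { $params.SubjectName = $SubjectName }
    if ($DnsName)     { $params.DnsName     = $DnsName }

    $result = Get-Certificate @params
    if ($result.Status -ne 'Issued') {
        throw "Enrollment from template '$Template' ended with status $($result.Status)"
    }
    # FriendlyName is written back to the store entry, so it persists
    $result.Certificate.FriendlyName = $FriendlyName
    $result.Certificate
}

# Web server (IIS) certificate for MP/SUP/DP: FQDN and NetBIOS name as DNS SANs
$web = Request-FromTemplate -Template 'ConfigMgrWebServerCertificate' `
                            -FriendlyName "ConfigMgr $netbios Web Server" `
                            -SubjectName "CN=$fqdn" -DnsName $fqdn, $netbios

# Cloud services certificate for the CMG: common name is the cloud service DNS name
$cmg = Request-FromTemplate -Template 'ConfigMgrCloudServicesCertificate' `
                            -FriendlyName 'ConfigMgr CMG' `
                            -SubjectName 'CN=smsbootCMG.cloudapp.net'

# Distribution point certificate: the subject is built from AD, nothing to supply
$dp  = Request-FromTemplate -Template 'ConfigMgrDistributionPointcertificate' `
                            -FriendlyName "ConfigMgr $netbios Distribution Point"

# Decode one extension of a certificate to its display text ('' if absent)
function Get-ExtensionText([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid) {
    $e = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($e) { $e.Format($false) } else { '' }
}

# Show what the CA actually issued: template, SANs, EKU and expiry
function Show-IssuedCert([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    [pscustomobject]@{
        FriendlyName = $Cert.FriendlyName
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        Template     = Get-ExtensionText $Cert '1.3.6.1.4.1.311.21.7'   # Certificate Template Information
        SANs         = Get-ExtensionText $Cert '2.5.29.17'              # Subject Alternative Name
        EKU          = Get-ExtensionText $Cert '2.5.29.37'              # Extended Key Usage
        NotAfter     = $Cert.NotAfter
    }
}
$web, $cmg, $dp | ForEach-Object { Show-IssuedCert $_ } | Format-List
```

Check the SANs line of the web server certificate before binding it in IIS: clients connect by FQDN, and a certificate issued with only the NetBIOS name will fail their name check.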

Export certificates

You will need to export all of the certificates you have just created.

Export Cloud management gateway certificates
  1. Right-click the ConfigMgr CMG certificate, choose All Tasks > Export, and go through the wizard.

  2. Choose No, do not export the private key, and save it as CMG.cer in the D:\ConfigMgr folder.

  3. Export the ConfigMgr CMG certificate again; this time choose Yes, export the private key.

  • Add a password to protect your private key.

  • Next, save it as CMG.pfx in the D:\ConfigMgr folder.
Export Distribution point certificates

Note: This has nothing to do with Co-management. Since most ConfigMgr roles are using SSL, however, I wanted to use SSL on the distribution point too.

  1. Right-click the ConfigMgr Distribution Point certificate and repeat the steps used to export the ConfigMgr CMG certificate, but only the export that includes the private key is needed.
  2. Save it as CM01DP.pfx in the D:\ConfigMgr folder.
Export Root certificates
  1. Open any of those certificates, for example ConfigMgr CM01 Web Server.

  2. On the Certification Path tab, select the root CA at the top of the path and click View Certificate.

  3. On the Details tab, click Copy to File…

  4. Save it as RootCA.cer in the D:\ConfigMgr folder.
  5. If you have a subordinate CA, you need to export that as well.
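The three exports above can also be scripted, which avoids clicking through the wizard on every server and handles the subordinate CA case from step 5 automatically by walking the certification path instead of reading it off the dialog. This is an added example, not code from the post. It assumes the certificates carry the friendly names used in the post (ConfigMgr CMG and ConfigMgr CM01 Web Server) plus an assumed friendly name of ConfigMgr CM01 Distribution Point for the DP certificate, and that D:\ConfigMgr is the export folder.

```powershell
# Added example (not from the original post): export CMG.cer, CMG.pfx, CM01DP.pfx
# and the CA certificates from the chain to D:\ConfigMgr.
Import-Module PKI

$outDir = 'D:\ConfigMgr'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Ask for the PFX password instead of embedding it in the script
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported private keys'

function Get-CertByFriendlyName([string]$FriendlyName) {
    $c = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object FriendlyName -eq $FriendlyName)
    if ($c.Count -eq 0) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }
    if ($c.Count -gt 1) { throw "More than one certificate named '$FriendlyName'; export by thumbprint instead" }
    $c[0]
}

# 1. CMG: public part only (CMG.cer) and certificate plus private key (CMG.pfx)
$cmg = Get-CertByFriendlyName 'ConfigMgr CMG'
Export-Certificate    -Cert $cmg -FilePath "$outDir\CMG.cer" -Type CERT | Out-Null
Export-PfxCertificate -Cert $cmg -FilePath "$outDir\CMG.pfx" -Password $pfxPassword | Out-Null

# 2. Distribution point: only the PFX is needed (assumed friendly name)
$dp = Get-CertByFriendlyName 'ConfigMgr CM01 Distribution Point'
Export-PfxCertificate -Cert $dp -FilePath "$outDir\CM01DP.pfx" -Password $pfxPassword | Out-Null

# 3. Root CA (and any subordinate CAs) taken from the web server certificate's chain.
#    Element 0 is the leaf, the last element is the root; anything in between is a sub CA.
$web   = Get-CertByFriendlyName 'ConfigMgr CM01 Web Server'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($web)) {
    $status = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    Write-Warning "Chain for '$($web.Subject)' did not validate: $status"
}
$elements = @($chain.ChainElements | ForEach-Object Certificate)
if ($elements.Count -lt 2) { throw 'No issuing CA found in the chain; is the CA certificate installed on this server?' }

$root = $elements[-1]
Export-Certificate -Cert $root -FilePath "$outDir\RootCA.cer" -Type CERT | Out-Null
for ($i = 1; $i -lt $elements.Count - 1; $i++) {
    Export-Certificate -Cert $elements[$i] -FilePath "$outDir\SubCA$i.cer" -Type CERT | Out-Null
}

# The .pfx files contain private keys: restrict them to local Administrators (SID S-1-5-32-544)
Get-ChildItem "$outDir\*.pfx" | ForEach-Object {
    icacls $_.FullName /inheritance:r /grant:r '*S-1-5-32-544:F' | Out-Null
}

Get-ChildItem $outDir
```

Keep the password you entered; it is needed again when the PFX files are uploaded for the CMG and imported on the distribution point in the later parts.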

Configuring Auto enrollment of the Workstation Authentication Template by Using Group Policy

  1. Create a new GPO named Autoenroll Certificate.

  2. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
  3. Open Certificate Services Client – Auto-Enrollment and set Configuration Model: Enabled.
  4. Right-click Trusted Root Certification Authorities and choose Import…

  • Import the RootCA.cer we just exported, using the default settings.

  • Link this GPO to your domain, so that domain-joined computers automatically get the ConfigMgr Client Certificate.
  • Log on to a domain-joined machine and run gpupdate /force so that it applies the auto-enroll certificate policy we just created (or restart the computer).
  • After the auto-enroll certificate GPO is applied, you should see the new certificate in the computer’s Personal store, with the Certificate Template column showing ConfigMgr Client Certificate.

When you have finished all these steps, you should have 8 certificates in total in the D:\ConfigMgr folder.

Next up: How to set up ConfigMgr PKI – Part 3 (Cloud Management Gateway)
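To confirm the last bullet without opening the certificates console on every test machine, the following added script (not from the post) can be run on a domain-joined computer after the GPO is linked. It applies the policy, triggers an autoenrollment pass, then looks for certificates issued from the ConfigMgr Client Certificate template (display name as used in the post) and checks that each has the Client Authentication EKU and chains to a root that is present in the machine's Trusted Root store.

```powershell
# Added example (not from the original post): verify auto-enrollment on a client.

# Apply the policy now and start an autoenrollment pass instead of rebooting
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 10   # give the autoenrollment task a moment to run

$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
$clientAuthOid   = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU

# Decoded template extension text ('' if the certificate has none). When the
# template name cannot be resolved the text shows the template OID instead.
function Get-TemplateInfo([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $e = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
    if ($e) { $e.Format($false) } else { '' }
}

$clientCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    (Get-TemplateInfo $_) -like '*ConfigMgr Client Certificate*'
})

if ($clientCerts.Count -eq 0) {
    Write-Warning "No ConfigMgr Client Certificate present yet. Check 'gpresult /r' for the GPO and the CA's Failed Requests folder."
    return
}

foreach ($c in $clientCerts) {
    $hasClientAuth = $c.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid

    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($c)
    $root    = @($chain.ChainElements)[-1].Certificate
    $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)

    [pscustomobject]@{
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        NotAfter      = $c.NotAfter
        ClientAuthEKU = $hasClientAuth
        ChainValid    = $chainOk
        RootInStore   = $rootInStore
        RootSubject   = $root.Subject
    }
}
```

RootInStore being false while the certificate itself was issued usually means the Trusted Root import in the GPO did not apply; the ConfigMgr client will then reject the management point's certificate even though its own enrollment worked.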

Sandy Zeng

Sandy has been an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist with over 10 years in the field, skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft technologies; she has a passion for learning new skill sets, both to improve her professional career and as a hobby. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

11 comments

    • I didn’t find any cost details on this. I seem to remember one subscription can upload 150 Azure Management certs, but I’m not 100% sure.

  • Hi,

    Could you please tell me, if I don’t use “https” MP, SUP, DP on the primary site, then which certificates and enrollment are NOT required?

    • If you don’t use https, that means you are using ConfigMgr CB 1806 enhanced HTTP, is that right? In this case, you don’t need the web service certificate and the distribution point certificate. However, in my steps the cloud services template is a duplicate of the web service certificate template, so you will need to create the correct templates.

      • I’m using 1802. Testing in a lab.
        I have a setup like: primary site with MP, DP (http).

        And I want to make another site which is https-enabled for internet clients, having CMG, MP, SUP, DP.

        PLEASE suggest as per this setup.

  • Hello Sandy, first of all, great blog!
    Secondly, I have a question:
    is it necessary for the Azure management certificate to have the suffix “cloudapp.net” in the DNS name?

    • Hi Peter,
      Based on my tests for CMG and Cloud DP, it was not necessary to use the suffix “cloudapp.net” for the Azure management certificate.
      But since it was mentioned in Microsoft Docs, perhaps there are some reasons for that. Honestly, I don’t know. 🙂
      — Sandy

  • Hi,

    Thanks for the informative blog. For the certificate creation, which server do we use? Does it matter? For example, for the Azure certificates, do we generate them from the web server, or is any server fine?

    I am looking at setting this up for a corporate customer. They have a strict security policy and do not like the idea of auto-provisioning the Azure VM instance when creating the CMG. They want to set one up beforehand with the proper subnet etc. and security settings. My question is, after the creation of the CMG in the console, can we point it to the Azure VM we want?

    Thanks.
