PKI Certificates for Configuration Manager 2012 R2 – Part 1 of 4 (Web Server Certificate)
This is the first post in a four-part series. In this post I will show the step-by-step process (found here) for configuring and requesting the certificates that will be used by the Configuration Manager 2012 R2 environment and its clients.
Part 1 – Webserver Certificate (You are here)
Part 2 – Windows Computers
Part 3 – Distribution Points
Part 4 – Converting Roles
The Lab environment consists of two servers for this scenario.
Windows Server 2012 R2 Domain Controller
Windows Server 2012 R2 with System Center 2012 R2 – Configuration Manager (Single Server Installation)
Creating the Web Server Certificate
This procedure creates a certificate template for Configuration Manager site systems and adds it to the certification authority.
1. The first step is to create a security group that will contain the System Center 2012 Configuration Manager site systems that run IIS. In this example I will be using the name ConfigMgr IIS Servers.
Add the Configuration Manager IIS Servers as members of this group.
2. Open the Certification Authority console on the member server that has it installed. Right-click Certificate Templates and click Manage to load the Certificate Templates console.
3. The Certificate Templates console window will open. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
Note: Do not select Windows Server 2008, Enterprise Edition. That template version produces CNG (v3) certificates, which Configuration Manager 2012 R2 does not support.
5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.
6. Click the Subject Name tab. Make sure that Supply in the request is selected.
7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.
9. Select the Enroll permission for this group. Do not clear the Read permission. Click OK, and close the Certificate Templates Console.
10. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
11. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK.
12. If you do not need to create and issue any more certificates, close the Certification Authority console.
Requesting the Web Server Certificate
Now that we have created the Web Server Certificate template, we need to request a certificate for the member server that runs IIS. This procedure lets you specify the intranet and Internet FQDN values that will be configured in the site system server properties, and then installs the web server certificate onto the member server that runs IIS.
1. I recommend restarting the member server that runs IIS. This will ensure that the computer can access the certificate template that you just created by using the Read and Enroll permissions that you configured.
- Click Start, click Run, and type mmc.exe. Click File, and then click Add/Remove Snap-in.
- The Add or Remove Snap-ins window will open. Select Certificates from the list of Available snap-ins, and then click Add.
- The Certificate snap-in window will open. Select Computer account, and then click Next.
- The Select Computer dialog box window will open. Ensure Local computer: (the computer this console is running on) is selected. Click Finish.
- The Add or Remove Snap-ins dialog box will return. You will now see Certificates (Local Computer) in the Selected snap-ins column. Click OK.
- In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.
- On the Before You Begin page, click Next.
- If you see the Select Certificate Enrollment Policy page, click Next.
- On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.
- In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.
- In the Value box, specify the FQDN values that you will enter in the Configuration Manager site system properties, click Add, and then click OK to close the Certificate Properties dialog box.
- On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.
- On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. Close Certificates (Local Computer).
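The same request can be made from the command line with certreq, which is useful when the MMC wizard is not available or the request must be repeatable. This is an added example, not code from the original post; it assumes the template's internal name is ConfigMgrWebServerCertificate, that the issuing CA is reachable as 'CA01.contoso.com\Contoso Issuing CA', and that the two FQDNs are the ones entered in the site system properties.

```powershell
# Added example (not from the original post): request the ConfigMgr web server
# certificate with certreq instead of the Certificates MMC wizard.
# Assumptions: template internal name, CA config string and FQDNs are placeholders.
$TemplateName = 'ConfigMgrWebServerCertificate'      # Template name (no spaces), not the display name
$CaConfig     = 'CA01.contoso.com\Contoso Issuing CA' # "<CA host>\<CA common name>"
$DnsNames     = @('cm01.contoso.com', 'cm01.contoso.net')  # intranet and Internet FQDNs
$WorkDir      = Join-Path $env:TEMP 'cmwebcert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# The Subject is deliberately omitted, matching the procedure above: the subject name
# stays blank and every FQDN goes into the Subject Alternative Name extension (OID 2.5.29.17).
$SanValue = ($DnsNames | ForEach-Object { "dns=$_" }) -join '&'

# KeySpec = 1 and the legacy RSA SChannel CSP keep the key non-CNG, which is what the
# Windows Server 2003 template version (and Configuration Manager 2012 R2) expects.
$Inf = @"
[NewRequest]
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$SanValue"

[RequestAttributes]
CertificateTemplate = $TemplateName
"@

$InfPath = Join-Path $WorkDir 'request.inf'
$ReqPath = Join-Path $WorkDir 'request.req'
$CerPath = Join-Path $WorkDir 'issued.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1) build the CSR and create the pending private key in LocalMachine\My
certreq.exe -new $InfPath $ReqPath
# 2) submit to the enterprise CA (the duplicated Web Server template auto-issues by default;
#    if the CA is set to require approval, use 'certreq -retrieve <RequestId>' afterwards)
certreq.exe -submit -config $CaConfig $ReqPath $CerPath
# 3) install the issued certificate and pair it with the pending key
certreq.exe -accept $CerPath
```

Run this in an elevated PowerShell session on the member server, because the key is created in the machine store and the server's computer account is what holds Enroll on the template through the ConfigMgr IIS Servers group.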
Configure IIS to use the Web Server Certificate
This procedure binds the installed certificate to the IIS Default Web Site.
- On the member server that has IIS installed, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
- Expand Sites, right-click Default Web Site, and then select Edit Bindings.
- Click the https entry, and then click Edit.
- In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificate template, and then click OK.
- Click OK in the Edit Site Binding dialog box, and then click Close. Close Internet Information Services (IIS) Manager.
The member server is now provisioned with a ConfigMgr Web Server certificate.
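Before moving on to the next part, it is worth confirming that the certificate IIS is actually serving is the one issued from the template and that it carries the FQDNs the site system will advertise. The following check is an added example, not code from the original post; it assumes the template's internal name is ConfigMgrWebServerCertificate, that the expected FQDNs are the two placeholders listed, and that the binding is on Default Web Site.

```powershell
# Added example (not from the original post): verify the ConfigMgr web server certificate
# on the member server and confirm the HTTPS binding on the Default Web Site uses it.
# Assumptions: template internal name, FQDNs and site name are placeholders.
Import-Module WebAdministration

$TemplateName  = 'ConfigMgrWebServerCertificate'
$ExpectedNames = @('cm01.contoso.com', 'cm01.contoso.net')   # values entered in site system properties
$SiteName      = 'Default Web Site'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                         # Server Authentication EKU

function Test-ConfigMgrWebCert {
    # The Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) is present on
    # certificates issued from v2 templates; Format() renders "Template=<name>(<oid>)..." when
    # the template name resolves from Active Directory.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $tpl -and ($tpl.Format($false) -like "*$TemplateName*")
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

    if (-not $cert) {
        Write-Warning "No certificate issued from template $TemplateName was found in LocalMachine\My"
        return $false
    }

    $missingNames = @($ExpectedNames | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ })
    $binding      = Get-WebBinding -Name $SiteName -Protocol https

    $checks = [ordered]@{
        'Has private key'             = $cert.HasPrivateKey
        'Not expired'                 = ($cert.NotAfter -gt (Get-Date))
        'Server Authentication EKU'   = (@($cert.EnhancedKeyUsageList.ObjectId) -contains $ServerAuthOid)
        'SAN covers site FQDNs'       = ($missingNames.Count -eq 0)
        'HTTPS binding uses this cert'= ($null -ne $binding -and (@($binding.certificateHash) -contains $cert.Thumbprint))
    }

    Write-Host ("Certificate: {0} (expires {1})" -f $cert.Thumbprint, $cert.NotAfter)
    foreach ($c in $checks.GetEnumerator()) {
        Write-Host ('{0,-30} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' }))
    }
    if ($missingNames.Count) { Write-Host ("Missing SAN entries: {0}" -f ($missingNames -join ', ')) }

    return -not ($checks.Values -contains $false)
}

Test-ConfigMgrWebCert
```

A FAIL on the SAN line usually means a FQDN was typed differently in the request than in the site system properties, and a FAIL on the binding line means the Edit Site Binding step selected an older certificate; both are worth catching now, because clients will refuse the HTTPS connection rather than report a clear error later.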