PKI Certificates for Configuration Manager 2012 R2 – Part 2/4 (Client Certificate for Windows Computers)
Welcome to part 2 of 4 in PKI Certificates for ConfigMgr 2012 and converting the environment from HTTP to HTTPS. In this post I will continue to show the step-by-step process (found here) for configuring and requesting the certificates that will be used with the Configuration Manager 2012 R2 environment and the clients.
For the links to all the parts of this series, see below:
Part 1 – Web Server Certificate
Part 2 – Windows Computers (You are here)
Part 3 – Distribution Points
Part 4 – Converting Roles
Creating and Issuing the Workstation Authentication Security Template
1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.
5. Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll. Click OK and close Certificate Templates Console.
6. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
7. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK.
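The two settings that matter for security in this section are the template permissions (step 5) and the fact that the CA actually issues the template (step 7). The following PowerShell script is an added example, not code from the original post; run it on the issuing CA as a user who can read the Configuration partition, with the ActiveDirectory RSAT module installed. It assumes the display name used in the post and that the template's common name is the default one the console derives by removing spaces (ConfigMgrClientCertificate); adjust the parameters if you typed something else.

```powershell
# Added example (not from the original post). Confirms that the new template is
# published on this CA and that Domain Computers holds Enroll and AutoEnroll on it.
param(
    [string]$DisplayName = 'ConfigMgr Client Certificate',   # name entered in step 4
    [string]$TemplateCN  = 'ConfigMgrClientCertificate',     # assumed: default derived template name
    [string]$EnrollGroup = 'Domain Computers'                # group granted permissions in step 5
)
Import-Module ActiveDirectory

# Step 7 check: certutil -CATemplates lists every template this CA will issue.
$issued = certutil -CATemplates 2>&1 | Out-String
if ($issued -notmatch [regex]::Escape($TemplateCN)) {
    Write-Warning "Template '$TemplateCN' is not published for issuance on this CA (step 7)."
}

# Step 5 check: read the template object's ACL from the Configuration partition
# and list which principals hold the Enroll and AutoEnroll extended rights.
# These are the well-known control-access-right GUIDs for certificate templates.
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
}
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl = Get-Acl -Path "AD:\$dn"

$grants = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $rights.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $rights[$_.ObjectType.ToString()]
        }
    }

# Show everyone who can enroll; only the group from step 5 (and administrators) is expected.
# Note: principals with Full Control also get these rights implicitly and are not listed here.
$grants | Sort-Object Principal, Right | Format-Table -AutoSize

foreach ($r in 'Enroll', 'AutoEnroll') {
    $ok = $grants | Where-Object { $_.Right -eq $r -and $_.Principal -like "*\$EnrollGroup" }
    if (-not $ok) { Write-Warning "$EnrollGroup does not hold $r on '$DisplayName' (step 5)." }
}
```

If the table lists a principal you did not intend to enroll, correct it on the template's Security tab before publishing; once the template is issued, every listed principal can request a client authentication certificate from it.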
Configuring Auto Enrollment of the Workstation Authentication Security Template
1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.
2. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK.
3. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.
4. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.
5. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.
6. From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.
7. Close Group Policy Management.
Auto enrolling the Workstation Authentication Security Template and Verifying its Installation on the Client Computer
1. Restart the workstation computer, and wait a few minutes before logging on.
2. Log on with an account that has administrative privileges.
3. In the search box, type mmc.exe, and then press Enter.
4. In the empty management console, click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
6. In the Certificate snap-in dialog box, select Computer account, and then click Next.
7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
8. In the Add or Remove Snap-ins dialog box, click OK.
9. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column.
10. Close Certificates (Local Computer).
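The same verification can be scripted, which is useful when you need to confirm enrollment across many clients before switching the site to HTTPS in part 4. The following PowerShell script is an added example, not code from the original post; run it from an elevated prompt on the client. It assumes the template display name from the post and the default AEPolicy value (7) that the console writes when auto-enrollment is Enabled with both options from step 6 of the GPO section selected.

```powershell
# Added example (not from the original post). Triggers auto-enrollment, checks that
# the GPO from the previous section applied, and looks for the client certificate
# in Computer account > Personal with the properties Configuration Manager needs.
param(
    [string]$TemplateName = 'ConfigMgr Client Certificate'   # name entered in step 4 of the template section
)

# Ask the auto-enrollment client to run now rather than waiting for the next
# policy refresh (the reboot-and-wait in step 1 achieves the same thing).
certutil -pulse | Out-Null

# AEPolicy backs "Certificate Services Client - Auto-Enrollment" in the GPO.
# 7 = Enabled + renew/update/remove revoked + update certificates that use templates.
$aePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -ne 7) {
    Write-Warning "AEPolicy is '$aePolicy' (expected 7). Run 'gpupdate /force' and check the GPO link."
}

# Certificates from a duplicated (v2) template carry the Certificate Template
# Information extension; v1 templates use Certificate Template Name instead.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

$found = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $cert    = $_
    $hasEku  = $cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid
    $tmpl    = $cert.Extensions |
               Where-Object { $templateOids -contains $_.Oid.Value } |
               ForEach-Object { $_.Format($false) }
    $hasEku -and ($tmpl -match [regex]::Escape($TemplateName))
}

if (-not $found) {
    Write-Warning "No Client Authentication certificate from template '$TemplateName' in LocalMachine\My."
    return
}

# By default the ConfigMgr client selects a certificate whose subject or SAN
# contains the computer's FQDN, so report that alongside key and chain status.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
foreach ($cert in $found) {
    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey      # required for TLS client authentication
        ChainValid      = $cert.Verify()           # builds the chain and checks revocation
        NameMatchesHost = ($cert.Subject -match [regex]::Escape($fqdn)) -or
                          ($cert.DnsNameList.Unicode -contains $fqdn)
    }
}
```

A result with HasPrivateKey, ChainValid and NameMatchesHost all True is the scripted equivalent of what step 9 shows in the console; a False ChainValid usually means the client cannot reach the CA's CRL distribution point or does not trust the root, which will also break the HTTPS management point connection later in the series.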