Home > ConfigMgr 2012 > PKI Certificates for Configuration Manager 2012 R2 – Part 3/4 (Distribution Points)

PKI Certificates for Configuration Manager 2012 R2 – Part 3/4 (Distribution Points)

Welcome to part 2 of 4 in PKI Certificates for ConfigMgr 2012 and converting the environment from http to https. In this Post I will continue to show the Step-by-Step process (found here) for configuring and requesting the certificates that will be used with the Configuration Manager 2012 R2 environment and the clients.

For the links to all the parts of this series see below

Part 1 – Web Server Certificate

Part 2 – Client Certificate for Windows Computers

Part 3 – Distribution Points (You are here)

Part 4 – Converting Roles


Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority

1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.


2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.


3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.


4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as ConfigMgr Client Distribution Point Certificate.


5. Click the Request Handling tab, and select Allow private key to be exported.


6. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group.


7. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.


8. Select the Enroll permission for this group, and do not clear the Read permission. Click OK and close Certificate Templates Console.


9. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.


10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Distribution Point Certificate, and then click OK.


11. If you do not have to create and issue any more certificates, close Certification Authority.

Requesting the Custom Workstation Authentication Certificate


This procedure requests and then installs the custom client certificate on to the member server that runs IIS and that will be configured as a distribution point.

1. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.


  1. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.


  1. In the Certificate snap-in dialog box, select Computer account, and then click Next.


  1. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.


  1. In the Add or Remove Snap-ins dialog box, click OK.


  1. In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.


  1. On the Before You Begin page, click Next.


  1. If you see the Select Certificate Enrollment Policy page, click Next.


  1. On the Request Certificates page, select the ConfigMgr Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll.


  1. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.


  1. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Distribution Point Certificate is displayed in the Certificate Template column.


  1. Do not close Certificates (Local Computer).

Exporting the Client Certificate for Distribution Points

1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export.


2. In the Certificates Export Wizard, click Next.


3. On the Export Private Key page, select Yes, export the private key, and then click Next.


If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must reconfigure the certificate template to allow the private key to be exported, and then request the certificate again.

4. On the Export File Format page, ensure that the option Personal Information Exchange – PKCS #12 (.PFX) is selected. Click Next.


  1. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.


  1. On the File to Export page, specify the name of the file that you want to export, and then click Next.


  1. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box.


8. Close Certificates (Local Computer).

9. Store the file securely and ensure that you can access it from the Configuration Manager console. The certificate is now ready to be imported when you configure the distribution point.


Categories: ConfigMgr 2012
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: