SCCM 2012 – Security (Part 3)
Today we go ahead with Part 3 of the series of posts about security, and now it is time to talk about the web certificates.
The web certificate is the certificate used by any SCCM site role that uses IIS (well… not quite any: the FSP will not use a certificate, as it only accepts non-encrypted traffic).
Anyway, if you go to the documentation (http://technet.microsoft.com/en-us/library/gg699362.aspx) you will notice that the following services/site roles need a web certificate: Management point, Distribution point, Software update point, State migration point, Enrollment point, Enrollment proxy point, Application Catalog web service point, Application Catalog website point, Cloud-based distribution point, Network Load Balancing (NLB) cluster for a software update point**, Site system servers that run Microsoft SQL Server, and SQL Server cluster: Site system servers that run Microsoft SQL Server. The certificate purpose is server authentication.
Note: NLB for the Software Update Point only applies to SCCM 2012 without any Service Pack. If you’re using SCCM 2012 SP1 or R2, you will not use NLB for the SUP anymore.
Note 2: In this post, we’ll be focusing on the following site roles: Management point, Distribution point, Software update point, State migration point, Enrollment point, Enrollment proxy point, Application Catalog web service point, Application Catalog website point, Cloud-based distribution point.
In a Microsoft PKI environment, the certificate template that you can use as a base is Web Server; however, if you don’t want to use it, make sure that you add Server Authentication (OID 1.3.6.1.5.5.7.3.1) to the Enhanced Key Usage.
04. If your PKI is Windows Server 2012/2012 R2, in the Properties of New Template dialog box, on the Compatibility tab, make sure that Windows Server 2003 is selected under Certification Authority and Windows XP / Windows Server 2003 under Certificate
09. Click OK, and close the Certificate Templates Console. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. In the Enable Certificate Templates dialog box, select ConfigMgr Web Servers Certificate and then click OK.
Great, now that we know how to create the certificate template, we need to request the certificate. Do this on each computer running IIS.
01. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
02. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. In the Certificate snap-in dialog box, select Computer account, and then click Next.
08. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.
09. In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list and select DNS. In the Value box, specify the FQDN of the server (e.g. SCCMSERVER.COMPANY.LOCAL) and click Add. Repeat the step for any other name that is needed; for example, if the server will also be accessed from the internet, you will need to add the internet name.
12. Close Certificates (Local Computer).
Now it is time to configure IIS (I’m doing it on Windows Server 2012 R2; on older versions the steps may be different).
01. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
05. Open Internet Explorer and navigate to the HTTPS site using one of the DNS entries that was used to create the certificate (e.g. https://sccmserver.company.local). Confirm that there is no certificate issue and that the website opens without any problem.
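The browser check above only tells you the name you typed matched. As an added example (not from the original post or from Microsoft), the following PowerShell script, run on the site system, checks the same things the steps above configured: that the issued certificate in the machine store carries the Server Authentication EKU, that every expected DNS name is present in its SAN, that it has a private key and is not expired, and which certificate the HTTPS binding in IIS actually uses. The function name and the expected names are assumptions; replace them with your own FQDNs.

```powershell
# Added example (hypothetical helper, not part of the original post).
# Requires PowerShell 3.0+ on the IIS site system; the WebAdministration module
# is only needed for the binding check at the end.
function Test-ConfigMgrWebCertificate {
    param(
        # Every DNS name that was added on the Alternative name tab (assumed values).
        [Parameter(Mandatory)] [string[]] $ExpectedNames,
        # Optional: restrict the check to one certificate by thumbprint.
        [string] $Thumbprint
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My
    if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

    foreach ($cert in $certs) {
        # PowerShell exposes the EKU list and the SAN DNS names as script properties.
        $hasEku   = @($cert.EnhancedKeyUsageList.ObjectId) -contains $serverAuthOid
        $sanNames = @($cert.DnsNameList.Unicode)
        $missing  = @($ExpectedNames | Where-Object { $sanNames -notcontains $_ })
        $expired  = $cert.NotAfter -lt (Get-Date)

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            HasServerAuthEku = $hasEku
            HasPrivateKey    = $cert.HasPrivateKey
            SanNames         = ($sanNames -join ', ')
            MissingNames     = ($missing -join ', ')
            Expired          = $expired
            # Ok is true only when the certificate satisfies every requirement above.
            Ok = $hasEku -and $cert.HasPrivateKey -and ($missing.Count -eq 0) -and -not $expired
        }
    }
}

# Check the machine store against the names used when enrolling (assumed values).
Test-ConfigMgrWebCertificate -ExpectedNames 'sccmserver.company.local', 'sccm.company.com' |
    Where-Object { $_.Ok } | Format-List

# Confirm which certificate the IIS HTTPS binding is actually serving; the hash
# printed here should match the Thumbprint of the certificate reported as Ok.
Import-Module WebAdministration
Get-WebBinding -Protocol https | Select-Object bindingInformation, certificateHash, certificateStoreName
```

If no certificate is reported as Ok, or the binding's certificateHash differs from the Ok thumbprint, the IIS binding was pointed at the wrong certificate and the browser check may still have passed because another certificate matched the name.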