
Hi All,
If you missed Part I you can find it here, and Part II can be found here.
Today we continue with Part 3 of the series of posts about security, and now it is time to talk about web certificates.
The web certificate is the certificate used by any SCCM site role that uses IIS (well… not quite any, as the FSP does not use a certificate because it only accepts unencrypted traffic).
Anyway, if you go to the documentation (http://technet.microsoft.com/en-us/library/gg699362.aspx) you will notice that the following services/site roles need a web certificate: Management point, Distribution point, Software update point, State migration point, Enrollment point, Enrollment proxy point, Application Catalog web service point, Application Catalog website point, Cloud-based distribution point, Network Load Balancing (NLB) cluster for a software update point (see the note below), Site system servers that run Microsoft SQL Server, and SQL Server cluster (site system servers that run Microsoft SQL Server). The certificate purpose is server authentication.
Note: NLB for the Software Update Point only applies to SCCM 2012 without any Service Pack. If you're using SCCM 2012 SP1 or R2, you will not use NLB for the SUP anymore.
Note 2: In this post, we'll focus on the following site roles: Management point, Distribution point, Software update point, State migration point, Enrollment point, Enrollment proxy point, Application Catalog web service point, Application Catalog website point, Cloud-based distribution point.
In a Microsoft PKI environment, the certificate template you can use as a base is Web Server; however, if you don't want to use it, make sure that you add Server Authentication (1.3.6.1.5.5.7.3.1) to the Enhanced Key Usage.
Well… the 1st part is to create the certificate template. To do it you need to:
01. Create an Active Directory group called ConfigMgr Web Servers and add all SCCM servers that use IIS.
02. In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
03. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
04. If your PKI is Windows Server 2012/2012 R2, in the Properties of New Template dialog box, on the Compatibility tab, make sure that Windows Server 2003 is selected under Certification Authority and Windows XP / Windows Server 2003 under Certificate recipient.
04. If your PKI is Windows Server 2008/2008 R2, in the Duplicate Template dialog box, ensure that Windows Server 2003, Enterprise Edition is selected, and then click OK.
05. In the Properties of New Template dialog box, on the General tab, enter ConfigMgr Web Server Certificate as the template display name.
06. Click the Subject Name tab, and make sure that Supply in the request is selected.
07. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
08. Click Add, enter ConfigMgr Web Servers in the text box, and then click OK. Select the Enroll permission, and do not clear the Read permission.
09. Click OK, and close the Certificate Templates console. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. In the Enable Certificate Templates dialog box, select ConfigMgr Web Server Certificate and then click OK.
Great, now that we know how to create the certificate template, we need to request the certificate. Do this on each computer running IIS:
01. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
02. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. In the Certificate snap-in dialog box, select Computer account, and then click Next.
03. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. In the Add or Remove Snap-ins dialog box, click OK.
04. In the console, expand Certificates (Local Computer), and then click Personal.
05. Right-click Certificates, click All Tasks, and then click Request New Certificate.
06. On the Before You Begin page, click Next.
07. If you see the Select Certificate Enrollment Policy page, click Next.
08. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.
09. In the Certificate Properties dialog box, on the Subject tab, do not make any changes to the Subject name; this means that the Value box for the Subject name section remains blank. Instead, in the Alternative name section, click the Type drop-down list and select DNS. In the Value box, specify the FQDN of the server (e.g. SCCMSERVER.COMPANY.LOCAL) and click Add. Repeat the step for any other name that is needed; e.g. if the server will also be reached from the Internet, you will need to add the Internet name as well.
10. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.
11. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
12. Close Certificates (Local Computer).
Now it is time to configure IIS (I'm doing it on Windows Server 2012 R2; on older versions the steps may be different):
01. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
02. Expand Sites, right-click Default Web Site, and then select Edit Bindings.
03. Click the https entry, and then click Edit (if the https entry does not exist, click Add).
04. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificate template, click OK twice, and then click Close.
05. Open Internet Explorer and navigate to the HTTPS site using one of the DNS entries that was used to create the certificate (e.g. https://sccmserver.company.local). Confirm that there is no certificate issue and that the website opens without any problem.
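As an added example (not part of the original post), the following PowerShell checks on the site system what the steps above should have produced: a Server Authentication certificate with a private key in the computer's Personal store, a SAN that carries the FQDNs typed into the request, and a Default Web Site https binding that actually uses that certificate. The DNS name and the site name are assumptions; adjust them for your server.

```powershell
# Added example (not from the original post): post-enrolment check of the ConfigMgr
# web server certificate on an IIS site system. Run in an elevated PowerShell on the server.
# Assumptions: the DNS names below are the SAN entries you typed into the request, and
# 'Default Web Site' is the site you bound. Adjust both for your environment.
$ExpectedDnsNames = @('sccmserver.company.local')   # add the Internet name if you issued one
$ServerAuthOid    = '1.3.6.1.5.5.7.3.1'            # Server Authentication EKU from the template
$SanOid           = '2.5.29.17'                    # Subject Alternative Name extension

# 1. Certificates in the computer's Personal store that carry the Server Authentication
#    EKU and a usable private key: only these can serve the https binding.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
}

foreach ($cert in $candidates) {
    # 2. Read the DNS entries out of the SAN extension; the Subject was left blank in the
    #    request, so clients validate the server name against the SAN only.
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText  = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $dnsInSan = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    $missing  = $ExpectedDnsNames | Where-Object { $dnsInSan -notcontains $_ }

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Issuer       = $cert.Issuer
        SanDnsNames  = ($dnsInSan -join ', ')
        MissingNames = ($missing -join ', ')          # empty means every expected name is present
        DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

# 3. The https binding must point at one of those certificates, not at a self-signed or
#    expired one that happened to be in the store when the binding was created.
Import-Module WebAdministration
$bindings = @(Get-WebBinding -Name 'Default Web Site' -Protocol https)
if ($bindings.Count -eq 0) { Write-Warning 'Default Web Site has no https binding'; return }
foreach ($b in $bindings) {
    $hash = $b.certificateHash
    if ($candidates.Thumbprint -contains $hash) {
        "OK: binding $($b.bindingInformation) uses certificate $hash"
    } else {
        Write-Warning "binding $($b.bindingInformation) uses $hash, which is not an eligible server-authentication certificate"
    }
}
```

A non-empty MissingNames column means a client connecting with that name will get a name-mismatch error even though the certificate is otherwise valid.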