SCCM 2012 – Security (Part 4)

SCCM 2012 – Security (Part 4)
Rate this post

Hi All,

If you missed the Part I you can find it here and Part II can be found here and Part III can be found here

today we go ahead with the Part 4 of the series of posts about security and now it is time to talk about the DP certificates.

The DP certificate is the certificate that is used by any Distribution Point Site role and need to have the private key exported with it as it will be imported during/after the creation of the role. This is also the certificate that you can use on your media when creating one.

Anyway, if you go to the documentation (http://technet.microsoft.com/en-us/library/gg699362.aspx) you’ll noticed that in a Microsoft PKI environment, the certificate that you can use as base is the Workstation Authentication, however, if you don’t want to use it, make sure that the Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2) and you’ll also see that The private key must be exportable.

Note: it is a best practices to create one certificate for each DP, but it is not a requirement as you can use same certificate for multiple DP’s.

Well…the 1st part, is to create the certificate. To do it you need:
01. Create an Active Directory Group Called ConfigMgr DP Servers and add all SCCM Servers that will have the DP role installed
DP01

02. In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
cert01

03. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
DP02

04. If your PKI is Windows Server 2012/2012 R2, In the Properties of New Template dialog box, on the Compability tab, make sure that Windows Server 2003 is selected under Certification Authority and Windows XP / Windows Server 2003 under Certificate
DP03

04. If your PKI is Windows Server 2008/2008 R2, In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
cert01

05. In the Properties of New Template dialog box, on the General tab, enter ConfigMgr DP Server Certificate as template display name.
DP04

06. Click the Request Handling tab, and select Allow private key to be exported.
DP05

07. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
DP06

08. Click the Security tab, and remove the Enroll and Autoenroll permission from the security groups Domain Controllers and Domain Computers.
DP07

09. Click Add, enter ConfigMgr DP Servers in the text box, and then click OK and Select the Enroll permission, and do not clear the Read permission.
DP08

10. Click OK, and close the Certificate Templates Console. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. In the Enable Certificate Templates dialog box, select ConfigMgr DP Servers Certificate and then click OK.
DP09

Great, now that we now how to create the certificate template, we need to request the certificate, but this will be done in another post

Tags:

Comments are closed.
%d bloggers like this: