19- Configuration Manager HTTPS Communication and PKI Certificate Part 1

In this post, I will explained how I converted my existing Configuration Manager communication from HTTP to HTTPS. In this implementation, I have only one management point which serves both internet and intranet clients. I am assuming you already have an Active Directory Enterprise Certification Authority in your environment. 

First We need to make sure CRL files are accesible over HTTP. So We will configure CRL Distribution Point. Normally, you shouldn't do this on issuing CA for security purposes. CRL should be published on a seperate system designated for that role.

Start Certification Authority and right click yourorganization.SERVER-CA

Select Extensions tab and select http://.... from the CDP List.

Make sure you also select Include in CRLs and Include in the CDP extension of issued certificates checkboxes.

Click Apply and OK. Restart the Active Directory Certificate Services.

We need 3 certificates for Configuration Manager HTTPS communication. Now we will create them.

a-Web Server Certificate

b-Client Certificate

c-Client Certificate for Distribution Points

Web Server Certificate:

This certificate will be used by Configuration site systems. Lets start creating a security group and add our site systems which run IIS as  members of this group. 

Open up Certification Authority and right click the Certificate Templates choose Manage.

Right click the Web Server certificate template and choose Duplicate Template

Select Windows Server 2003 Enterprise

Give a name to the new certificate template

Open Request Handling Tab and make sure  Supply in the request radio button is selected

 Click the Security Tab, remove Enroll from Domain and Enterprise Admins Group.

Click Add button and add SCCM Site Servers Group. Make sure Enroll and Read permissions are selected for this group. Apply and OK.

Close the window and return to main window of Certification Authority Console. Right click Certificate Template, select New, Choose Certificate template to Issue.

In Enable Certificate Templates window, Select the new template you just created. We are finished with CA fro now.

Request Web Certificate for IIS:

These procedure must be done on your IIS Server. Restart your IIS Server in order to make Server to get the new certificate template (ConfigMgrWebCertificate). Then start a MMC console Add certificate Snap-In for Computer Account.

 Choose Local Computer

Right click the Personal/Certificates/All Tasks/Request New Certificate

 On Select Certificate Enrollment Policy page, just click Next

Click the "More Information is required..." link

Under the Subject Tab, Change Alternative name Type as DNS. Type your local site server address into Value box and click Add. Then type your  internet site server address into Value box and click Add. Click Apply and Ok

Select web server certificate and click the Enroll button.

Configuring IIS:

We need to bind the installed certificate to the Default Web Site. On our Site System on which IIS runs, open control panel and select Administrative Tools and start IIS. Right click on Default Web Site and select "Edit Bindings".

 Select https and click Edit.

Select the certificate that we created for Web Server and click OK. Close IIS.

At this point, we need to create 2 more certificates. In Part 2, I am going to show you how to create Client Certificate step by step.