We have had a number of recent requests from our customers on the certificate requirements and configuration steps required to configure HTTPS communication in a ConfigMgr 2012 environment.

I would like to give a massive thank you to Ravi Kalwani, a member of the ANZ Microsoft ConfigMgr Premier Field Engineering (PFE) team who put this guide together.

This post contains the step-by-step configuration needed to successfully implement HTTPS communication in your ConfigMgr 2012 R2 environment.

Creating Templates for Site Systems and Clients Certificates

Create a template for ConfigMgr Clients

On the issuing Certificate Authority go to Administrative Tools and Open Certificate Authority Console

 Right Click On Certificate Templates and Click Manage to open Certificate Template Console

Now right-click on Workstation Authentication and click Duplicate Template

Make sure to use Server 2003, not 2008

We are first creating Certificate Template for ConfigMgr client Authentication Certificate, so give the Template a Name that would related to what it would generate Certificates for, I have chosen Name “ConfigMgr Client Certificate”

Click on the Security tab, select the Domain Computers group and add permissions of Read and Autoenroll, do not clear Enroll

 Now Click on the Subject Name Tab, and Select DNS name in Build from this Active Directory information, Then click OK.

 Refresh Certificate Template console to see the new template in there.

Create a template for Site Systems (MP, DP, SUP and/or WSUS)

Still in Certification Authority, in the Certificate Templates list we’ll setup the next template.Right-click on the Web Server template, and click Duplicate. On the General tab, change the Template something more appropriate like ConfigMgr Web Server Certificate. 

 Next click the Security tab, and add your SCCM server to the permissions list and add the Enroll permission.

If you were running a SCCM configuration with multiple sites and servers, it is recommended you create a SCCM Servers Active Directory Security Group. I’ve created an AD security group called ConigMgr_Servers. So I’ve added the Group with Enroll permission. 

 Now Click on the Subject Name Tab, and Select Build from this Active Directory information, and then Select DNS name. Then click OK.

Create a ConfigMgr Client template for WinPE Images

This step is only needed if you have all you MP/DP running in https. In this step we are creating a Client Authentication certificate that will be used to generate certificate for WinPE images, which will later contact MP and DP on Https.

If you don’t have all MP/DPs in HTTPs you can continue to build image via Task Sequence and WinPE images will contact HTTP MP and not HTTPS

 On the Request Handling tab select Allow private key to be exported. 

 On the Security tab add your SCCM servers group, and give Enroll permission. Click Apply, then OK.

 Now if you look at the Certificate Templates Console you will see our three new templates. 

 We can now close the Certificate Templates Console. 

Enable Certificates to be issued

Open Certificate Authority Console-> Right Click Certificate Templates-> Select New-> Certificate to Issue   

Select all three of the ConfigMgr templates we created then click OK.

 They will then show up in the Certificate Templates listing. Once you verify that, you can close the Certification Authority console. 

Create an Auto-Enrol GPO for the Client Certificate template  

Request Web Server Certificate on MP, DP and SUP

 Now we need to setup the appropriate certificates on our System Center Configuration Manager Management Point. The first thing you will need to do is reboot your SCCM server. This is so that it will pick up the permissions change that will allow it to register for the Web Server Certificate.

 Once the reboot completes, click Start > Run.  Type mmc.exe and click OK.  Click File > Add/Remove Snap-In, Choose Certificates and click Add.  Choose Computer Account, click Next.  Choose Local Computer, click Finish.  Click OK, and then expand the Certificates tree to the Personal > Certificates folder.

You may notice that your SCCM server has Auto-enrolled for and received its Client Authentication Certificate we just setup. 

 

 Leave the default on this page, and click Next           

  Once you see Status: Succeeded, Click Finish  

  Now you will be able to see both all three Certificates on Certificate Console of Site Server  

Now we need to export the Client Distribution Point Certificate while we are in the Certificates Management console. Right-click the certificate that shows template name as Certificate WinPE images and click Export. 

 Click next on the “Welcome to the Certificate Export Wizard

  Select “Yes, export the private key”, if you see this option greyed out, you probably have wrong certificate selected.

 Select “Personal Information Exchange – PCK #12 (.PFX)” and click Next

  Set a password in this screen and click next, you will need this certificate while importing it to Distribution point property.

  Select Destination where would you like to export the certificate, and give it a descriptive name.

 

Click Finish

Importing Certificates in IIS

After all the certificates have been requested we need to now import the Web Server Certificate to the Default Website and WSUS Website in IIS.
Launch IIS Manager (Start > Administrative Tools > Internet Information Services (IIS) Manager).Navigate to the Default Website, right-click it and select Edit Bindings.

 Select the https binding and click Edit

          
        
Select the https binding and click Edit. The select the ConfigMgr Web Server Certificate and then click OK. I highly recommend viewing your certificate afterwards, checking the Details tab, to ensure you selected the correct one.

 Now do the same on WSUS Website.
         
Select Appropriate Certificate (not SQL), and click OK. 

  And Click Close.
 

  Last Piece of configuration that we need to do is, manually configure five WSUS virtual directories to use SSL. The five Virtual directories are(APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService)
The Virtual directories has also been definied in the TechNet document http://technet.microsoft.com/en-us/library/bb633246.aspx          
         
Putting ApiRemoting in SSL

 Check the box Require SSL and Select Ignore under Client certificates
 

 Now do the same for rest of four Virtual directories mentioned above.

Configuring MP, DP and SUP to use SSL

 Now that we have completed all our certificates pre-requisites and ready to configure ConfigMgr Components to use SSL.  

Configuring Management Point to use SSL

Go to Management Point Property, (Open ConfigMgr console>Administration Workspace>Site Configuration>Servers and Site System Roles>Select Your Sever and Right Click on Management Point Role and Click Property.

Select HTTPs from the Client Connections options, this will kick off Reinstallation of Management Point, and reconfigure its Virtual directories to use HTTP communication only.  

 You can see MP Reinstallation happening in MPSEtup.log

Configuration Distribution Point Role to SSL

Go to Distribution Point Property, (Open ConfigMgr console>Administration Workspace>Site Configuration>Servers and Site System Roles>Select Your Sever and Right Click on Distribution Point Role and Click Property

 

Select HTTPS under Specify how client computers communicate with this distributionpoint

If you would like Clients to communicate back to DP on HTTPS even during Task Sequence than you would need to Select Import Certificate under Create a self-signed certificate or import a PKI client certificate

 Click Apply, This will reconfigure this Distribution Point virtual directory to Use Only HTTPS communication

Configure WSUS/SUP to use HTTPs

Open up command prompt in Admin Context on WSUS server and change working directory to WSUS installation path Tools directory and run following Command

WSUSUtil.exe ConfiguresSSL <Intranet FQDN of WSUS Server>

Go to Software Update Point Property, (Open ConfigMgr console>Administration Workspace>Site Configuration>Servers and Site System Roles>Select Your Sever and Right Click on Software Update Point Role and Click Property

Check the box Require SSL communication to the WSUS Server and Click Apply

 This as well will reinstall Software Update Point Role with new settings.

Site Server Settings

Change your ConfigMgr setting to ensure client communicates with HTTPs Enabled MP when there is a client authentication cert is present.
Launch ConfigMgr Console> Administration Workspace> Site Configuration> Sites> Right Click your Primary Site> Properties and Go to Client Computer Communication Tab.
Check the box “Use PKI Client certificate (client authentication capability) when available”

Review clients that have Client Authentication Cert to make
sure they are communicating to MP in HTTPs.

A Client that has ConfigMgr client cert installed will see changes made to ConfigMgr Server via Published information in Active Directory, and will switch to HTTPs if it detects a Valid Client Cert Present on Computer’s Personal Store.

References

PKI Certificate Requirements for Configuration Manager
http://technet.microsoft.com/en-us/library/gg699362.aspx

System Center 2012 Configuration Manager: R.I.P. Native Mode

http://blogs.technet.com/b/configmgrteam/archive/2012/05/25/system-center-2012-configuration-manager-r-i-p-native-mode.aspx

Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority

http://technet.microsoft.com/en-us/library/gg682023.aspx