Move ConfigMgr Site to HTTPS Communication (Part-I)
by Ginu
About
In this article, we will move our SCCM site to HTTPS communication. We will cover the ConfigMgr HTTPS configuration in two parts. In Part 1 we will perform the steps below; the remaining SCCM configuration will be covered in Part 2.
Article Covers:
- Create Certificate Templates for MP/SUP, DP, and ConfigMgr Clients
- Issuing Certificates for MP/SUP, DP, and ConfigMgr Clients
- Enabling the Certificate Services Client – Auto-Enrollment GPO for the Client Authentication Certificate
- Requesting the Web Server Certificate and Client Authentication Certificate for MP, DP and SUP
- Exporting Certificates for MP/SUP and DP
- Binding Certificates in IIS for MP and SUP/WSUS
STEP 1: Create Certificate Templates for MP/SUP, DP, and ConfigMgr Clients
1. Create Web Server Template for MP and SUP
- Click Start -> Run. Type mmc and click OK.
- Click File -> Add/Remove Snap-in.
- Add the Certificate Templates and Certification Authority (Local) snap-ins.
- Under Certificate Templates, right-click Web Server and click Duplicate Template.
Note: We will use the same Web Server certificate for both MP and SUP.
- In the Duplicate Template dialog box, ensure that Windows 2003 Server Enterprise Edition is selected and choose OK.
- On the General tab, enter a Template Display Name.
- On the Subject Name tab, make sure that “Supply in the request” is selected.
- Under the Security tab, add the security group that contains the ConfigMgr site systems that will run IIS (or the FQDN of the server hosting the MP and WSUS) and grant it the Enroll permission. Click OK.
2. Create Workstation Authentication Certificate for Distribution Point
- Now we will create the certificate template for our Distribution Point. Right-click Workstation Authentication and click Duplicate Template.
- In the Duplicate Template dialog box, ensure that Windows 2003 Server Enterprise Edition is selected and choose OK.
- On the General tab, enter a Template Display Name.
- On the Request Handling tab, select “Allow private key to be exported”.
- Under the Security tab, add the security group that contains the ConfigMgr site systems that will run IIS (or the server where the DP is installed) and grant it the Enroll permission. Click OK.
3. Create Workstation Authentication Certificate for ConfigMgr Clients.
- Lastly, we will create the certificate template for SCCM client machines.
- Right-click Workstation Authentication and click Duplicate Template.
- In the Duplicate Template dialog box, ensure that Windows 2003 Server Enterprise Edition is selected and choose OK.
- On the General tab, enter a Template Display Name.
- Under the Security tab, select the Domain Computers group and then select the additional permissions of Read and Autoenroll. Do not clear Enroll. Click OK.
STEP 2: Issuing Certificates for MP/SUP, DP, and ConfigMgr Clients
- Under Certification Authority (Local), right-click Certificate Templates -> New -> Certificate Template to Issue.
- Select the certificate templates we created above and click OK.
STEP 3: Enabling the Certificate Services Client – Auto-Enrollment GPO for the Client Authentication Certificate
While creating the Client Authentication certificate template above we granted the Autoenroll permission to Domain Computers. So we need to enable the Certificate Services Client – Auto-Enrollment policy so that workstations receive their Client Authentication certificate automatically once Group Policy is updated on them.
- Open Group Policy Management. Go to your domain -> right-click the domain -> choose Create a GPO in this domain, and Link it here.
Note: When you assign this Group Policy at the domain level, you will apply it to all computers in the domain. In a production environment, you can restrict the autoenrollment so that it enrolls on only selected computers. You can assign the Group Policy at an organizational unit level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is set up as the management point.
- Enter a GPO name and click OK.
- Edit the newly created GPO.
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies.
- Right-click “Certificate Services Client – Auto-Enrollment” -> Properties.
- Change the Configuration Model to Enabled, and select “Update certificates that use certificate templates”. Click OK.
STEP 4: Requesting the Web Server Certificate and Client Authentication Certificate on the servers hosting the MP, SUP and DP roles
- Click Start -> Run. Type mmc and click OK.
- Click File -> Add/Remove Snap-in, and add the Certificates snap-in.
- Right-click Certificates -> All Tasks -> Request New Certificate.
- Click Next on both Certificate Enrollment pages.
- Click “More information is required to enroll for this certificate. Click here to configure settings” under the Web Server certificate for MP/SUP.
- On Certificate Properties, leave Subject Name blank. Under the Alternative Name section, select Type DNS from the drop-down, enter the FQDN of the site system hosting MP/WSUS, click Add, and then OK to save the settings.
- Select the certificates issued for MP, SUP and DP. Click Enroll.
- Click Finish once enrollment is complete.
STEP 5: Exporting the Certificate for the Distribution Point
We need to export the Distribution Point certificate so that it can be configured in the Distribution Point properties.
- Right-click the Distribution Point certificate -> All Tasks -> Export.
- Click Next on “Welcome to the Certificate Export Wizard”.
- Select “Yes, export the private key”.
- Select the “Personal Information Exchange – PKCS #12 (.PFX)” format and keep the default check boxes selected.
- Enter a password on the next page.
- Specify a location to export the certificate to. Click Finish.
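Steps 4 and 5 can also be scripted on the site system. The following is an added example and not part of the original article: it requests the MP/SUP web server certificate (blank subject, SAN DNS = FQDN) and the DP certificate from the templates created in Step 1, checks what the CA issued, and exports the DP certificate as PFX. The template names and export path are placeholders you must replace with your own.

```powershell
# Added example (not from the original article). Run elevated on the site system.
# ASSUMPTIONS: template *names* (not display names) and the export path are placeholders.
$fqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$webTemplate = 'ConfigMgrWebServer'   # placeholder: duplicated Web Server template (Step 1.1)
$dpTemplate  = 'ConfigMgrDPCert'      # placeholder: duplicated Workstation Auth template (Step 1.2)
$pfxPath     = 'C:\Certs\DP.pfx'      # placeholder export location

# Web server certificate: subject left blank, SAN DNS = site system FQDN (Step 4).
$web = Get-Certificate -Template $webTemplate -DnsName $fqdn `
        -CertStoreLocation 'Cert:\LocalMachine\My'
if ($web.Status -ne 'Issued') { throw "Web server request status: $($web.Status)" }

# Check the issued certificate before binding it in IIS: SAN and Server Authentication EKU.
$cert = $web.Certificate
if ($cert.DnsNameList.Unicode -notcontains $fqdn) { throw "SAN does not contain $fqdn" }
if ($cert.EnhancedKeyUsageList.FriendlyName -notcontains 'Server Authentication') {
    throw 'Certificate lacks the Server Authentication EKU'
}
"Web server certificate thumbprint: $($cert.Thumbprint)"

# DP certificate: subject comes from AD; the template allows key export (needed for Step 5).
$dp = Get-Certificate -Template $dpTemplate -CertStoreLocation 'Cert:\LocalMachine\My'
if ($dp.Status -ne 'Issued') { throw "DP request status: $($dp.Status)" }

# Export as PKCS #12 with the private key, protected by an interactively entered password.
# The PFX carries the DP's identity, so do not hard-code the password in the script.
$pwd = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $dp.Certificate -FilePath $pfxPath -Password $pwd | Out-Null
"Exported DP certificate $($dp.Certificate.Thumbprint) to $pfxPath"
```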
STEP 6: Binding Certificates in IIS for MP and SUP/WSUS
- Open IIS Manager: open Run and type inetmgr.
- Under Default Web Site, click Bindings. In the Site Bindings pop-up, select the https binding and click Edit.
- Select the Web Server certificate. Click View to make sure the correct certificate is selected. Click OK and Close.
- Now navigate to the WSUS Administration website and bind the Web Server certificate to its https binding as we did above.
- Additionally, we need to enable SSL settings for the 5 WSUS virtual directories: APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService and SimpleAuthWebService. Select APIRemoting30 -> click SSL Settings.
- On SSL Settings, check “Require SSL” and keep Client certificates set to “Ignore”. Click Apply.
- Repeat for the remaining virtual directories: ClientWebService, DSSAuthWebService, ServerSyncWebService and SimpleAuthWebService.
- Close IIS Manager.
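The IIS part of Step 6 can be done and verified with the WebAdministration module. This is an added example, not part of the original article: it binds the web server certificate to the https bindings of Default Web Site (MP) and WSUS Administration (SUP), sets Require SSL with client certificates ignored on the five WSUS virtual directories, and checks the result. The thumbprint is a placeholder, and the WSUS https port 8531 is assumed.

```powershell
# Added example (not from the original article). Run elevated on the MP/SUP server.
# ASSUMPTIONS: $thumbprint is a placeholder; WSUS Administration uses https on port 8531.
Import-Module WebAdministration
$thumbprint = 'REPLACE_WITH_WEB_SERVER_CERT_THUMBPRINT'   # placeholder, from Cert:\LocalMachine\My
$sites = @{ 'Default Web Site' = 443; 'WSUS Administration' = 8531 }
$vdirs = 'APIRemoting30','ClientWebService','DSSAuthWebService',
         'ServerSyncWebService','SimpleAuthWebService'

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Web server certificate has no private key' }

foreach ($site in $sites.Keys) {
    $binding = Get-WebBinding -Name $site -Protocol https
    if (-not $binding) {
        New-WebBinding -Name $site -Protocol https -Port $sites[$site]
        $binding = Get-WebBinding -Name $site -Protocol https
    }
    # Same as "Edit binding -> select certificate" in IIS Manager.
    $binding.AddSslCertificate($thumbprint, 'My')
}

# Require SSL with client certificates "Ignore" is sslFlags = Ssl
# (no SslNegotiateCert / SslRequireCert flag).
foreach ($vdir in $vdirs) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "WSUS Administration/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# Verify: each https binding carries our thumbprint and each vdir requires SSL.
foreach ($site in $sites.Keys) {
    $bound = (Get-WebBinding -Name $site -Protocol https).certificateHash
    if ($bound -ne $thumbprint) { throw "$site https binding has thumbprint '$bound'" }
}
foreach ($vdir in $vdirs) {
    $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "WSUS Administration/$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # The cmdlet may return the raw string or an attribute object with a Value property.
    $value = if ($flags.PSObject.Properties['Value']) { $flags.Value } else { "$flags" }
    if ($value -ne 'Ssl') { throw "$vdir sslFlags is '$value', expected 'Ssl'" }
}
'HTTPS bindings and WSUS SSL settings verified.'
```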
Now we are done with all certificate and IIS prerequisites for HTTPS communication. We will move on to Part 2 for the SCCM configuration on HTTPS.