Configuration Manager/Enable SSL for SCCM

From ITHandbook

Overview

Enabling SSL (HTTPS with PKI certificates for site system and client communication) significantly improves security, but for SCCM the steps are more involved than for a single IIS site because several roles need different certificates. The general steps are as follows:

  • Create certificate templates for the different uses (IIS/web server, distribution point, client).
  • Associate site servers or clients with a specific template through the template's Security permissions.
  • Modify the GPO to enable certificate auto-enrollment. Some certificates still require manual enrollment.
  • For distribution points, manually export the certificate including its private key, and import it into the DP.

Requirements

  • WSUS is configured to HTTPS and uses SSL. For more information, refer to Enabling SSL on WSUS.
  • A certificate has been configured for the user.

What you should know before continuing

  • This tutorial assumes that the AD CS is installed and available.

Duplicate and create certificate templates

Duplicate and create a certificate template for IIS

 Note:
If the site system server is running IIS, is configured to use the cloud management gateway (CMG), or is hosting the SQL Server instance, this certificate is required.
Typically, all site servers require it.

Open the CA console from the Start Menu, right-click Certificate Templates in the left pane, then select Manage.

Right-click Web Server and select Duplicate Template.

Switch to the General tab and enter a friendly name for the template.

On the Subject Name tab, leave Supply in the request selected (the Web Server template's default). Because of this setting the certificate cannot be auto-enrolled; it is requested manually later on this page.

Switch to the Security tab and add a group that contains the site servers. Keep this template restricted to that group: the requester supplies the subject name, so anyone who can enroll it can obtain a certificate for any name.

In the Permissions section, check Read, Enroll and Autoenroll in the Allow column.

Click OK to save the template and close the window.

Duplicate and create a certificate template for monitoring and distribution points

 Note:
If the site system server has a distribution point installed, or the monitoring function enabled, this certificate is required.

Open the CA console from the Start Menu, right-click Certificate Templates in the left pane, then select Manage.

Right-click Workstation Authentication and select Duplicate Template.

Switch to the General tab and enter a friendly name for the template.

Switch to the Request Handling tab and check Allow private key to be exported. This is required because the certificate is later exported as a .pfx file (with its private key) and imported into the distribution point.

Switch to the Security tab and add a group that contains the site servers that have a distribution point installed.

In the Permissions section, check Read, Enroll and Autoenroll in the Allow column.

For security, select the Domain Computers group and click Remove, so that only the distribution point servers can enroll a certificate whose private key is exportable.

Click OK to save the template and close the window.

Duplicate and create a certificate template for all clients

 Note:
If the devices have a client installed, this certificate is required to establish an SSL connection.

Open the CA console from the Start Menu, right-click Certificate Templates in the left pane, then select Manage.

Right-click Workstation Authentication and select Duplicate Template.

Switch to the General tab and enter a friendly name for the template.

Switch to the Security tab and select Domain Computers, or add and select the group that contains the specific devices.

In the Permissions section, check Read, Enroll and Autoenroll in the Allow column.

Click OK to save the template and close the window.
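As an added example (not from this page or from Microsoft), the following PowerShell script reads the three templates back from Active Directory and confirms what the steps above set: the exportable-key flag on the DP template, the Supply in the request setting on the IIS template, and which principals hold Enroll or Autoenroll. It assumes the ActiveDirectory module (RSAT), a domain-joined session, and the template names ConfigMgrIISCertificate, ConfigMgrDPCertificate and ConfigMgrClientCertificate (the Template name field, which the console derives from the friendly name by removing spaces); replace them with the names you chose.

```powershell
# Added example, not part of the ITHandbook page. Requires the ActiveDirectory module
# (RSAT); any domain user can read the Configuration partition where templates live.
Import-Module ActiveDirectory

$templateContainer = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                     (Get-ADRootDSE).configurationNamingContext

# Well-known extended-right GUIDs granted on pKICertificateTemplate objects
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Bit in msPKI-Private-Key-Flag set by "Allow private key to be exported"
$CT_FLAG_EXPORTABLE_KEY = 0x10
# Bit in msPKI-Certificate-Name-Flag set by Subject Name = "Supply in the request"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1

function Get-TemplateReport {
    param([Parameter(Mandatory)][string]$Name)   # the template's CN (Template name field)

    $t = Get-ADObject -SearchBase $templateContainer -LDAPFilter "(cn=$Name)" `
             -Properties 'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'
    if (-not $t) { throw "Template '$Name' not found under $templateContainer" }

    # Principals that can enroll: explicit Enroll/Autoenroll, all extended rights, or full control
    $enrollers = $t.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ObjectType -in @($EnrollRight, $AutoEnrollRight) -or
                ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                 $_.ObjectType -eq [guid]::Empty) -or
                $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
            )
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template        = $Name
        ExportableKey   = [bool]($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)
        SuppliesSubject = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        Enrollers       = $enrollers
    }
}

# Assumed template names; replace with the ones you created
$report = @(
    Get-TemplateReport -Name 'ConfigMgrIISCertificate'
    Get-TemplateReport -Name 'ConfigMgrDPCertificate'
    Get-TemplateReport -Name 'ConfigMgrClientCertificate'
)
$report | Format-Table -AutoSize -Wrap

# Broad principals that should only ever hold Enroll on the client template
$broadGroups = 'Domain Computers', 'Authenticated Users', 'Domain Users', 'Everyone'
foreach ($r in $report) {
    $broad = $r.Enrollers | Where-Object { ($_ -split '\\')[-1] -in $broadGroups }
    if ($r.Template -eq 'ConfigMgrDPCertificate' -and -not $r.ExportableKey) {
        Write-Warning "$($r.Template): private key is not exportable; the PFX export for the DP will fail."
    }
    if ($r.Template -eq 'ConfigMgrIISCertificate' -and -not $r.SuppliesSubject) {
        Write-Warning "$($r.Template): subject is not supplied in the request; the manual IIS enrollment step does not apply."
    }
    if (($r.ExportableKey -or $r.SuppliesSubject) -and $broad) {
        Write-Warning "$($r.Template): $($broad -join ', ') can enroll a template with an exportable key or requester-supplied subject; restrict it to the site/DP server group."
    }
}
```

The client template is expected to list Domain Computers (or your device group) as an enroller, so the script warns about broad groups only on templates that carry an exportable key or let the requester choose the subject, which is exactly the pair of settings the steps above restrict to the site and DP server groups.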

Enable Certificate Templates

Back in the CA console, right-click Certificate Templates in the left pane, then select New → Certificate Template to Issue.

Select the three new templates and click OK.

Modify the group policy for certificate auto-enrollment

Create a GPO, or modify an existing GPO, linked to the OU that contains the site servers or clients.

For more information, refer to Create or modify group policy for auto enrollment.

Manually enroll IIS certificate

The certificate for IIS must be enrolled manually because the Web Server template (and therefore its duplicate) has Subject Name set to Supply in the request. Auto-enrollment cannot build the subject and alternative names from Active Directory for such a template, so the certificate is not issued automatically even though the Autoenroll permission is granted.

Press Windows + R keyboard shortcuts, enter certlm.msc and press ENTER.

Right-click Personal, then select All Tasks → Request New Certificate to start the Wizard.

Click Next on the "Before You Begin" screen.

Click Next on the "Select Certificate Enrollment Policy" screen.

Select the IIS template, then click the warning link ("More information is required to enroll for this certificate") to open the Certificate Properties window.

In the Alternative name section, select DNS as the type, then add the server's FQDN and its short host name to the Value box. The FQDN must be the name clients use to reach the site server; clients validate the server name against the SAN, so a missing or misspelled name causes HTTPS failures later.

Click OK to save the changes and close the window.

Click Enroll to proceed.

Click Finish to exit the wizard.

Verify that the certificate has been enrolled

Press Windows + R keyboard shortcuts, enter certlm.msc and press ENTER.

  • For each site server, there should be an IIS certificate.
  • For each site server that has a distribution point installed, there should be a DP certificate.
  • For the devices that have the client installed, there should be a Client certificate.
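The manual IIS enrollment and the verification above, as an added PowerShell example that is not from this page: it requests the IIS certificate with Get-Certificate (the command-line equivalent of the certlm.msc wizard, with the subject and alternative names supplied) and then checks the issued certificate the way a practitioner would before using it for HTTPS. It assumes the template name ConfigMgrIISCertificate, that it runs in an elevated session on the site server, and that DNS resolves the machine to its FQDN; nothing else is taken from the page.

```powershell
# Added example, not part of the ITHandbook page. Run in an elevated session on the site server.
Import-Module PKI

$templateName = 'ConfigMgrIISCertificate'   # assumed Template name (CN) of the Web Server duplicate
$fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. cm01.corp.example.com
$shortName = $env:COMPUTERNAME

function Test-IisCertificate {
    # Checks that a certificate is usable for the site server's HTTPS endpoints: private key
    # present, Server Authentication EKU, every expected name in the SAN, not about to expire.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string[]]$ExpectedDnsName
    )
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the machine store' }
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'Server Authentication EKU missing'
    }
    $san = @($Cert.DnsNameList.Unicode)          # names from the Subject Alternative Name extension
    foreach ($name in $ExpectedDnsName) {
        if ($san -notcontains $name) { $problems += "SAN does not contain $name" }
    }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires on $($Cert.NotAfter)" }

    if ($problems) {
        Write-Warning ("{0}: {1}" -f $Cert.Thumbprint, ($problems -join '; '))
        return $false
    }
    return $true
}

# Equivalent of the wizard: the template uses "Supply in the request", so the subject and the
# alternative names (FQDN and short name, as on this page) are passed explicitly.
$result = Get-Certificate -Template $templateName `
                          -SubjectName "CN=$fqdn" `
                          -DnsName $fqdn, $shortName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    # 'Pending' means the CA requires manager approval; once issued, the request can be
    # completed with Get-Certificate -Request $result.Request.
    throw "Enrollment status is '$($result.Status)', not 'Issued'."
}

$cert = $result.Certificate
if (Test-IisCertificate -Cert $cert -ExpectedDnsName $fqdn, $shortName) {
    "IIS certificate issued: thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
}
```

Test-IisCertificate can also be run against any certificate already in Cert:\LocalMachine\My (for example after enrolling through the wizard) to confirm that the SAN really contains both names before the certificate is bound in IIS.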

Export the DP certificate and import to a distribution point

Export the DP certificate

Under Personal → Certificates, right-click the DP certificate and select All Tasks → Export....

In the Welcome screen, click Next to proceed.

Select Yes, export the private key and click Next.

In the Export File Format screen, click Next to proceed.

Select Password, then provide a strong password and click Next.

Click Browse to specify an export path and a file name for the .pfx file, then click Next.

Click Finish and click OK to exit the wizard.

Import to a distribution point

Open the Configuration Manager console and go to Administration → Site Configuration → Servers and Site System Roles.

Select the desired server; in the Site System Roles pane, right-click Distribution Point and select Properties.

Switch to the Communication tab.

Select the Import certificate option, click Browse to select the exported .pfx file, enter its password, then click OK to save the changes and close the window.

Delete the exported .pfx file once the import succeeds: it contains the distribution point's private key, and the site database now holds the copy it needs.
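The export and import above, as an added PowerShell example (not from this page or from Microsoft). It locates the DP certificate in the machine store by the template it was issued from, exports it with its private key using Export-PfxCertificate, and then imports it into the distribution point role with Set-CMDistributionPoint from the ConfigurationManager module, the scripted counterpart of the Communication tab. Assumptions: the template display name ConfigMgr DP Certificate, site code PS1, DP server dp01.corp.example.com, and that the ConfigurationManager console (which ships the module) is installed on the machine that runs the import; the -CertificatePath and -CertificatePassword parameter names are the module's and should be confirmed with Get-Help Set-CMDistributionPoint if your version differs.

```powershell
# Added example, not part of the ITHandbook page. Run elevated on the machine that holds the
# DP certificate; the import step needs the ConfigurationManager console/module installed there too.
Import-Module PKI

function Get-CertificateByTemplate {
    # Returns machine certificates issued from a given template. Version 2+ templates stamp the
    # Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7), whose formatted
    # text begins "Template=<display name>(<template OID>)".
    param([Parameter(Mandatory)][string]$DisplayName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $ext -and $ext.Format($false) -match ('^Template=' + [regex]::Escape($DisplayName) + '\(')
    }
}

# Assumed values; adjust to your environment
$dpTemplate = 'ConfigMgr DP Certificate'
$siteCode   = 'PS1'
$dpServer   = 'dp01.corp.example.com'

# Export: the newest DP certificate that has a private key. The template must have
# "Allow private key to be exported" set, or Export-PfxCertificate fails.
$dpCert = Get-CertificateByTemplate -DisplayName $dpTemplate |
          Where-Object HasPrivateKey |
          Sort-Object NotAfter -Descending |
          Select-Object -First 1
if (-not $dpCert) {
    throw "No certificate from template '$dpTemplate' with a private key found; run gpupdate /force and check certlm.msc."
}

$pfxPath  = Join-Path $env:TEMP 'dp-cert.pfx'
$password = Read-Host -Prompt 'Password for the exported PFX' -AsSecureString
Export-PfxCertificate -Cert $dpCert -FilePath $pfxPath -Password $password | Out-Null

try {
    # Import: scripted counterpart of Distribution Point > Properties > Communication > Import certificate.
    # Parameter names are from the ConfigurationManager module's Set-CMDistributionPoint (assumption;
    # confirm with Get-Help Set-CMDistributionPoint -Parameter Certificate*).
    Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
    Push-Location "$siteCode`:"
    Set-CMDistributionPoint -SiteSystemServerName $dpServer -SiteCode $siteCode `
                            -CertificatePath $pfxPath -CertificatePassword $password
    Pop-Location
}
finally {
    # The PFX contains the private key: remove it as soon as the import is done.
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
}
```

Get-CertificateByTemplate is also a quick way to do the "Verify that the certificate has been enrolled" step from the command line: call it with the display name of the IIS, DP or client template on the machine in question and check that it returns a certificate with HasPrivateKey set.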