In this post we will see the steps for deploying the client certificate for distribution points. This is one of the posts of the Deploy PKI Certificates for SCCM 2012 R2 Step by Step Guide. In the previous posts we covered the PKI certificate requirements, deploying the web server certificate for site systems that run IIS, and deploying client certificates for Windows computers. The next step is to deploy the client certificate for distribution points.
This certificate serves two purposes. It is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution point sends status messages. When the Enable PXE support for clients distribution point option is selected, the certificate is also sent to computers that PXE boot so that they can connect to an HTTPS-enabled management point during operating system deployment. You can log in with a root domain administrator account or an enterprise domain administrator account and use this account for all procedures in this example deployment.
This certificate deployment has the following procedures:
- Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
- Requesting the Custom Workstation Authentication Certificate
- Exporting the Client Certificate for Distribution Points
Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
In the Duplicate Template dialog box, ensure that Windows Server 2003 is selected.
In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as SCCM Client Distribution Point Certificate.
Click the Request Handling tab, and select Allow private key to be exported.
Click the Security tab, click Add, enter SCCM IIS Servers in the text box, and then click OK. Select the Enroll permission for this group, and do not clear the Read permission. Click OK and close the Certificate Templates console.
In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the new template that you have just created, SCCM Client Distribution Point Certificate, and then click OK.
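Before moving on to the request, it is worth confirming that the duplicated template is actually in the CA's issued list and that the SCCM IIS Servers group holds the Enroll right, since a missing Enroll permission is the usual reason the template does not appear in the Request New Certificate wizard. The following PowerShell is an added example and not part of the original post; it assumes a domain-joined machine with certutil and the ActiveDirectory RSAT module available, and that the template display name and group name match the ones created above.

```powershell
# Added example (not from the original post): confirm the duplicated template is
# published on the CA and that the SCCM IIS Servers group holds the Enroll right.
# Assumptions: certutil and the ActiveDirectory RSAT module are available; the
# names below match the template and group you created in the steps above.
$TemplateDisplayName = 'SCCM Client Distribution Point Certificate'
$GroupName           = 'SCCM IIS Servers'
# Extended-right GUID that represents "Enroll" on a certificate template object.
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

Import-Module ActiveDirectory

# 1. Is the template issued by the CA? certutil -CATemplates prints one line per
#    issued template in the form "<TemplateName>: <Display Name> -- ...".
$issued = certutil -CATemplates | Where-Object { $_ -like "*: $TemplateDisplayName*" }
if (-not $issued) {
    Write-Warning "Template '$TemplateDisplayName' is not in the CA's issued template list."
} else {
    Write-Host "Issued by CA: $issued"
}

# 2. Locate the template object in the configuration partition of Active Directory.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template  = Get-ADObject -SearchBase $container -LDAPFilter "(displayName=$TemplateDisplayName)"
if (-not $template) { throw "Template '$TemplateDisplayName' was not found in AD." }

# 3. Read its ACL (the AD: drive is provided by the ActiveDirectory module) and
#    list every principal that is explicitly allowed the Enroll extended right.
$acl = Get-Acl -Path "AD:\$($template.DistinguishedName)"
$enrollers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'ExtendedRight' -and
    $_.ObjectType -eq $EnrollRightGuid
} | ForEach-Object { $_.IdentityReference.Value }

"Principals with Enroll on '$TemplateDisplayName':"
$enrollers | ForEach-Object { "  $_" }

# Group names appear as DOMAIN\Group, so match on the trailing part.
if (-not ($enrollers | Where-Object { $_ -like "*\$GroupName" })) {
    Write-Warning "'$GroupName' does not hold Enroll; servers in that group cannot request this certificate."
}
```

The Enroll check reads the template's security descriptor directly from AD rather than the CA, because that is where the Security tab of the Certificate Templates console writes it; the certutil check covers the separate "Certificate Template to Issue" step.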
Requesting the Custom Workstation Authentication Certificate
This procedure requests and then installs the custom client certificate onto the member server that runs IIS and that will be configured as a distribution point. Run mmc, add the Certificates snap-in, select Computer account, and then click Next. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. In the Add or Remove Snap-ins dialog box, click OK. In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.
On the Request Certificates page, select the SCCM Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll.
On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that SCCM Client Distribution Point Certificate is displayed in the Certificate Template column.
Exporting the Client Certificate for Distribution Points
In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export.
In the Certificates Export Wizard, click Next. On the Export Private Key page, select Yes, export the private key, and then click Next.
On the Export File Format page, ensure that the option Personal Information Exchange – PKCS #12 (.PFX) is selected. Click Next.
On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.
On the File to Export page, specify the name of the file that you want to export, and then click Next.
To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box. Close Certificates (Local Computer). The certificate is now ready to be imported when you configure the distribution point.
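The request, verification and export steps above (the Requesting and Exporting procedures) can be done from PowerShell on the future distribution point, which also makes the two checks the console shows in the Intended Purpose and Certificate Template columns explicit. This is an added example and not part of the original post; it assumes it is run elevated on the member server that will become the DP, that the PKIClient module (Windows Server 2012 and later) is available, and that the template's internal name is its display name with the spaces removed, which is the default when a template is duplicated. The output path is a constructed placeholder.

```powershell
# Added example (not from the original post): enroll for the DP client certificate,
# verify it is a Client Authentication certificate from the expected template, and
# export it with its private key to a password-protected PFX.
# Assumptions: run elevated on the future DP; PKIClient module present; the internal
# template name is the display name without spaces (default for a duplicated template).
$TemplateName        = 'SCCMClientDistributionPointCertificate'   # assumed internal name
$TemplateDisplayName = 'SCCM Client Distribution Point Certificate'
$PfxPath             = 'C:\Certs\SCCM-DP-ClientCert.pfx'           # constructed path
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'                         # Client Authentication EKU
$TemplateInfoOid     = '1.3.6.1.4.1.311.21.7'                      # Certificate Template Information

# 1. Enroll: the equivalent of Personal > Certificates > Request New Certificate.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }
$cert = $result.Certificate

# 2. Verify what the console shows in the Intended Purpose / Certificate Template columns.
$hasClientAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid
$templateExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
$templateText  = if ($templateExt) { $templateExt.Format($false) } else { '' }
$fromTemplate  = ($templateText -like "*$TemplateDisplayName*") -or ($templateText -like "*$TemplateName*")
if (-not $hasClientAuth)      { throw 'Certificate lacks the Client Authentication EKU.' }
if (-not $fromTemplate)       { throw "Certificate was not issued from '$TemplateDisplayName'." }
if (-not $cert.HasPrivateKey) { throw 'No private key is associated with the certificate.' }
"Enrolled: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

# 3. Export with the private key. This only succeeds because the template was created
#    with "Allow private key to be exported"; otherwise Export-PfxCertificate fails.
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null
"Exported to $PfxPath; import this file on the distribution point's General tab after selecting HTTPS."
```

The password is read as a SecureString rather than placed in the script, and the PFX is written with only the end-entity certificate, which is all the distribution point needs to import. Keep the exported file on a restricted path and delete it once it has been imported, since it carries the private key.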
Deploying the Client Certificate for Distribution Points
Now that we have the client certificate for distribution points, let's assign it to the DPs. Right-click the DP, click Properties, and on the General tab choose HTTPS. To import the certificate, click Browse, select the PFX file that you exported in the steps above, provide the password, and click OK.
For other roles you may not be able to switch from HTTP to HTTPS, because the options are greyed out. For example, on the Application Catalog web service point the options are greyed out. You have to uninstall both the Application Catalog website point and the Application Catalog web service point roles and install them again.
When you reinstall the Application Catalog web service point, you can now specify how the Application Catalog website point communicates with the Application Catalog web service point. Choose HTTPS this time.
The same goes for the Application Catalog website point: choose HTTPS here and click Next.
In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites. Right-click the site server and click Properties. Under site system settings, choose HTTPS only and click OK.
Log in to one of the computers that has the Configuration Manager client installed and look at the General tab of the Configuration Manager client properties. You will notice that Client certificate has changed from Self-signed to PKI.