With Configuration Manager 2012 you can secure your Configuration Manager infrastructure with certificates per site system role, instead of per whole site as in Configuration Manager 2007. Let's look at how you can enable secure communications to and between the site system roles in Configuration Manager 2012.
First you need to ensure that a Public Key Infrastructure (PKI) is present in your environment and that you are able to enroll PKI certificates. Once the PKI is in place and tested, you can follow the global steps described below (see http://technet.microsoft.com/en-us/library/gg682023.aspx):
Creating a Web Service Certificate for Site Systems that run IIS
- Create a “Configuration Manager 2012 site systems” Certificate Template by copying it from the Web Server Template
- Request and enroll the Web Server certificate on the Configuration Manager 2012 Site Servers from the “Configuration Manager 2012 site systems” template
- Configure IIS to use the created certificate.
Deploying the client certificates for the computers
- Create and issue a Workstation authentication certificate
- Configure and enable auto-enrollment of the client certificates
Deploying Certificates for Mobile Devices
- Create a “Configuration Manager 2012 site systems” Certificate Template by copying it from the Authenticated Session Template
- Create a new template for ConfigMgr Mobile Device Enrollment Certificate.
Per site system role you can configure whether it communicates over HTTPS or over HTTP. Roles such as the Management Point and the Distribution Point are configured as shown below.
To configure the site to use secure communications, set the client computer communication settings in the site properties of the Primary Site or the Central Administration Site. In my lab I only secured the primary site, as shown below.
When enabling HTTPS for a site, do not forget to also configure the SQL Server network protocols to use the certificate of the SCCM site server. Otherwise Configuration Manager is not able to communicate with the SQL database and your event log will fill up with Schannel errors.
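As an added check that is not part of the original post, the following PowerShell script verifies the three pieces described above on a site server that also hosts SQL Server: the certificate bound to IIS on port 443, the certificate configured for the SQL Server protocols, and recent Schannel errors in the System log. It assumes the IIS WebAdministration module is available and uses a placeholder SQL instance registry path that you must replace with your own.

```powershell
# Added check script, not from the original post. Run elevated on the site server.
Import-Module WebAdministration   # provides the IIS:\ drive (IIS 7 and later)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU expected on a Web Server certificate

function Test-SiteSystemCert {
    param([string]$Thumbprint, [string]$Role)
    # Look the thumbprint up in the computer's personal store, where both IIS and SQL Server expect it
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { Write-Warning "${Role}: thumbprint $Thumbprint not found in LocalMachine\My"; return $false }
    $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    $hasServerAuth = $ekus -contains $serverAuthOid
    $valid = $cert.NotAfter -gt (Get-Date)
    "{0}: {1} (expires {2:d}) ServerAuth={3} Valid={4}" -f $Role, $cert.Subject, $cert.NotAfter, $hasServerAuth, $valid
    return ($hasServerAuth -and $valid)
}

# 1. IIS: which certificate is bound to HTTPS on all addresses, port 443?
$iisBinding = Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
if ($iisBinding) { Test-SiteSystemCert -Thumbprint $iisBinding.Thumbprint -Role 'IIS 443' }
else { Write-Warning 'No HTTPS binding on 0.0.0.0:443; the Web Server certificate is not assigned in IIS' }

# 2. SQL Server protocols: the reminder from the post. PLACEHOLDER instance path, replace
#    MSSQL10_50.MSSQLSERVER with the MSSQLxx.<instance> folder of your own SQL Server.
$sqlKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQLServer\SuperSocketNetLib'
$sql = Get-ItemProperty -Path $sqlKey -ErrorAction SilentlyContinue
if ($sql -and $sql.Certificate) {
    Test-SiteSystemCert -Thumbprint $sql.Certificate -Role 'SQL Server'
    "SQL Server ForceEncryption = $($sql.ForceEncryption)"   # 1 means encryption is required
} else {
    Write-Warning 'SQL Server protocols have no certificate configured (SuperSocketNetLib\Certificate is empty)'
}

# 3. Symptom check: Schannel errors (Level 2) in the System log over the last 24 hours
$since = (Get-Date).AddDays(-1)
$schannel = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Level = 2; StartTime = $since } `
    -ErrorAction SilentlyContinue
"Schannel errors since {0:g}: {1}" -f $since, @($schannel).Count
```

A non-zero Schannel error count together with an empty SQL certificate value is the situation the paragraph above warns about.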
In the next blog post I will write about some issues I ran into and the resolutions to get the secure communications right.
April 30, 2012 @ 16:04
Hello! We are currently migrating from SCCM 2007 to SCCM 2012 and are updating our certificates. I followed the guide provided by Microsoft but I seem to be getting a permissions error. The exact error is, “Certificate enrollment for Local system failed to enroll for a MYCERT certificate request ID 7122 from MYCASERVER (The permissions on the certificate template do not allow the current user to enroll for this type of certificate.)” Any help would be appreciated. Thanks!
May 3, 2012 @ 15:36
Did you see this blog? http://blogs.technet.com/b/configmgrteam/archive/2009/04/29/resolving-certreq-errors-key-size-and-user-permissions.aspx