Configuring SCCM 2012 for PKI and SSL: Setting up HTTPS communication

Recently, I’ve begun a rather large and complex SCCM implementation for a customer here in Seattle.  One of the requirements that they have is managing their rather extensive fleet of Apple laptops.  As you know, SP1 introduced OS X support, and that has expanded with R2.  However, I have never implemented this, and I was worried doing so might be a bit tricky.

This is my attempt at a soup-to-nuts guide to setting it up. As you know, PKI is a requirement for managing Macs, but you should be using SCCM in SSL mode anyway. But why? I often hear people state that they don’t need encryption on a bunch of info about Windows patches etc. While this is true, it misses the point: encryption is only a by-product of what we’re really after, which is authentication. SCCM is a very powerful tool, used to manage the configuration of your entire environment. Authenticating the servers that are doing the managing to the systems that are being managed is important.

Enough on that. For starters, I’ll assume the following:

  • A windows domain
  • SCCM 2012 R2 installed and basic configurations completed
  • Active Directory Certificate Services is installed and configured

If you’ve not set up a domain or installed ADCS before, good luck with that.  I’ll try to look around for a good guide and post it, but that is beyond the scope of this guide.  You can review the basics of ADCS here: http://technet.microsoft.com/en-us/library/hh831740.aspx

If you’ve not installed SCCM before, I highly recommend you check out MVP Niall Brady’s guides here: http://www.windows-noob.com/forums/index.php?/topic/4045-system-center-2012-configuration-manager-guides/

Clear?  Great!  Let’s get started.  We’ll need a few certs to put our site into HTTPS mode, so we’ll start by creating those here:

Workstation Client Certificate

From Server Manager, open the Certificate Authority MMC snap-in and connect to your CA.  Right-Click Certificate Templates and select Manage to bring up the templates snap-in.

We’ll need to duplicate a certificate template so we have a starting point, then deploy it to our member computers via GPO (or some other tool presumably).  Select the Workstation Authentication template and select Duplicate Template.

Next, select the earliest operating system you’d like the template to be compatible with.  With SCCM 2012 SP1 and newer you must select the Windows 5.1 family of operating systems, because that gives you a version 2 template rather than a version 3 template; version 3 templates are incompatible with SCCM 2012, create certain issues, and are not supported.

Under the Security tab, add to Domain Computers (or whatever computers you will manage, all of them, right?) the ability to Read, Enroll, and Autoenroll the cert.  You can also rename the cert under the General tab.  Apply and close.

Next, back at the Certificate Authority MMC, Right-click Certificate Templates, and select New -> Certificate Template to Issue.

Select the template you just created.

Next, you’re ready to deploy this to your member computers.  In this example, we’ll accomplish this using group policy.  Open the Group Policy Management utility and connect to your domain.  Right-click the appropriate domain or OU and create a new group policy object.  Right-click the new object and select Edit.

Navigate down to Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies.

Configure the policies to enroll the certificate.

Close the group policy editor.  After a policy refresh, you should now see your certificate enrolled in the personal store on member computers.
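To check the result without clicking through the Certificates snap-in on every machine, here is a PowerShell script I’m adding to this guide (it is not part of the original walkthrough). It forces an autoenrollment pass, then reports whether a client-authentication cert issued from the new template is in the computer’s Personal store and chains to a trusted root. It assumes the CA’s common name is CONTOSO-CA and the duplicated template is named SCCM Client Certificate; change both to match your environment.

```powershell
# Added example (not from the original post): verify on a member computer that the
# duplicated Workstation Authentication template auto-enrolled a usable client cert.
# Assumptions: issuing CA common name 'CONTOSO-CA', template name 'SCCM Client Certificate'.
param(
    [string]$IssuerCN     = 'CONTOSO-CA',
    [string]$TemplateName = 'SCCM Client Certificate'
)

# Kick autoenrollment now instead of waiting for the next policy refresh interval.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

$clientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth
$templateOid   = '1.3.6.1.4.1.311.21.7' # Certificate Template Information (v2 templates)

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "CN=$IssuerCN*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
}

foreach ($cert in $candidates) {
    # EKU must include Client Authentication, which the Workstation Authentication template carries.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

    # The template extension formats as "Template=<name>(<oid>), ..." when the name resolves
    # from AD; if only the OID shows, FromTemplate will be false and you should match on the OID.
    $tpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $fromTemplate = $tpl -and ($tpl.Format($false) -match [regex]::Escape($TemplateName))

    # Build the chain the way a relying party will: it must end in a trusted root, not just exist.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        ClientAuth   = [bool]$hasClientAuth
        FromTemplate = [bool]$fromTemplate
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Expires      = $cert.NotAfter
    }
}

if (-not $candidates) {
    Write-Warning "No unexpired client certificate issued by $IssuerCN found in LocalMachine\My."
}
```

A row with ChainTrusted false and a ChainStatus of UntrustedRoot means the machine has the cert but not the CA chain, which is the same failure SCCM will report later when it moves to HTTPS.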

Web Server Certificate

Next, let’s create and install the web server cert.  Begin by going to the Certificate Authority MMC snap-in and connecting to your CA.  Right-click Certificate Templates and select Manage to bring up the templates snap-in.

Next, right-click the Web Server template and select Duplicate Template.

Configure the SCCM computer account to have both the Read and Enroll permissions under the Security tab.  Any SCCM site system that uses IIS will need one of these certs, so you may want to consider putting the site servers in a security group if there are many.

Ensure that the Supply in the request radio button is selected in the Subject Name tab.

Next, issue the cert.

Now we are ready to install the cert on the SCCM server, and configure it accordingly.  On the SCCM server, open MMC and add the Certificates snap-in for the local computer.  Navigate down to the Personal cert store, right-click and select Request New Certificate.

This will begin the certificate enrollment wizard, and you will be able to find and select the cert we just published.

On this screen, you’ll need to click the warning message and configure the cert for your SCCM server.

Under the Subject tab, it is important not to make any changes to the subject name of the cert.  Under alternative name, we’ll add the FQDN of the server.  Even if you are not going to be punching a hole in your firewall and placing the site server out there for internet clients to talk to, this is a requirement to manage OS X machines, so input this information into the cert.  Click OK, and then Enroll.

Lastly, for this cert, we’ll configure IIS to use the cert we’ve just installed.  On the SCCM web server open Internet Information Services (IIS) Manager.  Expand Sites, select your site (usually ‘Default Web Site’) and select Bindings.

Select the HTTPS entry and Edit.  Select the new cert and click OK and Close.  At this point, you should now be able to successfully browse to your site using the FQDN and https with no certificate errors.  Repeat this process for each SCCM site server.
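Browsing to the site is a fine smoke test, but it doesn’t tell you which thumbprint IIS actually bound or whether the FQDN made it into the SAN. The PowerShell below is my added check (not part of the original post) to run on each site server: it reads the HTTPS binding, inspects the bound cert for the FQDN in the SAN and the Server Authentication EKU, then performs a real TLS handshake against the FQDN, which fails on exactly the name and trust errors a client would see. It assumes the site is ‘Default Web Site’ and the FQDN is sccm01.contoso.local.

```powershell
# Added example (not from the original post): confirm the HTTPS binding on an SCCM site
# system presents the web server cert with the server's FQDN in its SAN, and that a client
# handshake against that name succeeds without trust errors.
# Assumptions: site name 'Default Web Site', FQDN 'sccm01.contoso.local'.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$Fqdn     = 'sccm01.contoso.local'
)
Import-Module WebAdministration

# 1. Which cert is bound to HTTPS? Get-WebBinding exposes the thumbprint as certificateHash.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No HTTPS binding on '$SiteName'; add one under Bindings in IIS Manager." }
$cert = Get-Item "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"

# 2. The SAN extension (2.5.29.17) must list the FQDN; the page notes Macs require it.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($san) {
    $dnsNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
}
$serverAuth = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages |
              Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }   # id-kp-serverAuth

[pscustomobject]@{
    BoundThumbprint = $cert.Thumbprint
    Subject         = $cert.Subject
    SanDnsNames     = $dnsNames -join ','
    FqdnInSan       = ($dnsNames -contains $Fqdn)
    ServerAuthEku   = [bool]$serverAuth
    HasPrivateKey   = $cert.HasPrivateKey
}

# 3. Handshake as a client would. AuthenticateAsClient validates the chain AND the host name,
#    so a missing SAN entry or an untrusted root shows up here as an exception.
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Fqdn)
    "TLS OK ({0}); server cert issued by {1}" -f $ssl.SslProtocol, $ssl.RemoteCertificate.Issuer
} catch {
    Write-Warning "TLS handshake to ${Fqdn}:443 failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Close()
}
```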

Client Certificate for Distribution Points

OK, back to the CA to duplicate another template.  The template you need this time is again the Workstation Authentication template.  This certificate will be used for computer authentication by your distribution points.  Rather than reusing the workstation cert we created earlier (and making every single cert’s private key exportable), we’re going to create a new one to use.

Once again, make sure to select ‘Windows Server 2003’ for earliest OS so you use the version 2 template.

Next, we’ll give permissions for requesting this cert.  This will be needed on site servers that are distribution points.  On the Security tab select Read and Enroll for your SCCM server(s).  Also clear the Enroll permission for Enterprise Admins.

On the Request Handling tab select the option for Allow private key to be exported.

Back in the CA console, select Action, New and Certificate Template to Issue. Choose your new SCCM Client Certificate for Distribution Points and issue it.

Back on the SCCM site servers (the DPs), open MMC and add the Certificate snap-in for Local Computer.  Right-click on the personal certificate store and Request New Certificate. Select the new client cert for distribution points you created.

After that right-click and Export the certificate with the private key as shown here:

Be sure to secure it with a password so that ConfigMan can access it later.

Save this cert somewhere that you can get to later for when you configure it in SCCM.  Repeat this process for each DP.

Root CA Certificate

The clients should now be able to communicate with the site systems via HTTPS, but there is one missing piece: SCCM defines which certificate authority it trusts, and the default install uses the self-signed certificates that SCCM generates.  Now we need to export the root CA cert so that it can be imported into SCCM.

From the CA server, export the Root CA Certificate as a DER encoded binary X.509 (.CER) certificate.
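If you have more than a couple of DPs, clicking through the export wizard gets old. Here is a PowerShell version of the two exports above (the DP client cert as a password-protected PFX, and the root CA cert as a DER .cer) that I’m adding to the guide; it is not from the original post. It uses the PKI module cmdlets that ship with Windows Server 2012 and later, and assumes the DP template is named SCCM Client Certificate for Distribution Points, the root CA’s common name is CONTOSO-ROOT-CA, the root is already in the computer’s Trusted Root store (an enterprise CA publishes it there via AD), and output goes to C:\SCCMCerts.

```powershell
# Added example (not from the original post): script the DP client PFX export and the
# root CA .cer export. Assumptions: template 'SCCM Client Certificate for Distribution
# Points', root CA CN 'CONTOSO-ROOT-CA', root already in LocalMachine\Root, output C:\SCCMCerts.
param(
    [string]$DpTemplateName = 'SCCM Client Certificate for Distribution Points',
    [string]$RootCaCN       = 'CONTOSO-ROOT-CA',
    [string]$OutDir         = 'C:\SCCMCerts'
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Locate the DP cert by its template extension (1.3.6.1.4.1.311.21.7, present on v2 templates).
$dpCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tpl -and ($tpl.Format($false) -match [regex]::Escape($DpTemplateName))
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $dpCert) { throw "No certificate from template '$DpTemplateName' in LocalMachine\My." }

# 'Allow private key to be exported' on the template is what makes the PFX export succeed;
# for CSP-backed keys (what a v2 template produces) the flag can be read before trying.
$keyInfo = $null
try { $keyInfo = $dpCert.PrivateKey.CspKeyContainerInfo } catch { }
if ($keyInfo -and -not $keyInfo.Exportable) {
    throw "Private key of $($dpCert.Thumbprint) is not exportable; re-check the template."
}

# Prompt for the password rather than hard-coding it; SCCM asks for it when you import the PFX.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password for the DP certificate'
$pfxPath = Join-Path $OutDir "$($env:COMPUTERNAME)-DPClient.pfx"
Export-PfxCertificate -Cert $dpCert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Root CA: public cert only, DER encoded (-Type CERT), which is what the site properties expect.
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -like "CN=$RootCaCN*" } | Select-Object -First 1
if (-not $rootCert) { throw "Root CA '$RootCaCN' not found in LocalMachine\Root." }
$cerPath = Join-Path $OutDir "$RootCaCN.cer"
Export-Certificate -Cert $rootCert -FilePath $cerPath -Type CERT | Out-Null

"Exported DP client PFX : $pfxPath"
"Exported root CA (DER) : $cerPath"
```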

This concludes the OS layer and CA configurations that need to be done.  Next, we’ll configure everything on the SCCM application layer.

Site Server Configurations

With all the certificates in place we should now be able to change the clients to communicate over HTTPS with our PKI instead of HTTP and a self-signed certificate.

In the SCCM console go to Administration -> Overview -> Site Configuration > Sites and select your Site.  Right-click and select Properties.

Go to the tab Client Computer Communication and import the Root CA Certificate under Trusted Root Certification Authorities.

Next, on the same tab, change the setting to HTTPS Only.  If you still have clients on HTTP you can select HTTP or HTTPS, and systems will be allowed in a sort of mixed mode.  If you have multiple MPs and need to control which systems talk to which site server, this may be the route to go.  Here we have a cert for all of our Windows computers, and we’re trying to support Apple computers as well, so we’ll select HTTPS only.

Then click apply and close the box.  You’ll notice that your management point is now set to use HTTPS:

If you look on one of your clients, you’ll notice it switches over from a self-signed certificate to PKI.  Now we’re talking to the MP via SSL, pretty cool!  However, we need to go one step further; as the above screen capture shows, “To manage Mac computers and mobile devices that are enrolled by Configuration Manager, you must select an option that allows Internet client connections.” If you’d like to manage Macs or use internet-based client management, you’ll need to select this option.  For Macs, this is true even if you aren’t going to make the site server internet-facing, since the Mac always uses the internet FQDN and is treated as an internet client.

Right-click on the site system and select Properties.   Select the check box to specify an internet FQDN and input the same FQDN you entered in the site web server certificate.  Do this for each MP and DP.

You will now be able to select one of the internet-enabled options under the properties of your MP.

Next, let’s enable the DP for SSL communication as well.  Under Administration -> Overview -> Site Configuration -> Servers and Site System Roles, select your site server, then right-click the DP role and select Properties.

It should be set to HTTPS already, but you’ll need to import the Client DP Cert we created earlier.  Do that here.

Once again, you must select one of the internet-enabled options to support content distribution to Macs.

Now all of your content should be transferring through SSL as well.  Send out a test package and verify in the logs that content is moving and is secure.

OK, we’re done for now: our site and clients are communicating via HTTPS.

Next, we’ll set up and manage a Mac with our site:  https://danikuci.wordpress.com/2014/04/05/configuring-sccm-2012-for-pki-and-ssl-managing-apple-computers/

And after that, we’ll set up a build and capture task sequence:    add later
