Step by step – Installing ConfigMgr 1511 in https – Part 4: Requesting and Configuring Certificates.

Requesting required certificates

If you would like to know more about certificates and how to create your templates for ConfigMgr please continue reading here.

First of all, it’s important that our Server is part of the group that we created in Part 1 of this blog post series.

So go to Active Directory and add your server to the group GL-ConfigMgr1511-Servers.

This should also be the group that has the enroll rights for your certificates. That means that every server in your ConfigMgr Hierarchy should be part of this group. This makes it very easy to request the certificates if you add an extra Distribution Point to your hierarchy for example.

Run GPUPDATE /Force and reboot the Server.

Web Server Certificate

Open a PowerShell prompt as administrator and type certlm.

This will open the local machine certificate snap-in. Browse to the Personal – Certificates Folder.

Right click on the Certificate folder in the left hand side panel and go to All Tasks – Request New Certificate

Select Active Directory Enrollment Policy and click Next.

Click on the blue text under the template ConfigMgr_ServerAuthentication

In the Certificate Properties, we need to specify the settings below:

  • Subject Name: Type – Common name
    • FQDN of the Primary Site Server
  • Alternative Name: Type DNS
    • FQDN of the Primary Site Server

Click OK and check the checkbox next to the certificate template.

Click on Enroll to enroll the certificate.

Click Finish to go back to the Certificate Store.

Distribution Point Certificate

Back in the Certificate Store, right click on the Certificate folder again and go to All Tasks – Request New Certificate.

Select Active Directory Enrollment Policy and click Next.

Select the ConfigMgr_DPAuthentication Certificate and click on Enroll.

Click Finish to close the Enrollment Wizard.

Now that we have enrolled the certificate, we need to export the certificate, so that we can use it later during the installation of ConfigMgr.

Right click the certificate and go to All Tasks – Export

Click Next and choose to export the private key.

Click Next and select the format. We need the .PFX format, and we need to include all certificates in the certification path if possible. Click Next to continue.

We need to specify a password. This password protects the private key and will be used when we import the certificate in ConfigMgr. Click Next to continue.

Browse to a location where you want to save the exported certificate. I always create a folder SCCM_CERTS on the drive used to install ConfigMgr. It’s easy and very clean. Enter a File Name and click Save.

In the Certificate Export Wizard, click Next.

Click Finish to close the Export Wizard.

Configure IIS for HTTPS

Now that we have the certificates, we will need to configure IIS to use our Web Server Certificate.

Open the IIS Manager.

In the IIS Manager, Select the Default Web Site and click on Bindings in the right hand side panel.

In the Site Bindings click on Add…

We will need to add the https binding, so configure the settings below:

  • Type: https
  • Port: 443
  • SSL Certificate: The enrolled certificate will be in the drop-down list.

Click OK and close IIS.

To make sure that everything is well configured, I always do an IISRESET to restart the services.
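
The three wizard procedures above (web server certificate, distribution point certificate with export, IIS binding) can also be scripted. The following is an added example, not part of the original post; it assumes the template names shown in the wizard are also the templates' internal names, and the `D:` drive letter and PFX file name are placeholders.

```powershell
# Added example: the wizard steps above as a script. Run elevated on the site server.
Import-Module WebAdministration
$ErrorActionPreference = 'Stop'

$store = 'Cert:\LocalMachine\My'
$site  = 'Default Web Site'
# Assumption: the server's own DNS name is the FQDN used for the certificate.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Request-TemplateCert([string]$Template, [hashtable]$Extra = @{}) {
    # Assumption: the template's internal name equals the name shown in the wizard.
    $result = Get-Certificate -Template $Template -CertStoreLocation $store @Extra
    if ($result.Status -ne 'Issued') { throw "$Template enrollment status: $($result.Status)" }
    $result.Certificate
}

# Web server certificate: common name and DNS alternative name are both the FQDN.
$web = Request-TemplateCert 'ConfigMgr_ServerAuthentication' @{ SubjectName = "CN=$fqdn"; DnsName = $fqdn }
# Distribution point certificate: enrolled with the template defaults.
$dp  = Request-TemplateCert 'ConfigMgr_DPAuthentication'

# Export the DP certificate with its private key and chain to a password-protected PFX.
$pfxDir = 'D:\SCCM_CERTS'    # hypothetical drive letter; folder name from the post
New-Item -ItemType Directory -Path $pfxDir -Force | Out-Null
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert "$store\$($dp.Thumbprint)" -FilePath (Join-Path $pfxDir 'ConfigMgr_DP.pfx') `
    -Password $pfxPwd -ChainOption BuildChain | Out-Null   # file name is hypothetical

# Add the https binding on port 443 if it is missing and attach the web server certificate.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
    (Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate($web.Thumbprint, 'My')
}

# Check: the certificate bound to 443 is the one just enrolled and it has a private key.
$bound = Get-ChildItem IIS:\SslBindings | Where-Object Port -eq 443 | Select-Object -First 1
if ($bound.Thumbprint -ne $web.Thumbprint) { Write-Warning "Port 443 is bound to $($bound.Thumbprint)" }
if (-not $web.HasPrivateKey) { Write-Warning 'Web server certificate has no private key' }

iisreset | Out-Null
```

The PFX contains the distribution point certificate's private key, so restrict access to the folder that holds it.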

At this point, we are ready to start the installation of ConfigMgr. Read more in the next post.
