Certificate requirements for SCCM 2012

UPDATE: 02/05/2012

Now that Configuration Manager 2012 has been released, there’s official documentation available on TechNet about what the PKI requirements are in order to configure CM12 for HTTPS communications.  They are very similar to the Native mode requirements in CM07.  However, the Site Server Signing certificate is not required, as the CM12 server will configure a self-signed certificate in the SMS Certificate store, regardless of whether it’s configured for HTTP or HTTPS communications.

I strongly recommend the following TechNet articles:

Original Article

Like SCCM 2007, SCCM 2012 has some specific certificate requirements to secure all client/server communications.  The installation and configuration process isn’t quite like SCCM 2007, where you had to have a fairly specific configuration in place if you wanted to set up the site in Native mode as opposed to Mixed mode.  However, if you want to enforce HTTPS communications across the board (which is especially useful for internet-facing SCCM services) then an internal PKI is still required.

I installed SCCM 2012 Beta 2 in a lab environment which was already running SCCM 2007 in Native mode, so I’d already done all of the PKI and certificate work, following this article on TechNet.  The most important steps to duplicate for SCCM 2012 were:

  • All clients and servers needed to receive the ConfigMgr Client Certificate from the cert autoenroll GPO (so no change from SCCM 2007)
  • The site server needed the ConfigMgr Site Server Signing Certificate for the new SCCM site code
  • The site server and all servers running management points via IIS required the ConfigMgr Web Server Certificate (and to have this bound to port 443 within IIS)

The big change was for the site database server. In this installation of SCCM 2012, I was using a remote SQL server, on which the SQL services were handled by a Managed Service Account.  During the SCCM setup, the installer attempts to connect out from the site server and configure a self-signed certificate on the SQL server to secure SQL communications.  There are two problems with this:

  1. It installs the certificate in the computer’s Personal store (which is necessary for SQL) which means that the cert isn’t trusted
  2. By default, the Managed Service Account doesn’t have access to read the Personal store

To overcome this, I did the following:

  1. Created a new certificate template called ConfigMgr SQL Server Identification Certificate
  2. Added the Managed Service Account to the local Administrators group on the SQL server

The new PKI certificate template was a duplicate of the ConfigMgr Web Server Certificate (created for the SCCM 2007 deployment), with the following alterations:

  1. Subject Name – Subject Name Format = DNS Name, Subject Alternate Name = DNS Name
  2. Security – remove “Enroll” rights from Domain Admins and Enterprise Admins, give Read/Write/Enroll rights to “ConfigMgr SQL Servers”, which is a new AD group of which the SQL server is a member

Then, request the new certificate into the SQL server’s Personal store from the Certificates MMC snap-in (the system may need a reboot to pick up the new group membership).

Then, open SQL Server Configuration Manager on the SQL server, expand “SQL Server Network Configuration”, right-click on the SQL instance name (in the left hand pane) and select Properties.  Go to the Certificate tab and choose the newly-requested certificate from the drop-down list.  Hit Apply, then OK, and restart SQL services for the change to take effect.
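The checks and the private-key permission from the procedure above, as an added PowerShell example that is not part of the original post: it verifies that a certificate in the SQL server's Personal store has a DNS-name subject/SAN matching the server FQDN, the Server Authentication EKU, a trusted chain and a private key, then grants the SQL service account Read on the private key (the least-privilege alternative to local Administrators membership). It assumes it runs elevated on the SQL server, that the key was issued to a legacy CSP (as a template duplicated from Web Server is), and that `$ServiceAccount` is a placeholder you replace.

```powershell
# Added example, not from the original post. Validate a SQL Server encryption
# certificate in LocalMachine\My and grant the service account private-key read access.
param(
    [string]$ServiceAccount = 'CONTOSO\sqlsvc$',   # placeholder: your SQL Managed Service Account
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-SqlServerCert([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # EKU extension (OID 2.5.29.37) must contain Server Authentication
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    # GetNameInfo returns the SAN dNSName when present, otherwise the subject CN
    $dnsName = $Cert.GetNameInfo('DnsName', $false)
    # Chain build fails for an untrusted self-signed cert, the first problem described above
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($Cert)
    return [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        NameMatches   = ($dnsName -ieq $Fqdn)
        ServerAuth    = [bool]$hasServerAuth
        Trusted       = $trusted
        HasPrivateKey = $Cert.HasPrivateKey
        Expired       = ($Cert.NotAfter -lt (Get-Date))
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-SqlServerCert $_ }
$results | Format-Table -AutoSize
$good = $results | Where-Object {
    $_.NameMatches -and $_.ServerAuth -and $_.Trusted -and $_.HasPrivateKey -and -not $_.Expired
}
if (-not $good) { throw "No certificate in LocalMachine\My satisfies all requirements for $Fqdn" }

# Grant the service account Read on the key container file (legacy CSP keys live under
# MachineKeys); without this the SQL service cannot start with encryption enabled.
$cert    = Get-Item "Cert:\LocalMachine\My\$($good[0].Thumbprint)"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl = Get-Acl $keyPath
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')))
Set-Acl -Path $keyPath -AclObject $acl
"Select thumbprint $($cert.Thumbprint) on the Certificate tab in SQL Server Configuration Manager, then restart SQL Server."
```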

That’s basically it – now all client/server/site communications within the new SCCM 2012 site can happen over HTTPS.

25 comments to Certificate requirements for SCCM 2012

  • And one thing you need to do: don’t forget to grant (or check) “Read Private Key” permission to the account which you used as the SQL Server service account.

    Otherwise, the SQL Server will fail to start.

  • agconmet

    ghjconan,

    Thanks for the tip, this was preventing the SCCM 2012 installation program from installing…

    James, maybe you can update your instructions as it took a little bit of work to find the proper spot to add these permissions.

  • Dayyan

    Hi,

    Is there any upgrade for SCCM 2007? Has SCCM 2012 certification launched? Please let me know.

    • James Bannan

      Yes, there is an upgrade process for going from SCCM 2007 to SCCM 2012. And no, I don’t believe that there is SCCM 2012 certification available at this stage.

  • Manju

    We do not have CA in our lab. Is there a way to configure SCCM 2012 to operate in HTTPS mode? All the forums talk about creating the certificates using the CA. Kindly let me know if it is a possibility to switch to HTTPS mode, without CA. If yes, please guide.

    • James Bannan

      Hi – unfortunately not. If you want SCCM 2012 to run in HTTPS-only mode (like Native mode in SCCM 2007) then you need an internal PKI. It’s not that difficult to set up, though, and requires very little maintenance.

  • Jamie

    Is PKI still a requirement for Out-of-Band? I almost had everything working with that after setting up a dedicated Enterprise DC for the custom template, then getting a cert from GoDaddy, but it would have been nice not to have to do that!

    • James Bannan

      Hi Jamie – yes, it looks like you still need PKI to set up out-of-band. However, PKI is needed for HTTPS communication anyway, so it’s a worthwhile thing to set up for your SCCM environment regardless.

  • John

    By assigning the certificate to the SQL server, does it affect other DBs running on that SQL server? We don’t have a dedicated SQL server box for SCCM 2012.

  • Jimmy

    Are there any guidelines for setting up SSL connections to a clustered SQL instance? I’ve tried the steps above, but since the clustered SQL instance network name is different than the cluster node name, the certs don’t work even with the alternative name set to the instance name.

  • lvallverdu

    Hi,

    If the SQL instances are in a cluster, do I have to put the name of the cluster resource as an alternative name? Or is the physical server alone enough?

    Thanks

  • kpot

    There is no need to issue a ConfigMgr Server Certificate with the code “The site code of this site server is XXX” for SCCM 2012? It’s not mentioned in the official MS papers, and it seems like the ConfigMgr Web Certificate will be enough?

    Please comment, as you are saying: “The site server needed the ConfigMgr Site Server Signing Certificate for the new SCCM site code”.

  • Deepak

    Hi James,

    I configured the PKI certificates, following the steps in the TechNet article, but the MP stops working when the MP connection is set to HTTP or HTTPS (both internet and intranet clients), and I’m not able to browse the MP. Please suggest how to make Internet clients (which are in a workgroup) communicate with the SCCM site server.

    Thanks
    Deepak

  • Mark

    Hi, I have a LAN environment with multiple secondary sites. Now I want to extend my environment to manage teams who leave the office and work from home. How do I do that? Is there any post or guide on implementing this?

  • Ahmed

    How can you create the ConfigMgr SQL Server Identification Certificate?
    Can you give it to me step by step?

  • Al

    Would you implement encryption for SQL traffic if you host SQL and the DB on the CM 2012 Primary server?

    • Al

      Sorry I meant, Do you use the same process to implement encryption for SQL traffic if SQL and the DB are hosted on the CM 2012 Primary server instead of a remote SQL/DB instance?

  • […] To regenerate the certificate open the IIS 7 control panel and select the server then double click Server Certificates. On the right hand side of the screen select Create Self-Signed Certificate. Enter in the FQDN of the local server. You should see a certificate for your server name and the Issued By field should match. Open SQL Configuration Manager, expand the SQL Server Network Configuration node then right click Protocols for MSSQLSERVER. Select Properties to continue. Select the Certificate tab and use the drop down to select the self-signed certificate you created. You can double check this by making sure the Issued By field matches the server name. The following warning should appear, click OK. Select the SQL Server Services node, right click SQL Server and select Start. If everything goes as planned your SQL server should be up and running. Also if you wish you can opt for a different certificate if you have PKI infrastructure in place but I kept this post simple since the certificate that comes with your Configuration Manager 2012 installed on top of SQL server is self-signed. Take a look at the following article if you want to use a PKI to deploy a better certificate for this purpose. //www.jamesbannanit.com/2011/04/certificate-requirements-for-sccm-2012/ […]

  • […] SCCM 2012 infrastructure has similar PKI certificate requirements for HTTPS communications. Read my blog post here on how to set this […]

  • Ryan

    We are not using Microsoft Certificate Services, rather OpenSSL, to create our certificate/PKI environment. However, I cannot locate decent documentation on what I need to do to utilize a 3rd party certificate creation/management tool. Any suggestions? I did understand that each client will need to have its own certificate, which we have in place already. But some guidance as to what certs I need and everything else related to PKI is what I am looking for advice on. Any ideas?

    • James Bannan

      Hi Ryan – I haven’t seen ConfigMgr HTTPS set up using OpenSSL, but if you have the root CA certificate and a web server certificate for each of the system servers in your environment running HTTPS-enabled roles (e.g. MP, DP, etc) then you should be OK.

  • […] externally-accessible) but also that they don’t need to be joined to the domain.  Check out this post for PKI certificate requirements in […]
