Now that Configuration Manager 2012 has been released, there’s official documentation available on TechNet about what the PKI requirements are in order to configure CM12 for HTTPS communications. They are very similar to the Native mode requirements in CM07. However, the Site Server Signing certificate is not required, as the CM12 server will configure a self-signed certificate in the SMS Certificate store, regardless of whether it’s configured for HTTP or HTTPS communications.
I strongly recommend the following TechNet articles:
- PKI Certificate Requirements for Configuration Manager – //technet.microsoft.com/en-us/library/gg699362.aspx
- Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager – //technet.microsoft.com/en-us/library/gg682023.aspx
- Planning for Security in Configuration Manager – //technet.microsoft.com/en-us/library/gg712284.aspx
Like SCCM 2007, SCCM 2012 has some specific certificate requirements to secure all client/server communications. The installation and configuration process isn’t quite like SCCM 2007, where you had to have a fairly specific configuration in place if you wanted to set up the site in Native mode as opposed to Mixed mode. However, if you want to enforce HTTPS communications across the board (which is especially useful for internet-facing SCCM services) then an internal PKI is still required.
I installed SCCM 2012 Beta 2 in a lab environment which was already running SCCM 2007 in Native mode, so I’d already done all of the PKI and certificate work, following this article on TechNet. The most important steps to duplicate for SCCM 2012 were:
- All clients and servers needed to receive the ConfigMgr Client Certificate from the cert autoenroll GPO (so no change from SCCM 2007)
- The site server needed the ConfigMgr Site Server Signing Certificate for the new SCCM site code
- The site server and all servers running management points via IIS required the ConfigMgr Web Server Certificate (and to have this bound to port 443 within IIS)
The big change was for the site database server. In this installation of SCCM 2012, I was using a remote SQL server, on which the SQL services were handled by a Managed Service Account. During the SCCM setup, the installer attempts to connect out from the site server and configure a self-signed certificate on the SQL server to secure SQL communications. There are two problems with this:
- It installs the self-signed certificate only in the computer’s Personal store (which is where SQL requires it), so the cert isn’t trusted
- By default, the Managed Service Account doesn’t have access to read the Personal store
To overcome this, I did the following:
- Created a new certificate template called ConfigMgr SQL Server Identification Certificate
- Added the Managed Service Account to the local Administrators group on the SQL server
The new PKI certificate template was a duplicate of the ConfigMgr Web Server Certificate (created for the SCCM 2007 deployment), with the following alterations:
- Subject Name – Subject Name Format = DNS Name, Subject Alternate Name = DNS Name
- Security – remove “Enroll” rights from Domain Admins and Enterprise Admins, give Read/Write/Enroll rights to “ConfigMgr SQL Servers”, which is a new AD group of which the SQL server is a member
Then, request the new certificate into the SQL server’s Personal store from the Certificates MMC snap-in (the system may need a reboot to pick up the new group membership).
Then, open SQL Server Configuration Manager on the SQL server, expand “SQL Server Network Configuration”, right-click on the SQL instance name (in the left-hand pane) and select Properties. Go to the Certificate tab and choose the newly-requested certificate from the drop-down list. Hit Apply, then OK, and restart the SQL services for the change to take effect.
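To confirm the result of the steps above on the SQL server, here is an added PowerShell check (not from the original post or from Microsoft): it finds the PKI certificate in the computer's Personal store that carries the Server Authentication EKU and the SQL server's FQDN, confirms it is the thumbprint SQL Server Configuration Manager recorded, and lists who can read its private key, which is the minimum access the SQL service account needs. The registry key name (MSSQL11.MSSQLSERVER for a SQL 2012 default instance) and the account name CONTOSO\sqlsvc$ are placeholders to adjust.

```powershell
# Added verification script (not from the original post). Placeholders: SQL Server 2012
# default instance (registry key MSSQL11.MSSQLSERVER) and the MSA 'CONTOSO\sqlsvc$'.
function Test-SqlTlsCertificate {
    param(
        [string]$SqlFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$ServiceAccount = 'CONTOSO\sqlsvc$',
        [string]$InstanceKey    = 'MSSQL11.MSSQLSERVER'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

    # 1. Candidates in the computer's Personal store: private key present, not expired,
    #    Server Authentication EKU, and a DNS Subject Alternative Name matching the FQDN.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
        ($_.DnsNameList | Where-Object { $_.Unicode -ieq $SqlFqdn })
    }

    # 2. The thumbprint SQL Server Configuration Manager stored when the cert was selected.
    $regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceKey\MSSQLServer\SuperSocketNetLib"
    $configured = (Get-ItemProperty -Path $regPath -Name Certificate -ErrorAction SilentlyContinue).Certificate
    $cert = $candidates | Where-Object { $_.Thumbprint -ieq $configured } | Select-Object -First 1

    # 3. Private key ACL. Legacy CSP keys are files under MachineKeys; for CNG keys
    #    $cert.PrivateKey is $null and the key is stored elsewhere, so this step is skipped.
    $readers = @()
    if ($cert -and $cert.PrivateKey) {
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyPath = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $keyName
        $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
        $readers = (Get-Acl -Path $keyPath).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readBit) } |
            ForEach-Object { $_.IdentityReference.Value }
    }

    [pscustomobject]@{
        SqlFqdn               = $SqlFqdn
        CandidateCertificates = @($candidates).Count
        ConfiguredThumbprint  = $configured
        CertificateIsValid    = [bool]$cert
        PrivateKeyReaders     = $readers
        ServiceAccountCanRead = [bool]($readers | Where-Object { $_ -ieq $ServiceAccount })
    }
}

Test-SqlTlsCertificate | Format-List
```

ServiceAccountCanRead only reports an explicit entry for the account; if the account gets access through group membership (such as the local Administrators group used above), it shows false while PrivateKeyReaders lists the group, and granting the account Read on the key directly is the narrower alternative.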
That’s basically it – now all client/server/site communications within the new SCCM 2012 site can happen over HTTPS.