In this post we set up the HTTPS client-side connection to the SCCM Management Point (MP), either directly or via the Cloud Management Gateway (CMG). The CMG is a cloud proxy (an Azure cloud service running Windows Server 2012 R2). HTTPS is recommended when connecting to an Internet-facing resource: the server certificate lets the client validate the identity of the endpoint, and the TLS session encrypts the data in transit. In the image below, the connections we want to encrypt are shown in orange:

  • Internet client to CMG
  • Internet client to SCCM MP via CMG
  • Intranet client to SCCM MP

The following will be addressed:

  1. Client Certificate
  2. Root Certificate
  3. SCCM Web Certificate
  4. Configure SCCM for HTTPS

 

 

1. Client Certificate

1.1 Create Auto-Enroll Client Certificate

  • On the server holding the Certification Authority role (in this lab a domain controller) open Certification Authority (certsrv.msc)
  • Right-click Certificate Templates -> Manage

  • Select the Workstation Authentication template, right-click -> Duplicate Template
  • On the Compatibility tab keep Certification Authority at Windows Server 2003, so that a version 2 template is created (the template version Configuration Manager clients support)
  • On the General tab fill in a Template display name for your template (e.g. SCCM Client Certificate)

  • On the Security tab grant Domain Computers the Read, Enroll and Autoenroll permissions. Site systems that will serve HTTPS (the MP/SUP server) need this client certificate too, so make sure they are covered by the group you choose; Domain Computers includes member servers by default

  • Click OK, then close the Certificate Templates Console
  • In the Certification Authority console, right-click Certificate Templates -> New -> Certificate Template to Issue

  • Select the SCCM Client Certificate template created above, click OK

  • Close Certification Authority

1.2 Create Client Enrollment Policy

On a domain controller (or any machine with the Group Policy Management console):

  • Open Group Policy Management
  • Right-click Group Policy Objects -> New
  • Enter a name for the new policy, e.g. Client Certificate auto-enroll, then OK
  • Select the newly created policy, right-click -> Edit
  • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies
  • Right-click Certificate Services Client - Auto-Enrollment -> Properties

  • Set Configuration Model to Enabled
  • Check both Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates, then OK

  • Close the Group Policy Management Editor window
  • In the Group Policy Management window select the domain or OU containing the computers that should receive the certificate (linking at the domain level enrolls every domain-joined computer)
  • Right-click -> Link an Existing GPO -> select the newly created GPO and click OK

1.3 Client Certificate Validation

Log on to a client:

  • Open cmd with administrative rights
  • Run gpupdate /force (auto-enrollment runs at policy refresh; if the certificate does not show up, certutil -pulse triggers an enrollment pass immediately)

  • Open Manage computer certificates (certlm.msc)
  • Check for the certificate under Personal -> Certificates; its Intended Purposes column should read Client Authentication and it must have a private key

2 Root Certificate

2.1 The RootCA

The root CA certificate is the public key certificate that lets a computer validate everything issued by a specific certification authority. A certificate issued by your internal PKI is accepted only if it chains to a root CA certificate present in the computer's Trusted Root Certification Authorities store (any intermediate CA certificates in the chain must be in the Intermediate Certification Authorities store). We export it here because section 4 imports it into the site configuration.

On any computer that auto-enrolled a client certificate as described in the previous chapter:

  • Open mmc

  • File -> Add/Remove Snap-in
  • In the Add or Remove Snap-ins window select Certificates, then Add
  • Select Computer account, Next, Finish, OK
  • In the new console open Certificates (Local Computer) -> Personal -> Certificates
  • If the computer auto-enrolled the client certificate, it is listed here
  • Open the client certificate
  • In the Certificate window select the Certification Path tab
  • Select the top certificate in the path (the root CA)
  • Verify that Certificate status reads "This certificate is OK."
  • Click View Certificate

  • In the new Certificate window go to the Details tab, click Copy to File and follow the wizard to save the root CA certificate as RootCA.cer (DER encoded binary X.509 is fine; only the public certificate is exported, no private key is involved)
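The checks in 1.3 and the export in 2.1 can be scripted so they can be repeated on many clients. The following is an added example and not code from the original post; it assumes the output path C:\Temp\RootCA.cer and identifies the client certificate by its Client Authentication EKU rather than by template name.

```powershell
# Added example (not part of the original post): script the checks from 1.3 and the
# root CA export from 2.1. Assumption: output path C:\Temp\RootCA.cer.

$outFile = 'C:\Temp\RootCA.cer'

# 1.3 - find the auto-enrolled client certificate: computer Personal store, has a
# private key, carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $clientCert) {
    throw "No client authentication certificate in LocalMachine\My. Run 'gpupdate /force' (or 'certutil -pulse') and check the GPO link."
}

# Show which template issued it (Certificate Template Information extension, 1.3.6.1.4.1.311.21.7).
$tmpl = $clientCert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
"Client certificate: {0}  Subject={1}  Expires={2}" -f $clientCert.Thumbprint, $clientCert.Subject, $clientCert.NotAfter
if ($tmpl) { 'Template: ' + $tmpl.Format($false) }

# Build and validate the chain the same way the Certification Path tab does,
# including an online revocation check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($clientCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    throw 'Certificate chain did not validate; fix the chain before trusting this CA in SCCM.'
}

# 2.1 - the last chain element is the root CA. It must be self-signed and present in
# the Trusted Root Certification Authorities store of this machine.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) { throw "Top of chain is not self-signed: $($root.Subject)" }
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint)) {
    Write-Warning "Root CA $($root.Subject) is not in LocalMachine\Root on this computer."
}

# Export DER-encoded (what the Copy to File wizard produces by default); no private key is involved.
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
Export-Certificate -Cert $root -FilePath $outFile -Type CERT | Out-Null
"Root CA exported: {0}  Subject={1}  Thumbprint={2}" -f $outFile, $root.Subject, $root.Thumbprint
```

Note the root thumbprint printed at the end; compare it with the certificate you add under Trusted Root Certification Authorities in section 4 so the site trusts exactly this CA and not another one with a similar name.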


3. SCCM Web Certificate

The web server certificate identifies and authenticates the SCCM MP to the client when the HTTPS connection is established. Note that one web server certificate is required for every server that hosts an MP or SUP role; if the MP and SUP are on different servers, each needs its own certificate.

3.1 Create SCCM Web Certificate Template

  • Open Certification Authority (certsrv.msc) on the server with the CA role
  • Right-click Certificate Templates -> Manage

  • In the Certificate Templates Console, right-click the Web Server template -> Duplicate Template

  • In Properties of New Template leave the Compatibility settings at Windows Server 2003
  • Under the General tab enter a Template display name, e.g. SCCM Web Server Certificate. Note the Template name next to it (by default the display name without spaces); it is what scripted enrollment refers to
  • Under the Security tab click Add
  • In the newly opened window click Object Types -> check Computers -> OK

  • Back in the Select window add the computer account of your SCCM MP/SUP server, then OK
  • Under Permissions for the newly added server check Allow for Read and Enroll, then OK. Do not grant Domain Computers Enroll on this template: only site systems should be able to obtain web server certificates, since anyone who can enroll one can impersonate an MP

  • Close the Certificate Templates Console
  • Back in the certsrv window, right-click Certificate Templates -> New -> Certificate Template to Issue

  • Select the newly created SCCM Web Server Certificate template, then OK

  • Close the certsrv window
3.2 Enroll the certificate on the SCCM MP/SUP server

  • On the SCCM MP/SUP server
  • Open the local computer certificate store: mmc -> File -> Add/Remove Snap-in -> select Certificates -> Add -> Computer account -> Local computer -> Finish -> OK

  • In the newly opened console expand Certificates (Local Computer)
  • Right-click Personal -> All Tasks -> Request New Certificate -> Next -> Next

  • Check SCCM Web Server Certificate (the template created in 3.1)
  • Click "More information is required to enroll for this certificate"

  • In the Certificate Properties window, under the Subject tab
  • Under Alternative name set Type to DNS
  • Add both the short name and the FQDN of the server, e.g. server and server.domain.com, then OK. The FQDN must match the name clients use to reach the MP, otherwise they will reject the certificate

  • Back on the Certificate Enrollment page click Enroll, then Finish

3.3 Configure IIS to use HTTPS connections with the new certificate

  • On the SCCM server
  • Open the IIS Manager console
  • Go to Default Web Site, right-click -> Edit Bindings
  • Select the https binding -> Edit (add an https binding on port 443 if there is none)
  • Under SSL certificate select the newly created SCCM Web Server Certificate -> OK -> Close
  • Do the same for the WSUS Administration site: Edit Bindings

  • Select the https binding (port 8531 by default) -> Edit
  • Under SSL certificate select the newly created SCCM Web Server Certificate -> OK -> Close

  • Expand WSUS Administration
  • Click ApiRemoting30
  • Open SSL Settings

  • Check Require SSL and select Ignore under Client certificates, then Apply

  • Do the same for ClientWebService, DSSAuthWebService, ServerSyncWebService and SimpleAuthWebService. Leave the remaining WSUS virtual directories (Content, Inventory, ReportingWebService, SelfUpdate) on HTTP: clients download update content from Content over HTTP, and requiring SSL there breaks downloads

  • Open cmd as administrator
  • cd to C:\Program Files\Update Services\Tools
  • Run WsusUtil.exe configuressl <server FQDN>; the FQDN must be one of the names in the certificate
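Sections 3.2 and 3.3 together are one procedure that has to be repeated on every MP/SUP server, so it is worth scripting. The following is an added example and not the post's own steps; it assumes the template name is SCCMWebServerCertificate (the Template name of the template duplicated in 3.1, which by default is the display name without spaces), that the WSUS HTTPS binding uses the default port 8531, and that WSUS is installed in its default path. Run it elevated on the MP/SUP server.

```powershell
# Added example (not part of the original post): scripted version of 3.2 and 3.3.
# Assumptions: template *name* 'SCCMWebServerCertificate', WSUS HTTPS port 8531,
# WSUS installed under $env:ProgramFiles\Update Services. Run elevated on the MP/SUP.

Import-Module WebAdministration

$template = 'SCCMWebServerCertificate'
$short    = $env:COMPUTERNAME
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 3.2 - enroll from the enterprise CA with DNS SANs for both names (the same as the
# "Alternative name: DNS" entries filled in through the enrollment wizard).
$enroll = Get-Certificate -Template $template -DnsName $short, $fqdn -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') { throw "Enrollment did not complete: status $($enroll.Status)" }
$cert = $enroll.Certificate

# Sanity checks before binding: private key, Server Authentication EKU (1.3.6.1.5.5.7.3.1), FQDN in the SAN.
if (-not $cert.HasPrivateKey) { throw 'Enrolled certificate has no private key' }
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') { throw 'Certificate lacks the Server Authentication EKU' }
if ($cert.DnsNameList.Unicode -notcontains $fqdn) { throw "SAN does not contain $fqdn" }

# 3.3 - bind the certificate to the HTTPS binding of each IIS site, creating the binding if missing.
function Set-SiteHttpsCertificate {
    param(
        [string]$Site,
        [int]$Port,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port $Port)) {
        New-WebBinding -Name $Site -Protocol https -Port $Port | Out-Null
    }
    # IIS:\SslBindings maps IP!port to a certificate; replace whatever is there (e.g. a self-signed cert).
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    New-Item $sslPath -Value $Certificate | Out-Null
}
Set-SiteHttpsCertificate -Site 'Default Web Site'    -Port 443  -Certificate $cert
Set-SiteHttpsCertificate -Site 'WSUS Administration' -Port 8531 -Certificate $cert

# Require SSL on the five WSUS web services only. sslFlags 'Ssl' is "Require SSL" with
# client certificates set to Ignore; Content and the other directories stay on HTTP.
$wsusSslDirs = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService', 'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($dir in $wsusSslDirs) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "WSUS Administration/$dir" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Tell WSUS to use SSL; the argument must be a name present in the certificate's SAN.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $fqdn

"Bound {0} ({1}) to ${fqdn}:443 and ${fqdn}:8531" -f $cert.Subject, $cert.Thumbprint
```

Get-Certificate wants the template name, not the display name; if it returns a status other than Issued, check the template's Security tab (3.1) for the server's computer account and that the template has been published with Certificate Template to Issue.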

4. Configure SCCM for HTTPS

4.1 Configure Site

  • Open the Configuration Manager console
  • Administration -> Site Configuration -> Sites -> select the site -> right-click -> Properties
  • Select the Client Computer Communication tab
  • Select HTTPS or HTTP while some site systems still accept HTTP, or HTTPS only once every MP, DP and SUP has a web server certificate
  • Check Use PKI client certificate (client authentication capability) when available
  • The post unchecks Clients check the certificate revocation list (CRL) for site systems. Be aware of what that means: a revoked web server certificate is still accepted by clients. Leave it enabled unless your CRL distribution point is unreachable from the clients (Internet clients behind the CMG included)
  • Under Trusted Root Certification Authorities click Set
  • Add the RootCA.cer exported in section 2

4.2 Configure MP

  • Administration -> Site Configuration -> Servers and Site System Roles
  • Select the site system that hosts the MP role
  • In the Site System Roles pane select Management point -> right-click -> Properties

  • In Management point Properties
  • Select HTTPS
  • Check Allow Configuration Manager cloud management gateway traffic
  • Select Allow intranet and Internet connections

  • OK

4.3 Configure SUP

  • Select the Software update point role -> right-click -> Properties
  • Check Require SSL communication to the WSUS server (the WSUS port must match the HTTPS binding from 3.3, 8531 by default) and Allow Configuration Manager cloud management gateway traffic
  • Check Allow Internet and intranet client connections

  • OK
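Once the site, MP and SUP are switched over, the result should be verified from a client rather than from the console. The following is an added example and not part of the original post; it assumes the MP/SUP is server.domain.com, that RootCA.cer from section 2 is at C:\Temp\RootCA.cer, and that WSUS listens on 8531. It pulls the certificate actually presented on each port, checks it against the exported root (not merely against "some trusted root"), runs the revocation check the client would run, and finally asks the MP for its MP list over HTTPS with the auto-enrolled client certificate.

```powershell
# Added example (not part of the original post): client-side verification of sections 1-4.
# Assumptions: MP/SUP FQDN server.domain.com, RootCA.cer at C:\Temp\RootCA.cer, WSUS on 8531.

$mp         = 'server.domain.com'
$rootCaFile = 'C:\Temp\RootCA.cer'
$rootCa     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCaFile)

function Get-TlsServerCertificate {
    param([string]$HostName, [int]$Port)
    # Accept-all callback: the chain is validated explicitly below instead of by the OS store.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

function Test-SiteSystemCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $problems = @()
    if ($Cert.DnsNameList.Unicode -notcontains $HostName) { $problems += "SAN does not contain $HostName" }
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'no Server Authentication EKU' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter)" }
    # Build the chain with an online CRL check (what a client with CRL checking enabled does),
    # then require that it terminates in RootCA.cer rather than in any trusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.ExtraStore.Add($rootCa) | Out-Null
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { "$($_.Status)" }) -join ',')
    }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $rootCa.Thumbprint) { $problems += "chains to $($top.Subject), not to RootCA.cer" }
    $problems
}

foreach ($port in 443, 8531) {
    $served = Get-TlsServerCertificate -HostName $mp -Port $port
    $issues = Test-SiteSystemCertificate -Cert $served -HostName $mp
    if ($issues) { Write-Warning ("{0}:{1} -> {2}" -f $mp, $port, ($issues -join '; ')) }
    else { "{0}:{1} OK  {2}  expires {3}" -f $mp, $port, $served.Subject, $served.NotAfter }
}

# Application-level check: the MP lists itself over HTTPS. Present the auto-enrolled client
# certificate from section 1, as the Configuration Manager client agent would.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$req = @{ Uri = "https://$mp/sms_mp/.sms_aut?mplist"; UseBasicParsing = $true }
if ($clientCert) { $req.Certificate = $clientCert } else { Write-Warning 'No client certificate found; requesting MPLIST without one' }
$resp = Invoke-WebRequest @req
if ($resp.StatusCode -ne 200 -or $resp.Content -notmatch 'MPList') { throw "MPLIST over HTTPS failed: HTTP $($resp.StatusCode)" }
"MPLIST over HTTPS returned:`n$($resp.Content)"
```

A "chain: RevocationStatusUnknown" warning here is the practical test for the CRL decision in 4.1: if the client cannot reach the CRL distribution point, clients with CRL checking enabled will reject the MP, so either publish the CRL where they can fetch it or accept the reduced security of disabling the check.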