Deploying Web Server Certificate for Site Systems that Run IIS

In this post we will see the steps for deploying a web server certificate for site systems that run IIS. This is one of the posts in the Deploy PKI Certificates for SCCM 2012 R2 Step by Step Guide. In my previous post we covered the PKI Certificate Requirements for SCCM 2012 R2, looked at PKI in general, and listed the certificates SCCM needs when you use PKI. The next step is to deploy the web server certificate to the site systems. You can log in with a root domain administrator account or an enterprise domain administrator account and use that account for all procedures in this example deployment.


In this post we will be performing the following steps:

1) Creating and Issuing the Web Server Certificate Template on the Certification Authority

2) Requesting the Web Server Certificate

3) Configuring IIS to Use the Web Server Certificate

This certificate is used to encrypt data and to authenticate the server to clients. It must be installed outside of Configuration Manager on site system servers that run IIS and that are configured in Configuration Manager to use HTTPS.

Creating and Issuing the Web Server Certificate Template on the Certification Authority

First of all, create a security group named SCCM IIS Servers. This group contains the member servers (the SCCM site systems) that will run IIS. On the member server that has Certificate Services installed, open the Certification Authority console, right-click Certificate Templates, and click Manage to load the Certificate Templates console.


In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.


Ensure that Windows 2003 Server is selected, and then click OK.


In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems. Click the Subject Name tab, and make sure that Supply in the request is selected.


Click the Security tab, and remove the Enroll permission from the Domain Admins security group.


Also remove the Enroll permission from the Enterprise Admins security group.


Click Add, enter SCCM IIS Servers in the text box, and then click OK. Select the Enroll permission for this group, and do not clear the Read permission. Click OK, and close the Certificate Templates Console.


In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.


In the Enable Certificate Templates dialog box, select the new template that you have just created, SCCM Web Server Certificate, and then click OK.


Requesting the Web Server Certificate

The steps that we perform now install the web server certificate on the member server that runs IIS. Microsoft recommends that you restart the member server that runs IIS first, to ensure that the computer can see the certificate template that you created.

Run mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, select Certificates from the list of available snap-ins, and then click Add. In the Certificate snap-in dialog box, select Computer account, and then click Next. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. In the Add or Remove Snap-ins dialog box, click OK.

In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.


On Select Certificate Enrollment Policy page, click Next.


On the Request Certificates page, identify the SCCM Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.


In the Certificate Properties dialog box, on the Subject tab, do not make any changes to the Subject name; the Value box for the Subject name section stays blank. Instead, in the Alternative name section, click the Type drop-down list and select DNS. In the Value box, enter the FQDN values that you will later specify in the Configuration Manager site system properties (one entry per FQDN), and then click OK to close the Certificate Properties dialog box.


On the Request Certificates page, select SCCM Web Server Certificate from the list of displayed certificates, and then click Enroll.


On the Certificates Installation Results page, wait until the certificate is installed (the status should show Succeeded), and then click Finish.


Configuring IIS to Use the Web Server Certificate

The steps that we perform now configure IIS to use the web server certificate that we requested in the previous section. On the member server that has IIS installed, launch Internet Information Services (IIS) Manager. Expand Sites, right-click Default Web Site, and then select Edit Bindings.


In the Edit Site Binding dialog box, select the certificate that you requested using the SCCM Web Server Certificate template, and then click OK. You have now configured IIS to use the web server certificate.
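As an added example that is not part of the original post, the following PowerShell performs the request, verification and IIS binding steps from the site system itself and checks what the MMC wizard does not show you: that the issued certificate carries the Server Authentication EKU, that its DNS alternative names cover the FQDN clients will use, and that the private key landed in the machine store. It assumes the duplicated template's internal name is SCCMWebServerCertificate and uses a constructed FQDN; replace both with your own values.

```powershell
# Added example, not code from the original post.
# Assumptions: template *name* (not display name) is 'SCCMWebServerCertificate';
# the FQDN below is a constructed placeholder for the site system's FQDN.
Import-Module PKI
Import-Module WebAdministration

$templateName = 'SCCMWebServerCertificate'   # assumed internal template name
$fqdn         = 'sccm01.corp.example.com'    # constructed; use your site system FQDN

# 1) Enrol against the enterprise CA (same as the MMC 'Request New Certificate' steps):
#    Subject stays empty, the FQDN goes into the DNS alternative name.
$result = Get-Certificate -Template $templateName -DnsName $fqdn `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: $($result.Status)" }
$cert = $result.Certificate

# 2) Checks to make before trusting this certificate for HTTPS on a site system:
#    - Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is present
#    - the SAN list contains the FQDN that clients and the site system properties use
#    - a private key exists in the local machine store
$hasServerAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
$hasSan        = $cert.DnsNameList.Unicode -contains $fqdn
if (-not ($hasServerAuth -and $hasSan -and $cert.HasPrivateKey)) {
    throw ("Certificate $($cert.Thumbprint) is not usable: " +
           "ServerAuthEKU=$hasServerAuth SAN=$hasSan PrivateKey=$($cert.HasPrivateKey)")
}

# 3) Bind the certificate to the HTTPS binding of Default Web Site on port 443.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4) Show the thumbprint IIS will actually present on 0.0.0.0:443, so it can be
#    compared against $cert.Thumbprint after an IIS reset.
Get-Item 'IIS:\SslBindings\0.0.0.0!443' | Select-Object Thumbprint, Sites
```

If the site system has more than one FQDN in its Configuration Manager properties, pass them all to -DnsName and extend the SAN check to cover each one.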


19 Comments

  1. Is there a reason for selecting Windows 2003 Server over other options? Just asking as 2003 *should* be long gone from most environments.

  2. Just wanted to thank you for this writeup. This is all I was missing to make my DP active. Cheers!!

  3. Christopher Braafhart says:

    Good afternoon Prajwal

    I was wondering what is actually the purpose of using SSL or a certificate on your SCCM server. I want to use SCCM for managing my clients, deploying applications, deploying compliance policy and generating reports. Why would I need a certificate for my SCCM server?

    1. In short, using the cert you secure the communication between DPs and clients using HTTPS.

  4. Hi,

    I am experiencing an issue wherein my Management Point cannot connect using HTTPS.

    When I look at the logs (mpcontrol.log) I notice that the certificate I produced does not support SSL.

    I receive the message – Certificate doesn’t have “SSL Client Authentication” capabilities

    I am confident that I followed your tutorial precisely and am wondering if you have encountered this error before?

    Thank you

  5. Hi,
    Since DPs use IIS do I need to deploy IIS certificate on these DPs?
    Thank you for your reply.
    Good tenhnet.

  6. Rob Mulder says:

    How do I renew this certificate?
    The other 2 are good till 2021 but the Web Server Certificate was expired.
    I did this:
    MMC/Certificates (Local Computer)/Personal
    right-click on SCCM Web Service Certificate and then All Tasks, Advanced Operations, Renew Cert with same key
    Got a new one, changed cert in IIS, run IISreset.
    The site is working again BUT
    Cannot connect to applicationserver

  7. For the first step “Create a security group named SCCM IIS Servers that contains the member servers to install System Center 2012 Configuration Manager site systems that will run IIS.” How can I add the server to that group if it is in a different domain as the CA?

  8. Graham Riley says:

    Thanks for this, we followed the guide through and all is working perfectly. Can you tell us what will happen in two years time when we need to renew the certificate? Will it automatically renew?

  9. Prajwal,

    We get all of our certs from an external CA. What steps do you take when you don’t have a CA within your domain? I don’t have an option for Certificate Templates in Server 2016 Certificate management.

    Thanks,
    Nick

  10. Hello Prajwal & people,

    Is the Web Server Certificate required for the Primary site (No MP/DP/SUP role installed on) ???
    Your opinion?
    Thank you in advance,
    Luc

  11. Vidura Perera says:

    Hi Prajwal,
    First of all thank you for the help in SCCM.

    I have an issue. I’m in the process of adding MAC PCs to SCCM 2012 R2. And while I'm trying to follow your guide I'm stuck at adding “SCCM IIS Servers” to the security tab when trying to
    Deploying Web Server Certificate for Site Systems that Run IIS. There is no user group or any OUI called as such. What should I do to fix the issue?

    Thanks in advance.

      1. Mario Borja says:

        Prajwal,
        I am also curious about the statement above regarding the “SCCM IIS Servers” group. I am attempting to perform a similar configuration and also do not have the group in my AD or on the stand-alone SCCM server. What is the purpose of this group and does it get automatically created somewhere?

    1. Mark Louie says:

      Hi Prajwal,

      Same issue I encountered. Can you explain what “SCCM IIS Server” is for? Do I need to create a group named “SCCM IIS Server” on my domain controller?

      Looking forward for your response,

      Thanks and more power.

  12. I do not have the Certificate Template in certsvr.csv. Does somebody know why?

  13. Kenneth Dean says:

    Dude, your blogs are better than technet, systemcenterdudes, & windowsnoob combined. I really appreciate how you literally go step by step leaving nothing left to the avg Sys Admin's imagination :), onto step 2 for mac enrollment :):):) very happy to have stumbled upon this, may I add you to my linkedin profile? I want to be up to date on your posts, website urls etc. Loyal Follower!!! lol 🙂
