Overview
In this step-by-step guide, we will walk through the process of switching Microsoft SCCM from HTTP to HTTPS.
Topics in Video
- Install Active Directory Certificate Services – https://youtu.be/nChKKM9APAQ?t=30
- Create Certificate Templates for SCCM – https://youtu.be/nChKKM9APAQ?t=296
- Create Auto-Enroll GPO for the Client Certificate – https://youtu.be/nChKKM9APAQ?t=654
- Requesting the IIS and DP/OSD Certificate on the IIS Site System – https://youtu.be/nChKKM9APAQ?t=722
- Bind Requested Certificate to Site in IIS for Default and WSUS Website – https://youtu.be/nChKKM9APAQ?t=961
- Configure WSUS to Require SSL – https://youtu.be/nChKKM9APAQ?t=1056
- Configure DP, MP, and SUP to use SSL – https://youtu.be/nChKKM9APAQ?t=1176
- Verify Client Received Client Certificate and SCCM Client Changes to SSL – https://youtu.be/nChKKM9APAQ?t=1715
- Active Directory Certificate Service Components – http://www.rebeladmin.com/2018/05/active-directory-certificate-service-components/
- How PKI Works – http://www.rebeladmin.com/2018/05/how-pki-works/
- How to Configure the WSUS Web Site to Use SSL – https://technet.microsoft.com/en-us/library/bb633246.aspx
- Install the Certification Authority – https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority
- PKI certificate requirements for System Center Configuration Manager – https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements
- PKI Deployment Models – http://www.rebeladmin.com/2018/05/pki-deployment-models/
- Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 certification authority – https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates
I may have a couple of questions throughout the course of the day, but my first one is if I apply the DP cert globally to the site, do I also need to apply to the various roles (for instance, the DP)?
Hi Jasmine, I’m not aware of a way to apply the DP cert globally. You would need to apply it to each DP site system role (to my knowledge). I was saying that you can use the same .PFX certificate you exported on multiple DPs on the distribution point site system used in OSD.
@Jasmine – You need to apply the certificate only to the Distribution Point. If you have multiple DPs, yes, each DP needs a cert and you must export the cert and apply it for each DP. You can also delete IIS > Default Web Site > http binding because once we set the DPs to run on HTTPS, you don’t need http.
This is a fantastic tutorial, thank you! Question, If we want to install client certificates on domain controllers, is it best to clone a new cert template with “Domain Controllers” permissions, or simply add the “Domain Controllers” permissions to the same client cert used on other machines?
I think adding the Domain Controllers group to have read, enroll, and auto-enroll to the existing workstation authentication template you duplicated would be fine and easiest. Either would work fine though.
Great Vid, Thanks!
I was wondering what the specific requirements were for achieving PXE boot OSD with PKI?
Specifically, how does the cert get to the client? Do I need to add it to WinPE?
Good question, for boot media I’m pretty sure it does get injected into the boot.wim. I want to say PXE and Full OS deployments pick up the client cert during initial policy, but I may be wrong there.
Thank you for the video.
I’m just following this video to setup sccm with cert.
I have created all three certs, added all site/DP servers to the security groups, and applied the IIS cert to the SCCM server, entering the SCCM name and FQDN.
Without the FQDN I can’t access the site, but with the FQDN I can access the site, though it shows the wrong cert.
I have checked IIS and I can see the correct cert is bound to the default site; I have restarted IIS.
Is there something I’m missing?
Did you add the FQDN in the subject alternative name when requesting the certificate?
If you have SCCM server and WSUS on different server then how would you do the cert.
It would be pretty much the same process, but you would also need to request the Web Server certificate on the remote SUP. The process to bind it in IIS will be the same.
I have the same case: my WSUS is on a main server, so what would be the process? Do we have to export the IIS certificate with the DNS name of the main server, or with that of the WSUS server?
After following the steps in the video I can’t deploy any OS.
I tried a boot media iso, I’ve got a generic error about unable to retrieve policies.
Using pxe the WinPE isn’t loaded.
Inside the smspxe.log I’ve got the following errors:
Cannot read the registry of MACIgnoreListFile(0000000)
MAC Ignore list Filename in registry is empty.
Do we need extra steps to get boot media working after installing certificates ?
You need to regenerate boot media so it includes the cert.
That’s what I did. It even says that the certificate is already in use.
And I did check all the steps as in the video, and everything is ok.
Do I need to uninstall WDS and reinstall ?
No, try updating the boot images on the DP.
I found the error looking at the log file X:\Windows\Temp\Smsts.log.
I didn’t have an ip in the authorized range !
It was a good exercise. I learned something and I have something new to learn “How do we set the default locales”.
I assume that’s not the way SCCM does things.
Is it possible to use a 3rd party (non MS) root CA and define MS CA Services as a subordinate?
Yes, this should be possible. The biggest thing is the clients trust the cert and vice-versa.
Thanks Justin, great stuff!
We are using a cloud-based CA. So far, I have created a CSR via IIS on our primary site. I then handed that request over to our SeOps team who manages our CA. They then handed me a cert that I have no idea how to use. What would be my process??? I’m sooooo confused!
What format is the certificate?
Import the PFX into the personal store using certlm.msc
Hi Justin. Thank you so much for putting all this info out there.
Could you please also create a guide on how to switch to another PKI in the same domain? So how to replace all certificates on the server side and on the client side in case you have a new PKI.
Switching PKI would be out of my wheelhouse.
I implemented your PKI setup guide but now I am getting errors in the multicast site service role. What I did notice is, on the SCCM server, when I go to https://SCCM/ I get an untrusted certificate, but when I use the FQDN there is no certificate error. On a workstation both addresses work.
Here is the message from the multicast site service.
MCS Control Manager detected MCS is not responding to HTTP requests. The http status code and text is 12029
Additional info, when I open a browser on the server and go to https://SCCM the browser tries to use the “ConfigMgr SQL Server Identification Certificate” instead of the one I created with your tutorial.
You need to configure the correct cert in IIS
This only happens on the SCCM server itself, all other computers get the correct cert.
Finally got it after editing the hosts file and adding an SNI.
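Two threads above come down to the same question: which certificate IIS actually serves on port 443, and whether that certificate names the site FQDN in its Subject Alternative Name and chains to a trusted root. The following PowerShell is an added example, not code from the video or from any commenter; it assumes the IIS WebAdministration module is available, that the binding lives on “Default Web Site”, and that the FQDN shown is a placeholder for your own site server name.

```powershell
# Added example: report what the IIS HTTPS binding on the SCCM site system serves.
# Assumptions: WebAdministration module present, site is 'Default Web Site',
# and $Fqdn is a placeholder for the real site server FQDN.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$Fqdn     = 'sccm-server.domain.com'   # placeholder, replace with your site FQDN

$bindings = Get-WebBinding -Name $SiteName -Protocol https
if (-not $bindings) { throw "No HTTPS binding found on '$SiteName'." }

foreach ($b in $bindings) {
    # For https bindings IIS records the thumbprint and store of the bound certificate
    $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
    $cert = Get-Item $path -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation) references a certificate not in the store: $path"
        continue
    }

    # Pull DNS names out of the Subject Alternative Name extension (OID 2.5.29.17)
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = ($sanExt.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }

    # Build the chain the way a client on this machine would; failures show in ChainStatus
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Binding        = $b.bindingInformation
        SniEnabled     = [bool]($b.sslFlags -band 1)      # sslFlags bit 1 = SNI required
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        SanDnsNames    = ($dnsNames -join '; ')
        FqdnInSan      = ($dnsNames -contains $Fqdn)      # case-insensitive compare
        HasPrivateKey  = $cert.HasPrivateKey
        ChainTrusted   = $chainOk
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join '; ')
        EnhancedKeyUse = (($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join '; ')
        NotAfter       = $cert.NotAfter
    }
}
```

Run it on the site system itself: a `Subject` of “ConfigMgr SQL Server Identification Certificate”, a `FqdnInSan` of False, or a `ChainTrusted` of False on the server points at the binding rather than at the clients, which is the situation described in the two threads above. A `SanDnsNames` list that contains only the short host name explains why the FQDN URL shows the wrong certificate.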
Hi Justin, thanks for putting out these SCCM resources!
I’m initially setting this in our lab to make sure it goes smoothly when we install in production. And following your videos, I was able to deploy SCCM 1902 and upgraded to 1910 successfully. I was able to deploy agents with no issue.
And from what I gather I need to implement HTTPS/PKI in order to use MBAM. I followed your procedure which I think I setup correctly. However, my client computers stopped communicating with the SCCM server after I switch it to HTTPS.
Here’s the error I’m getting from the client’s CcmMessaging.log.
“Post to http://sccm-server.domain.com/ccm_system/request failed with 0x87d00231.”
mpcontrol.log seems to show that MP is working.
“Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK”
Clients can take some time to detect the MP port change. This would happen at the client location lookup.
great article. One question, we would like to implement IBCM and/or CMG for clients system from external to connect to SCCM Server. as part of the process when we change the SCCM from http to https, do we need to redeploy the clients tools and/or what is the effect on the clients?
Existing clients should detect the site’s HTTPS change in the next location lookup.
My security team don’t want to create a template for a cert that is exportable.
For the pfx file needed to the distribution point, could they just supply me a non exportable cert in pfx format and the password to use instead?
Or does the cert have to be exportable for it to work for OSD?
No, I don’t think this would work because the private key is needed during import.
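The earlier “import the PFX into the personal store using certlm.msc” reply and this exchange about the DP/OSD certificate both hinge on one thing: whether the .pfx file handed to you actually carries a private key. The PowerShell below is an added example, not code from the video or from any commenter; it assumes the PKI module (`Get-PfxData`, `Import-PfxCertificate`, Windows Server 2012 and later) and uses a placeholder file path.

```powershell
# Added example: inspect a PFX before importing it, confirm it carries a private
# key, then import it into LocalMachine\My (what certlm.msc shows as Personal).
# Assumptions: PKI module available; $PfxPath is a placeholder.
$PfxPath  = 'C:\Certs\SCCM-DP-OSD.pfx'                 # placeholder path
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

# Read the file contents without writing anything to a certificate store
$pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }

"Subject       : $($leaf.Subject)"
"Thumbprint    : $($leaf.Thumbprint)"
"NotAfter      : $($leaf.NotAfter)"
"HasPrivateKey : $($leaf.HasPrivateKey)"
"Other certs   : $(($pfx.OtherCertificates | ForEach-Object { $_.Subject }) -join ' | ')"

# The DP/OSD import and an IIS binding both need the private key to be present
if (-not $leaf.HasPrivateKey) {
    throw 'This PFX contains no private key, so the site system cannot use it.'
}

# Import into the machine Personal store. Add -Exportable only if the key must be
# exported from this server again later (e.g. to reuse the same PFX on another DP).
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $Password

# Verify the stored copy is usable before selecting it in IIS or the console
$stored = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if ($stored -and $stored.HasPrivateKey) {
    "Imported $($stored.Thumbprint) with private key into LocalMachine\My"
} else {
    throw 'Import did not leave a usable private key in the machine store.'
}
```

`Get-PfxData` only reads the file, so it is safe to run on a certificate supplied by another team before deciding what to do with it; if `HasPrivateKey` is False, the file is a public certificate rather than a usable PFX, regardless of its extension.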
My question is more curiosity. Why do I have to make compatibility for Server 2003 on the IIS template? All my servers, including SCCM, are at least 2016 and my clients are all Win 10. I followed the instructions; just curious why we would choose this setting.
It’s just compatibility with ConfigMgr client, not sure why this is the case, but it’s a MSFT issue with newer I assume.
Great video guide Justin. Thanks again for your series of videos!
One question, if your Site Server and SQL are on separate boxes what do you need to do cert-wise on the SQL box which is the Site Database Server and Reporting Services Point?
I’m a little confused with the DP cert.
We have 9 DPs, 6 of which are PXE enabled.
For the OSDCert, do I need to export one individually from each DP and then import it to each DP in the console?
I’m a bit concerned how it might screw up OSD.
One thing that is missing from this video is the requirement to add the Trusted Root CA into the, now named, Communication Security tab of the Primary Site.
Without this, machines will not be able to PXE boot. Took a lot of digging to find out why that wasn’t working.
Excellent video though, incredibly helpful!
Hello Justin Great tutorial. Just one question if I’m using Enhanced HTTP communication which certificate do I export the private key for OSD clients? Or do I need to go full https PKI for DPs to PXE-Boot?
Kindly let me know if there is any difference between the trusted root certificate and the SCCM client certificate.
Deployment of the trusted root certificate and the SCCM client certificate will be the same.
How to create the trusted root certificate and the SCCM client certificate?
The SCCM web server certificate has to go only on IIS (SCCM site role + primary site server).