The cloud management gateway (CMG) provides a simple way to manage the Configuration Manager client over the internet. In the first part of this blog post series, we discussed CMG prerequisites and requirements.
In this post, we will discuss the web server authentication certificate requirements for CMG. We will issue a PKI certificate template from Microsoft PKI, enroll a certificate from it on the SCCM primary site server, and export that certificate with its private key to .PFX format for use during CMG setup.
Posts in this series:
- Part 1 | Cloud Management Gateway (CMG) Setup Guide
- Part 2 | Issue, Enroll & Export Server Authentication Certificate
- Part 3 | Configure SCCM Site for SSL
- Part 4 | Integrate Azure Active Directory with ConfigMgr
- Part 5 | Setup Cloud Management Gateway
- Part 6 | Validate CMG Health & Client Communication
Issue Web Server Authentication Certificate for CMG
A web server authentication certificate is required to establish secure communication between Configuration Manager and the Cloud Management Gateway service hosted in Azure.
Follow the steps below to issue a web server (IIS Server) authentication certificate from Microsoft PKI.
On the server running the certification authority, open the Certification Authority console, right-click Certificate Templates, and select Manage.

In the Certificate Templates console, right-click the Web Server template and select Duplicate Template.

In the Duplicate Template dialog box, ensure that Windows Server 2003 is selected for the Certification Authority option.

In the General tab, enter a template name (<Name>). Change the validity period as required.

In the Request Handling tab, select Allow private key to be exported. This is required because the certificate must later be exported with its private key to a .PFX file.

In the Security tab, remove the Enroll permission from the Enterprise Admins security group.

Choose Add, enter the name of the security group that contains the SCCM site server (SCCM IIS servers in this example) in the text box, and then choose Ok.

Select the Enroll and Read permissions for this group. Choose Ok, and close the Certificate Templates console.

Back in the Certification Authority console, right-click Certificate Templates and select New / Certificate Template to Issue.

In the Enable Certificate Templates window, select the new template you just created (<Techuisitive SCCM CMG Certificate>) and click Ok.

Enroll the Web Server Authentication certificate on the SCCM server
We made the web server authentication certificate template available for issuance in the previous steps. Now we need to enroll a certificate from it on the SCCM primary site server.
RDP to the SCCM primary site server and follow the steps below to enroll the certificate.
Go to Run, type certlm.msc and press Enter to launch the Local Computer certificate store.
In the console, expand Certificates (Local Computer) / Personal / Certificates.
Right-click Certificates, select All Tasks / Request New Certificate.

On the Before You Begin page, click Next.
If you see the Select Certificate Enrollment Policy page, choose Next.
On the Request Certificates page, identify <Web Server Certificate you created> in the list, and then select the link More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab, provide the following details.
Subject name:
- Type: Common Name
- Value: techuisitivecmg.techusitive.com
Click Add.
Alternative name:
- Type: DNS
- Value: techuisitivecmg.techusitive.com
Click Add.
Note: The value (techuisitivecmg.techusitive.com) is the CMG service name, which we identified in the prerequisites. The common name and the DNS alternative name must both match this service name exactly.

In the General tab, enter a friendly name for the certificate. Click Ok to close the Certificate Properties dialog box.

On the Request Certificates page, select <Techuisitive SCCM CMG Certificate> from the list of available certificates, and click Enroll.

On the Certificate Installation Results page, wait until the certificate is installed, then click Finish.

The certificate should now be available in the Personal > Certificates folder.

Export Certificate with Private Key
On the SCCM server, in the Certificates (Local Computer) console, right-click the <Web Server Certificate> that you just enrolled and select All Tasks / Export.

In the Certificate Export Wizard, choose Next.
On the Export Private Key page, select Yes, export the private key, and click Next.

On the Export File Format page, ensure that the Personal Information Exchange - PKCS #12 (.PFX) option is selected.
Select Include all certificates in the certification path if possible, and click Next.

On the Security page, specify a strong password to protect the exported certificate and its private key, and click Next. Keep this password available; it is required when the .PFX file is uploaded during CMG setup.

On the File to Export page, specify the name of the file that you want to export, and click Next to finish the export.
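As an added example (not part of the original post), the following PowerShell script performs the enrollment and export sections above non-interactively on the SCCM primary site server, and checks the properties the CMG setup depends on (Server Authentication EKU, DNS SAN equal to the CMG service name, exportable private key, valid chain) before writing the .PFX. The template name, CMG service name and output path are placeholders to adjust for your environment.

```powershell
# Added example, not from the original post. Placeholders (assumptions):
#   $TemplateName - the template *name* (not display name) you duplicated
#   $CmgFqdn      - the CMG service name identified in the prerequisites
#   $PfxPath      - where the exported .PFX is written
$TemplateName = 'TechuisitiveSCCMCMGCertificate'
$CmgFqdn      = 'techuisitivecmg.techusitive.com'
$PfxPath      = 'C:\Temp\cmg-webserver.pfx'

Import-Module PKI

# 1. Enroll from the enterprise CA using the default (AD-published) enrollment
#    policy. Subject CN and DNS SAN both carry the CMG service name, exactly as
#    entered in the Certificate Properties dialog of the wizard.
$req = Get-Certificate -Template $TemplateName `
                       -SubjectName "CN=$CmgFqdn" `
                       -DnsName $CmgFqdn `
                       -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($req.Status)"
}
$cert = $req.Certificate

# 2. Pre-export checks. A certificate failing any of these will not work as
#    the CMG server authentication certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)) {
    throw 'Certificate lacks the Server Authentication EKU'
}
if (-not ($cert.DnsNameList.Unicode -contains $CmgFqdn)) {
    throw "Subject Alternative Name does not contain $CmgFqdn"
}
if (-not $cert.HasPrivateKey) {
    throw 'No private key is associated with the certificate'
}

# 3. Validate the chain and name under the SSL policy, as a TLS client would.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $CmgFqdn `
                           -ErrorAction SilentlyContinue)) {
    throw 'Certificate chain or name does not validate for SSL use'
}

# 4. Export as PKCS #12 with the full certification path, protected by a
#    strong password that is prompted for rather than stored in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath `
                      -Password $pfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $PfxPath"
```

Run it in an elevated PowerShell session on the site server; the private key stays in the machine store and only the password-protected .PFX copy leaves it.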

Next Post : Part 3 | Configure SCCM Site for SSL