PKI Certificate Requirement for SCCM
The following are the types of PKI certificates that Configuration Manager requires:
- SCCM IIS Certificate
- SCCM DP Certificate
- SCCM Client Certificate
For complete details on how to deploy PKI for an SCCM infrastructure, please check the Microsoft article below:
Security Group – AD
We need to create a security group in AD named “SCCM IIS Servers” and add all of our SCCM related servers to this group as members.
Certificate Authority
Open the Certification Authority console, right-click Certificate Templates and click Manage.
Now duplicate the Web Server and Workstation Authentication templates.
SCCM IIS Certificate
Duplicate the Web Server template, name it “SCCM IIS Certificate”, set the subject name to “Supply in the request”, and give the SCCM IIS Servers group Read and Enroll permissions, as shown in the screenshots.
SCCM DP Certificate
Duplicate the Workstation Authentication template, name it “SCCM DP Certificate”, give the SCCM IIS Servers group Read and Enroll permissions, and enable “Allow private key to be exported”.
SCCM Client Certificate
Duplicate the Workstation Authentication template, name it “SCCM Client Certificate”, enable “DNS name” in the subject alternative name, and give Domain Computers Read, Enroll and Autoenroll permissions, as shown in the screenshots.
Now you should have 3 certificate templates with the following names:
- SCCM IIS Certificate – with private key
- SCCM DP Certificate – with private key
- SCCM Client Certificate
Issue the certificates:
Navigate to the root of the Certification Authority console, right-click Certificate Templates, click New, and click Certificate Template to Issue.
Select the 4 newly created SCCM templates.
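The AD security group and the “Certificate Template to Issue” step above can also be done from PowerShell. The script below is an added example, not part of the original post: it creates the group, adds the site servers, publishes the three duplicated templates on the CA with the ADCSAdministration module, and then reads the template ACLs back to confirm which principals actually hold the Enroll right. The server names, OU path and the assumption that the template *names* are the display names without spaces (the MMC default when you duplicate a template) are placeholders for your environment.

```powershell
# Added example (not from the original post). Run on the issuing CA as an
# enterprise admin / CA admin. Assumptions: server names, OU path, template names.
Import-Module ActiveDirectory
Import-Module ADCSAdministration      # provides Get-CATemplate / Add-CATemplate

$groupName   = 'SCCM IIS Servers'
$groupOU     = 'OU=Groups,DC=corp,DC=example'   # assumption: your group OU
$sccmServers = 'SCCM01', 'SCCMDP01'              # assumption: your site system servers

# 1. Security group that receives Read/Enroll on the IIS and DP templates
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName 'SCCMIISServers' `
        -GroupScope Global -GroupCategory Security -Path $groupOU
}
foreach ($server in $sccmServers) {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer $server)
}
# Note: a server only carries the new group SID after its next logon,
# so reboot the site servers before they try to enroll.

# 2. Publish the templates on the CA (same as New > Certificate Template to Issue).
#    These are template names (CN), not display names: MMC strips the spaces by default.
$templates = 'SCCMIISCertificate', 'SCCMDPCertificate', 'SCCMClientCertificate'
$published = (Get-CATemplate).Name
foreach ($template in $templates) {
    if ($published -notcontains $template) {
        Add-CATemplate -Name $template -Force
    }
}

# 3. Check: who holds Enroll on each template? Enroll is the extended right
#    0e10c968-78fb-11d2-90d4-00c04f79dc55 on the template object in the
#    configuration partition. Only the group (IIS/DP templates) and Domain
#    Computers (client template) should show up here.
$enrollRight = '0e10c968-78fb-11d2-90d4-00c04f79dc55'
$configNC    = (Get-ADRootDSE).configurationNamingContext
foreach ($template in $templates) {
    $dn  = "CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"
    $enrollers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
        Select-Object -ExpandProperty IdentityReference
    '{0}: Enroll granted to {1}' -f $template, ($enrollers -join ', ')
}
```

The permission check matters most on the SCCM IIS Certificate template: because its subject is supplied in the request, anyone with Enroll on it can ask for a certificate with any name, so the output for that template should list only the SCCM IIS Servers group (plus the usual Domain Admins / Enterprise Admins entries).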
GPO – Autoenroll SCCM Workstation Cert
We enabled Autoenroll on the SCCM Workstation Authentication template so that clients can request certificates automatically.
To enable this through a GPO, create a new GPO, edit it, and navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Certificate Services Client – Auto-Enrollment.
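The same GPO can be created with the GroupPolicy module, which is useful when you want the setting in a script or want to verify from a client that autoenrollment actually produced the expected certificate. The script below is an added example, not the original post’s procedure: it creates and links the GPO, writes the Auto-Enrollment policy value (the GPO editor stores the “Enabled” plus the two renew/update check boxes in the AEPolicy registry value), then on a client forces the policy and enrollment cycle and lists certificates that look like the SCCM client certificate. The GPO name and link target are assumptions.

```powershell
# Added example (not from the original post).
# Part A runs on a management host with the GroupPolicy module (RSAT).
Import-Module GroupPolicy

$gpoName = 'SCCM - Certificate AutoEnrollment'      # assumption
$target  = 'OU=Workstations,DC=corp,DC=example'     # assumption: where clients live

if (-not (Get-GPO -All | Where-Object { $_.Name -eq $gpoName })) {
    New-GPO -Name $gpoName | Out-Null
}

# "Certificate Services Client - Auto-Enrollment" is stored in this key.
# AEPolicy = 7 -> Enabled (1) + Renew expired/update pending (2) + Update templates (4)
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

if (-not (Get-GPInheritance -Target $target).GpoLinks.DisplayName -contains $gpoName) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Part B runs on a domain-joined client (as administrator). Instead of waiting
# for the next policy/autoenrollment cycle, refresh policy and pulse enrollment.
gpupdate /target:computer /force
certutil -pulse

# Verify: the SCCM Client Certificate template issues a client-auth certificate
# whose SAN carries the computer's DNS name. Look for exactly that in the
# machine store; anything missing a SAN or a private key will not work for SCCM.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku } |
    ForEach-Object {
        $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            HasDnsSan     = $san -like "*DNS Name=$fqdn*"
            HasPrivateKey = $_.HasPrivateKey
        }
    }
```

If Part B returns nothing, check that the client can reach the CA and that Domain Computers really holds Autoenroll on the template; the client logs enrollment failures under Applications and Services Logs > Microsoft > Windows > CertificateServicesClient-Lifecycle-System.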