In this guide, you’ll learn how to create and deploy an SCCM client certificate for Windows computers. The workstation authentication template certificate authenticates the client to site systems that run IIS and support HTTPS client connections.
This guide is an essential part of the PKI certificates deployment for SCCM. In the previous guide, we covered the steps to create and enroll a web server certificate for IIS site systems. The next step is to create a client authentication certificate for Windows devices and auto-enroll it using Group Policy.
Prerequisites
To create a client certificate for Windows computers, the following are the requirements:

- Certificate purpose: Client authentication
- Microsoft certificate template used: Workstation Authentication
- The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)
- The Key Usage value must contain Digital Signature, Key Encipherment (a0)
- Client computers must have a unique value in the Subject Name or Subject Alternative Name field.
Check out the detailed guide by Microsoft on PKI requirements for SCCM, including the certificate requirements.
Create Workstation Authentication Certificate Template
This procedure creates a certificate template for Configuration Manager client computers and adds it to the certification authority.
To begin with, on the member server that is running the Certification Authority console, right-click Certificate Templates and then select Manage to load the Certificate Templates management console.

Right-click the Workstation Authentication template and select Duplicate Template.

On the New Template properties window, switch to the Compatibility tab and configure the following:
- Certificate recipient: Windows XP/Server 2003
- Certification Authority: Windows Server 2003

In the Properties of New Template dialog box, select the General tab. Enter a template name, like SCCM Client Certificate, to generate the client certificates that will be used on Configuration Manager client computers.
The client certificate will have a validity period of 1 year and the renewal period is set to 6 weeks. Click Apply to save the changes.

Choose the Security tab, select the Domain Computers group, and then select the additional permissions of Read and Autoenroll. Do not clear Enroll. Click OK, and then close the Certificate Templates Console.

Issue Workstation Authentication Certificate Template
In this step, we’ll issue the SCCM client certificate from the Certification Authority. In the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.

Now select the SCCM client certificate that you have just created and then click OK. Close Certification Authority.

Configure Auto enrollment of Workstation Authentication Template using Group Policy
This procedure sets up Group Policy to autoenroll the SCCM client certificate on computers. Log in to the domain controller and launch the Server Manager. Now from the menu, select Tools > Group Policy Management.
Right-click the domain, and then choose Create a GPO in this domain and Link it here. On the New GPO window, specify the policy name as “Autoenroll SCCM Client Certificate” and click OK.

Right-click the GPO and select Edit. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings > Security Settings > Public Key Policies. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

From the Configuration Model drop-down list, select Enabled. Now check both of the following options:
- Renew expired certificates, update pending certificates, and remove revoked certificates
- Update certificates that use certificate templates
Click Apply and OK. Close the Group Policy Management Editor. That completes the process of creating a GPO to automatically enroll the client certificate.

Automatically Enroll SCCM Client Certificate
In this step, we’ll manually check if the GPO has deployed the client certificate on Windows computers. It is recommended that you restart the client computers before checking for the presence of the client authentication certificate.
Log in to the client computer and run the command certlm.msc to launch the Certificates console. In the console, expand Certificates (Local Computer) > Personal > Certificates. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column and that SCCM Client Certificate is displayed in the Certificate Template column. Close the console.

Next, log in to your management point server and open the certificates console. Navigate to Personal > Certificates; here too you should find the client authentication certificate installed, because the management point is also a domain computer and receives it through the same GPO.
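The console check above can be scripted so that the same verification runs on any client or site system. The following PowerShell script is an added example and is not part of the original guide; it assumes the template display name “SCCM Client Certificate” used in this guide (change $TemplateName otherwise) and checks the certificate in the local computer’s Personal store against the requirements listed under Prerequisites: the Client Authentication EKU (1.3.6.1.5.5.7.3.2), the Digital Signature and Key Encipherment key usages, a unique name in the Subject or Subject Alternative Name, a private key, and the remaining validity relative to the 6-week renewal period.

```powershell
# Added verification example (not from the original guide). Run in an elevated
# PowerShell session on a client computer or site system.
# Assumption: the template display name is "SCCM Client Certificate" as in the guide.
$TemplateName  = 'SCCM Client Certificate'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                               # Client Authentication EKU
$TemplateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'    # V2 and V1 template extensions
$RenewalDays   = 42                                                 # 6-week renewal period from the template

# Local FQDN, used to confirm the certificate carries this computer's name
$fqdn = try { [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName } catch { $env:COMPUTERNAME }

function Get-SccmClientCertificate {
    # Return every certificate in Cert:\LocalMachine\My issued from the named template.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value }
        # Format() renders "Template=<name>(<oid>)" for V2 templates and the bare name for V1.
        # If the template OID does not resolve to a name on this machine, filter on the OID instead.
        $ext -and ((($ext | ForEach-Object { $_.Format($false) }) -join ';') -like "*$TemplateName*")
    }
}

function Test-SccmClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $kuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ku = if ($kuExt) { $kuExt.KeyUsages } else { $flags::None }

    $sans     = @($Cert.DnsNameList.Unicode)          # DnsNameList is added by the Cert: provider
    $daysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays

    [PSCustomObject]@{
        Thumbprint         = $Cert.Thumbprint
        Subject            = $Cert.Subject
        SubjectAltNames    = ($sans -join ', ')
        # Client computers need a unique name in Subject or SAN; the local FQDN should appear in one of them
        NameMatchesHost    = ($sans -contains $fqdn) -or ($Cert.Subject -like "*CN=$fqdn*")
        HasClientAuthEku   = [bool]($Cert.EnhancedKeyUsageList | Where-Object ObjectId -eq $ClientAuthOid)
        HasDigitalSig      = $ku.HasFlag($flags::DigitalSignature)
        HasKeyEncipherment = $ku.HasFlag($flags::KeyEncipherment)
        HasPrivateKey      = $Cert.HasPrivateKey
        DaysUntilExpiry    = $daysLeft
        InRenewalWindow    = ($daysLeft -le $RenewalDays)
    }
}

$certs = @(Get-SccmClientCertificate)
if (-not $certs) {
    Write-Warning "No certificate from template '$TemplateName' found in Cert:\LocalMachine\My."
    Write-Warning "Run 'gpupdate /force' followed by 'certutil -pulse' to trigger autoenrollment, then check again."
} else {
    $certs | ForEach-Object { Test-SccmClientCertificate -Cert $_ } | Format-List
}
```

Every Has* and NameMatchesHost field should read True on a correctly enrolled computer; a certificate that is present but lacks the private key or the Client Authentication EKU will not be usable for HTTPS client connections to the site systems, and InRenewalWindow being True for longer than a few days suggests autoenrollment renewal is not running.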
This confirms that our client computers are successfully provisioned with a Configuration Manager client certificate. In the next guide, we’ll go through the steps for deploying the client certificate for distribution points.
Hello,
First of all great site and article.
Other than the fact that you have probably followed Microsoft’s documentation, is there a reason you are explicitly saying “ensure that Windows Server 2003 is selected”?
Do you know if the Server compatibility being “Windows Server 2016” would cause any issues?
Trying to get an answer from Microsoft is impossible because they point you to their article but they cannot explain the reason as to why.
Thanks
Hello,
I have the Client Authentication certificate expired on Clients which continue to send their inventory and get success from Deployment!!! Is it normal?
What is the process to renew them? could it be automatic?
Could I get a list of all certificates and expiration date for a specific SCCM Collection?
For now I am renewing them manually …
Thanks,
Dom
Can we deploy the client authentication certificate using SCCM to devices
Can you please help me how to generate certificate for DMZ/WG machines in order to communicate to the SCCM, ?
Hello,
Which role services do I need on the CA to enable auto-enrollment of certificates to PCs? Are the role services Certification Authority and Certification Authority Web Enrollment sufficient, or do I need to install the Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service?
You need another entry in the GPO to automatically issue the requested certificates, otherwise they will be “pending” on the CA.
You have to tell the clients what type of certificate they can request and this can be done by creating a Certificate Request Setting. To set it up expand the Public Keys Policies folder, right-click Automatic Certificate Request Settings and choose New > Automatic Certificate Request. Choose Computer.
Thanks for all the guides Prajwal, I learnt so much thanks to you!
Hello,
very nice guide.
One question regarding the certificates. Is it not important or necessary to tick the box
on the “General” tab “Publish certificate in Active Directory”?
BR
Sandra
Don’t do it. Not necessary. Will only bloat AD.
Great guide! Thanks for taking the time to document the process. 🙂
Hello! First of all great site, helped me a lot and I installed 2 System Center from scratch in the last 6 months. I’m trying now the certificates and all is working. I have one Server that is the primary site and only one by now (will have DP on different locations though). I already have Server Authentication certificates for IIS and SQL Server (was already there). Am I missing something from the last paragraph or is everything OK?
Could you please tell us how to deploy the above certificate for Windows 10, as Windows 10 neither communicates with our local CA server (Windows Server 2008 CA) nor auto-enrolls.
We are deploying the certificate manually, but it makes confusion for the SCCM server as the certificate is one for all computers, not an individual client certificate.