If you’re looking to set up and deploy PKI certificates for SCCM, this guide is for you. All the public key infrastructure (PKI) certificates that you might require for Configuration Manager are listed in the article.
You can use any PKI to create, deploy, and manage most certificates in Configuration Manager. When you use PKI certificates for client communications, you don’t have to plan for signing and encryption to secure client data communication. Managing certificates is made easier with the Microsoft PKI solution when you use certificate templates and Active Directory Certificate Services.
Configuration Manager uses a combination of self-signed and public key infrastructure (PKI) digital certificates. Microsoft recommends using the PKI certificates whenever possible. Some scenarios require PKI certificates. When PKI certificates aren’t available, the site automatically generates self-signed certificates.

Note: Starting in Configuration Manager version 2103, sites that allow HTTP client communication are deprecated. Configure the site for HTTPS or enhanced HTTP.
The PKI certificate implementation guides for SCCM that we have published use an enterprise certification authority (CA) and certificate templates. The steps are appropriate for a test network only, as a proof of concept. We recommend contacting a Microsoft consultant before you implement PKI certificates for SCCM in your organization.
Guides to Implementing PKI Certificates for SCCM
Listed below are the step-by-step guides that cover information about PKI certificates in Configuration Manager and also demonstrate the steps to implement them in your setup. Click on each guide below to learn about setting up the PKI certificates. All the PKI setup guides are available for download via the OneDrive link.
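Before working through the guides, it helps to confirm what the client will actually find in its certificate store once the enterprise CA has issued a certificate from the template. The following PowerShell diagnostic is an added example, not part of the guides or the Configuration Manager product; it assumes the standard client certificate requirements (Client Authentication EKU, exportable-or-not private key present, valid dates, trusted chain) and lists which certificates in the local computer's Personal store meet them.

```powershell
# Added diagnostic (not part of the guides): list certificates in the local
# computer's Personal store that meet the Configuration Manager client
# certificate requirements: Client Authentication EKU, private key present,
# currently valid, and chained to a trusted CA. Run from an elevated prompt.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$now = Get-Date

function Test-CMClientCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()

    # Enhanced Key Usage extension (OID 2.5.29.37) must include Client Authentication
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = $false
    if ($eku) { $hasClientAuth = ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid) }
    if (-not $hasClientAuth) { $reasons += 'missing Client Authentication EKU' }

    # The client must hold the private key, and the certificate must be in date
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $reasons += 'outside validity period' }

    # Chain must build to a trusted root; revocation is checked online (CRL/OCSP)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $reasons += "chain not trusted: $status"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CMClientCertificate -Cert $_ } |
    Sort-Object Usable -Descending |
    Format-Table Subject, Issuer, NotAfter, Usable, Reasons -AutoSize
```

A certificate that reports Usable = True here is one the client can select; if none does, the template enrollment or the trust chain on the client is the place to look before touching the site configuration.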




Hi Prajwal,
Do I need to worry about these certs if my SCCM environment is only using HTTP, DPs are set to HTTP only and allow clients to connect anonymously, MP is set to HTTP for client connections, and my primary site is set for “Use CM generated certificates for HTTP site systems”?
Hi Prajwal, great tutorial! thank you.
So for workgroup client deployment I changed the install parameter of the SCCM client because it couldn't connect to the MP on the SSL port.
In the LocationServices log I found the following row:
Skipping DNS record of port 443 as it is not compatible with Client
The magic parameter is CCMHTTPSSTATE=31 (I don’t know what this parameter exactly is …)
Final string for client installation:
ccmsetup.exe /source:"C:\Temp\Client" SMSSITECODE= SMSMP= DNSSUFFIX= CCMHTTPSSTATE=31
After attempting all these recommended steps, clients are not communicating and the PKI certificate is not showing in the Configuration Manager client in Control Panel.
Thank you for your awesome guide! You saved me!
Do we have a technical document to refer to if we change the Enterprise PKI (MECM)?
And secondary sites? Do I need a CA too, and to configure the same thing?
All MPs have Internal server error 500
PDFs are not getting downloaded.
Downloads are working fine. If you have adblocker installed in browser, disable it and then try.