In this post we will see the steps for deploying the client certificate for distribution points. This is one of the posts of Deploy PKI Certificates for SCCM 2012 R2 Step by Step Guide. In the previous post we understood more about PKI certificate requirements, deploying web server certificate for site systems that run IIS, deploying client certificates for windows computers. The next step is to deploy the client certificate for distribution points.

This certificate server two purposes. The certificate is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution point sends status messages. When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to a HTTPS-enabled management point during the deployment of the operating system. You can log in with a root domain administrator account or an enterprise domain administrator account and use this account for all procedures in this example deployment.

This certificate deployment has the following procedures:

Install and Update Third Party Applications with Patch My PC
Install and Update Third Party Applications with Patch My PC

  1. Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
  2. Requesting the Custom Workstation Authentication Certificate
  3. Exporting the Client Certificate for Distribution Points

Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority

On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

Deploying the Client Certificate for Distribution Points

In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

Deploying the Client Certificate for Distribution Points

In the Duplicate Template dialog box, ensure that Windows 2003 Server is selected.

Deploying the Client Certificate for Distribution Points

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as SCCM Client Distribution Point Certificate.

Deploying the Client Certificate for Distribution Points

Click the Request Handling tab, and select Allow private key to be exported.

Deploying the Client Certificate for Distribution Points
Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group.

Deploying the Client Certificate for Distribution Points

Click Add, enter SCCM IIS Servers in the text box, and then click OK. Select the Enroll permission for this group, and do not clear the Read permission. Click OK and close Certificate Templates Console.

Deploying the Client Certificate for Distribution Points

In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

Deploying the Client Certificate for Distribution Points

In the Enable Certificate Templates dialog box, select the new template that you have just created, SCCM Client Distribution Point Certificate, and then click OK.

Deploying the Client Certificate for Distribution Points

Requesting the Custom Workstation Authentication Certificate

This procedure requests and then installs the custom client certificate on to the member server that runs IIS and that will be configured as a distribution point. Run the mmc command to launch the Certificate snap-in dialog box, select Computer account and then click Next. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.In the Add or Remove Snap-ins dialog box, click OK. In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.

Deploying the Client Certificate for Distribution Points

On the Request Certificates page, select the SCCM Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll.

Deploying the Client Certificate for Distribution Points

On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

Deploying the Client Certificate for Distribution Points

In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that SCCM Client Distribution Point Certificate is displayed in the Certificate Template column.

Deploying the Client Certificate for Distribution Points

Exporting the Client Certificate for Distribution Points

In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export.

Deploying the Client Certificate for Distribution Points

In the Certificates Export Wizard, click Next. On the Export Private Key page, select Yes, export the private key, and then click Next.

Deploying the Client Certificate for Distribution Points

On the Export File Format page, ensure that the option Personal Information Exchange – PKCS #12 (.PFX) is selected. Click Next.

Deploying the Client Certificate for Distribution Points

On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

Deploying the Client Certificate for Distribution Points

On the File to Export page, specify the name of the file that you want to export, and then click Next.

Deploying the Client Certificate for Distribution Points

To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box. Close Certificates (Local Computer). The certificate is now ready to be imported when you configure the distribution point.

Deploying the Client Certificate for Distribution Points

Deploying the Client Certificate for Distribution Points

Now that we have got the client certificate for distribution points, let’s assign them to the DP’s. Right click on the DP and under General tab, choose HTTPS and to import the certificate click on Browse. Import the certificate that you have exported in the above steps, provide the password and click OK.

Deploying the Client Certificate for Distribution Points

For other roles, you may not be able to switch from HTTP to HTTPS as the options are greyed out. For example on Application catalog web service point, the options are greyed out. You have to uninstall both App catalog website point and App catalog web service point role and install the roles again.

Deploying the Client Certificate for Distribution Points

When you are reinstalling the App catalog web service point, you can now specify how App catalog website communicates with App catalog web service point. Choose HTTPS this time.

Deploying the Client Certificate for Distribution Points

The same goes for App catalog website point. Choose HTTPS here. Click Next.

Deploying the Client Certificate for Distribution Points

In the Configuration Manger console, navigate to Administration > Overview > Site Configuration > Sites. Right click on the site server and click Properties. Under site system settings, choose HTTPS only and click OK.

Deploying the Client Certificate for Distribution Points

Login to one the computers which has Configuration Manager client installed. Look under General tab of configuration manager client properties. You will notice that Client Certificate is changed from self-signed to PKI.

Deploying the Client Certificate for Distribution Points

Still Need Help?

If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.

Prajwal Desai

Prajwal Desai is a technology expert and 10 time Dual Microsoft MVP (Most Valuable Professional) with a focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, & community leader, known for sharing his expertise & knowledge through his blog, YouTube, conferences, webinars etc.