This guide covers the steps to create and enroll a web server certificate for IIS site systems in SCCM. A web server certificate is used to encrypt data and authenticate the server to clients. This essential guide is a part of PKI certificate deployment for SCCM.
After installing the root CA for SCCM, the next step is to create a web server certificate and assign it to the site systems that run IIS and support HTTPS client connections.
According to Microsoft, the web server certificate serves two main purposes:

- Authenticate the servers to the client.
- Encrypt all data that’s transferred between the client and these servers with TLS.
After you generate the web server certificate, you can assign this certificate to the following ConfigMgr roles:
- Management point
- Distribution point
- Software update point
Prerequisites
The prerequisites for creating the web server certificate for SCCM are as follows:
- You must log in to the certificate authority server with a root domain administrator account or an enterprise domain administrator account.
- You need a server authentication certificate; the template it is duplicated from is the built-in Web Server template.
- The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).
- If the site system accepts connections from the internet, the Subject Name or Subject Alternative Name must contain the internet fully qualified domain name (FQDN).
- If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer’s name, depending on how the site system is set up.
- This certificate must be placed in the Personal store in the Computer certificate store.
Deploy Web Server Certificate for IIS Site Systems
The entire procedure for creating and assigning a web server certificate for IIS site systems involves many steps. To make it easier to follow, I have split them into separate steps.
Step 1: Create SCCM IIS Servers security group in AD
First and foremost, you’ll need a security group created in Active Directory that contains all the SCCM site system servers that run IIS. This makes it easy to assign the web server certificate to a group of servers.
Creating a security group in ADUC is straightforward. Launch the Active Directory Users and Computers snap-in. Right-click on the domain and select New > Group. Enter the name of the group as “SCCM IIS Servers” and choose the group type as Security and Group Scope as Global. Click OK.

After the security group is created, the next step is to add all the site system servers that run IIS to this group. To do that, right-click the SCCM IIS Servers group and select Properties. Switch to the Members tab and click the Add button and include all the site system servers that run IIS.
In the below screenshot, notice that we’ve added the ConfigMgr server to the group. This computer is a Configuration Manager primary site server running most of the roles. In your case, there could be multiple IIS servers that need to be part of this group.
Once you have made the changes, click Apply and OK.

Step 2: Create Web Server Certificate Template
To create a web server certificate template, sign in to the domain controller or a member server installed with Certificate Services and launch the Certificate Authority console. In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

Right-click on the Web Server template and select Duplicate Template.

On the New Template properties window, switch to the Compatibility tab and configure the following:
- Certificate Authority: Windows 2003 Server
- Certificate recipient: Windows XP/Server 2003
The compatibility settings determine which operating systems and versions can use the certificate. We have set the compatibility levels to the lowest possible level to ensure that this certificate works with the majority of operating systems. You can change the compatibility settings and select a higher-version operating system, such as Server 2012 R2 or 2016.

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems.
In the below example, the template display name entered is SCCM Web Server Certificate. The certificate generated will be valid for 2 years and the renewal period is configured to 6 weeks. Click Apply to save the changes.

Next, select the Subject Name tab, and make sure that Supply in the request is selected.

In this step, we configure the security permissions for the group. In the Properties of New Template dialog box, select the Security tab.
Remove the Enroll permission from the security groups: Domain Admins and Enterprise Admins. When you do this, both groups will have only Read and Write permissions.

In the Security tab, click on the Add button and add the SCCM IIS Servers security group that we created previously. For this group, allow the Enroll permission and Read permission. Click OK and close the Certificate Templates Console.

Step 3: Issue the SCCM Web Server Certificate
In this step, we will issue the SCCM web server certificate that we created in the above step. Once you complete this step, you can request the certificate on the site system servers running IIS.
In the Certificate Authority console, right-click on the Certificate Templates and select New > Certificate Template to Issue.

On the Enable Certificate Templates window, select SCCM Web Server Certificate and click OK.

Step 4: Enroll the Web Server Certificate on IIS Servers
This is a very important step, where we log in to the servers running IIS and manually request the web server certificate that we created in the step above. Before you do this, it is recommended that you reboot the servers running IIS.
On the member server running IIS, run the command Certlm.msc to open the Certificates console. In the console, expand Certificates (Local Computer) > Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.

On the Select Certificate Enrollment Policy page, click Next.

On the Request Certificates page, identify the SCCM Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. In the Alternative name section, click the Type drop-down list, and then select DNS. In the Value box, specify the site server FQDN.

On the Certificate Properties window, switch to the General tab and specify the friendly name as SCCM Web Server Certificate or something with which the certificate can be easily identified. Click Apply and OK.

Back to the Request Certificates page, select SCCM Web Server Certificate from the list of displayed certificates, and then click Enroll.

You’ve successfully enrolled the web server certificate on IIS servers. Close the Certificate Enrollment window.

Step 5: Configure IIS to Use the Web Server Certificate
In this step, we will configure IIS to use the web server certificate that we enrolled in the previous step. On the member server that has IIS installed, launch the Internet Information Services (IIS) Manager. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

On the Site Bindings window, select https and click on Edit. In the Edit Site Binding dialog box, click the drop-down for SSL Certificate and select the SCCM web server certificate and click OK.
That’s it. You have now configured IIS to use the web server certificate. You have to repeat this step on every site system server that is running Internet Information Services.
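As an added check that is not part of the original guide, the following PowerShell script, run on the IIS site system, confirms that the enrolled certificate meets the prerequisites listed above (Personal store of the computer, Server Authentication EKU, FQDN in the Subject or DNS SAN, trusted chain) and that the Default Web Site https binding from Step 5 actually references it. It assumes the friendly name "SCCM Web Server Certificate" chosen in Step 4 and, unless overridden, uses the local computer's DNS FQDN.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell
# on the IIS site system; the WebAdministration module needs administrator rights.
param(
    [string]$FriendlyName = 'SCCM Web Server Certificate',   # friendly name set in Step 4
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU required by ConfigMgr

# Prerequisite: the certificate must be in the Personal store of the Computer store.
# If several match (e.g. after a renewal), take the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }

# Prerequisite: Enhanced Key Usage must contain Server Authentication.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

# Prerequisite: Subject Name or Subject Alternative Name must contain the FQDN.
# Step 4 puts the FQDN into a DNS SAN (OID 2.5.29.17); Format() renders it as "DNS Name=..."
# on English systems, so we match on the escaped FQDN in either place.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$escaped = [regex]::Escape($Fqdn)
$nameOk = ($cert.Subject -match $escaped) -or ($sanText -match $escaped)

# Clients must be able to build a trusted chain to the root CA installed earlier.
$chainTrusted = $cert.Verify()

# Step 5: the https binding of Default Web Site should reference this certificate's thumbprint.
Import-Module WebAdministration
$httpsBindings = @(Get-WebBinding -Name 'Default Web Site' -Protocol https)
$boundHashes = @($httpsBindings | ForEach-Object { $_.certificateHash })

[pscustomobject]@{
    Thumbprint       = $cert.Thumbprint
    ExpiresOn        = $cert.NotAfter
    ServerAuthEKU    = $hasServerAuth
    NameMatchesFqdn  = $nameOk
    ChainTrusted     = $chainTrusted
    BoundToHttpsSite = ($boundHashes -contains $cert.Thumbprint)
}
```

Any False in the output points at the prerequisite or step that still needs attention on that server.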

Is there a reason for selecting Windows 2003 Server over other options? Just asking as 2003 *should* be long gone from most environments.
Just wanted to thank you for this writeup. This is all I was missing to make my DP active. Cheers!!
Good afternoon Prajwal
I was wondering what is actually the purpose of using SSL or a certificate on your SCCM server. I want to use SCCM for managing my clients, deploy applications, deploy compliance policy and generate reports. Why would I need a certificate for my SCCM server?
In short using the cert you secure the communication between DP’s and clients using HTTPS.
Hi,
I am experiencing an issue wherein my Management Point cannot connect using HTTPS.
When I look at the logs (mpcontrol.log) I notice that the certificate I produced does not support SSL.
I receive the message – Certificate doesn’t have “SSL Client Authentication” capabilities
I am confident that I followed your tutorial precisely and am wondering if you have encountered this error before?
Thank you
Hi,
Since DPs use IIS do I need to deploy IIS certificate on these DPs?
Thank you for your reply.
Good technet.
How do I renew this certificate?
The other 2 are good till 2021 but the Web Server Certificate was expired.
I did this:
MMC/Certificates (Local Computer)/Personal
right-click on SCCM Web Service Certificate and then All Tasks, Advanced Operations, Renew Cert with same key
Got a new one, changed cert in IIS, run IISreset.
The site is working again BUT
Cannot connect to applicationserver
For the first step “Create a security group named SCCM IIS Servers that contains the member servers to install System Center 2012 Configuration Manager site systems that will run IIS.” How can I add the server to that group if it is in a different domain as the CA?
Thanks for this, we followed the guide through and all is working perfectly. Can you tell us what will happen in two years time when we need to renew the certificate? Will it automatically renew?
Prajwal,
We get all of our certs from an external CA. What steps do you take when you don’t have a CA within your domain? I don’t have an option for Certificate Templates in Server 2016 Certificate management.
Thanks,
Nick
Hello Prajwal & people,
Is the Web Server Certificate required for the Primary site (No MP/DP/SUP role installed on) ???
Your opinion?
Thank you in advance,
Luc
No in that case the cert is not required.
Thank you very much.
Hi Prajwal,
First of all thank you for the help in SCCM.
I have an issue. I’m in the process of adding MAC PCs to SCCM 2012 R2. And while I’m trying to follow your guide I’m stuck at adding “SCCM IIS Servers” to the security tab when trying to
Deploy Web Server Certificate for Site Systems that Run IIS. There is no user group or any OU called as such. What should I do to fix the issue?
Thanks in advance.
Please post the questions in community forums.
Prajwal,
I am also curious about the statement above regarding the “SCCM IIS Servers” group. I am attempting to perform a similar configuration and also do not have the group in my AD or on the stand-alone SCCM server. What is the purpose of this group and does it get automatically created somewhere?
Go back and CAREFULLY read the instructions. One of the first steps is to create the group yourself. If you’re having trouble at that step, perhaps you should think about working in a different field.
Hi Prajwal,
Same issue I encountered. Can you explain what “SCCM IIS Server” is for? Do I need to create a group named “SCCM IIS Server” on my domain controller?
Looking forward for your response,
Thanks and more power.
I do not have the Certificate Template in certsvr.csv does somebody know why
Dude, your blogs are better than technet, systemcenterdudes, & windowsnoob combined. I really appreciate how you literally go step by step leaving nothing left to the avg Sys Admin’s imagination :), onto step 2 for mac enrollment :):):) very happy to have stumbled upon this, may I add you to my linkedin profile? I want to be up to date on your posts, website urls etc. Loyal Follower!!! lol 🙂