This guide covers the steps to create and enroll a web server certificate for IIS site systems in SCCM. A web server certificate is used to encrypt data and authenticate the server to clients. This essential guide is a part of PKI certificate deployment for SCCM.

After installing the root CA for SCCM, the next step is to create a web server certificate and assign it to the site systems that run IIS and support HTTPS client connections.

According to Microsoft, the web server certificate serves two main purposes:

  1. Authenticate the servers to the client.
  2. Encrypt all data that’s transferred between the client and these servers with TLS.

After you generate the web server certificate, you can assign this certificate to the following ConfigMgr roles:

  • Management point
  • Distribution point
  • Software update point

Prerequisites

The prerequisites for creating the web server certificate for SCCM are as follows:

  1. You must log in to the certificate authority server with a root domain administrator account or an enterprise domain administrator account.
  2. You’ll need a server authentication certificate and the template used will be Web Server.
  3. The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).
  4. If the site system accepts connections from the internet, the Subject Name or Subject Alternative Name must contain the internet fully qualified domain name (FQDN).
  5. If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer’s name, depending on how the site system is set up.
  6. This certificate must be placed in the Personal store in the Computer certificate store.
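The prerequisites above are properties you can verify on the enrolled certificate rather than take on trust. The following PowerShell script is an added example, not part of the original article: run it on an IIS site system after enrollment and it checks the certificate in the computer's Personal store against each requirement (store location, private key, Server Authentication EKU, FQDN in the Subject or SAN, validity, and a chain check with Test-Certificate). The friendly name and the FQDN are assumptions that you adjust for your environment.

```powershell
# Added example (not from the original article): checks a certificate in the
# computer's Personal store against the prerequisites listed above.
# Assumptions: friendly name "SCCM Web Server Certificate" (assigned during
# enrollment) and the local FQDN; adjust both for your environment.
param(
    [string]$FriendlyName = 'SCCM Web Server Certificate',
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (prerequisite 3)

# Prerequisite 6: the certificate must live in Cert:\LocalMachine\My (Computer > Personal)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }

$results = [ordered]@{}
$results['In Computer Personal store'] = $true
$results['Has private key']            = $cert.HasPrivateKey
$results['EKU Server Authentication']  = @($cert.EnhancedKeyUsageList.ObjectId) -contains $serverAuthOid

# Prerequisites 4/5: the FQDN must appear in the Subject or the Subject Alternative Name
$names = @($cert.DnsNameList.Unicode) + @($cert.GetNameInfo('DnsName', $false))
$results["Name contains $ExpectedFqdn"] = $names -contains $ExpectedFqdn
$results['Not expired']                = $cert.NotAfter -gt (Get-Date)

# The chain must build to a trusted root and pass SSL policy for this host name
$results['Chain valid for SSL'] = [bool](Test-Certificate -Cert $cert -Policy SSL `
    -DNSName $ExpectedFqdn -EKU $serverAuthOid -ErrorAction SilentlyContinue)

$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```

A FAIL on the name check is the most common finding when a site system is reached by a different FQDN than the one supplied in the request; the chain check fails on servers that do not yet trust the root CA you installed earlier.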

Deploy Web Server Certificate for IIS Site Systems

The entire procedure for creating and assigning a web server certificate for IIS site systems involves many steps. To make it easier to follow, I have split them into separate steps.

Step 1: Create SCCM IIS Servers security group in AD

First and foremost, you’ll need a security group created in Active Directory that contains all the SCCM site system servers that run IIS. This makes it easy to assign the web server certificate to a group of servers.

Creating a security group in ADUC is straightforward. Launch the Active Directory Users and Computers snap-in. Right-click on the domain and select New > Group. Enter the name of the group as “SCCM IIS Servers” and choose the group type as Security and Group Scope as Global. Click OK.

Create SCCM IIS Servers security group in AD

After the security group is created, the next step is to add all the site system servers that run IIS to this group. To do that, right-click the SCCM IIS Servers group and select Properties. Switch to the Members tab and click the Add button and include all the site system servers that run IIS.

In the below screenshot, notice that we’ve added the ConfigMgr server to the group. This computer is a Configuration Manager primary site server running most of the roles. In your case, there could be multiple IIS servers that need to be part of this group.

Once you have made the changes, click Apply and OK.

Create SCCM IIS Servers security group in AD
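The same group can be created and populated from PowerShell, which is useful when several site systems must be added or the step has to be repeatable. This script is an added example, not from the original article: it uses the ActiveDirectory module to create the "SCCM IIS Servers" global security group if it is missing and add the IIS site systems to it. The OU path and the computer names are placeholders.

```powershell
# Added example (not from the original article): creates the "SCCM IIS Servers"
# global security group and adds the IIS site system computers to it.
# The OU path and computer names below are placeholders for your environment.
Import-Module ActiveDirectory

$groupName   = 'SCCM IIS Servers'
$groupOuPath = 'OU=Groups,DC=corp,DC=example'        # placeholder OU
$iisServers  = @('CM-PS01', 'CM-MP02', 'CM-DP03')    # placeholder computer names

# Create the group only if it does not already exist (Global scope, Security type, as in Step 1)
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $groupOuPath -PassThru
}

foreach ($name in $iisServers) {
    # -ErrorAction Stop makes a mistyped computer name fail loudly instead of silently skipping it
    $computer = Get-ADComputer -Identity $name -ErrorAction Stop
    Add-ADGroupMember -Identity $group -Members $computer
}

# Verify the membership: only the computers listed here will be able to enroll the template later
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
```

A computer account picks up a new group membership in its Kerberos token only after it obtains a new ticket, which is why the enrollment step later recommends rebooting the IIS servers before requesting the certificate.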

Step 2: Create Web Server Certificate Template

To create a web server certificate template, sign in to the domain controller or the member server that has Certificate Services installed and launch the Certification Authority console. In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

Create Web Server Certificate Template

Right-click on the Web Server template and select Duplicate Template.

Create Web Server Certificate Template

On the New Template properties window, switch to the Compatibility tab and configure the following:

  1. Certification Authority: Windows Server 2003
  2. Certificate recipient: Windows XP / Server 2003

Create Web Server Certificate Template

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems.

In the below example, the template display name entered is SCCM Web Server Certificate. The certificate generated will be valid for 2 years and the renewal period is configured to 6 weeks. Click Apply to save the changes.

Specify Web Server Certificate Template name

Next, select the Subject Name tab, and make sure that Supply in the request is selected.

Web Server Certificate Template Subject Name

In this step, we configure the security permissions for the group. In the Properties of New Template dialog box, select the Security tab.

Remove the Enroll permission from the security groups: Domain Admins and Enterprise Admins. When you do this, both groups will have only Read and Write permissions.

Web Server Certificate Template Security

In the Security tab, click on the Add button and add the SCCM IIS Servers security group that we created previously. For this group, allow the Enroll permission and Read permission. Click OK and close the Certificate Templates Console.

Web Server Certificate Template Security

Step 3: Issue the SCCM Web Server Certificate

In this step, we will issue the SCCM web server certificate that we created in the above step. Once you complete this step, you can request the certificate on the site system servers running IIS.

In the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.

Issue the SCCM Web Server Certificate

On the Enable Certificate Templates window, select SCCM Web Server Certificate and click OK.

Issue the SCCM Web Server Certificate
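Publishing the template on the CA can also be scripted on the CA server with the ADCSAdministration module, which is handy for documenting the change or repeating it on a second issuing CA. This is an added example and not part of the original article. It assumes the template name (the internal name, not the display name shown in the console) is "SCCMWebServerCertificate"; confirm yours with certutil -ADTemplate before running it.

```powershell
# Added example (not from the original article): publishes the duplicated template
# on this CA, equivalent to "New > Certificate Template to Issue" in Step 3.
# Assumption: the template's internal name is "SCCMWebServerCertificate"
# (the display name "SCCM Web Server Certificate" is not what the cmdlets use).
Import-Module ADCSAdministration

$templateName = 'SCCMWebServerCertificate'   # placeholder: check with certutil -ADTemplate

# The template must already exist in Active Directory (created in Step 2) before the CA can issue it
$adTemplates = certutil -ADTemplate | Out-String
if ($adTemplates -notmatch [regex]::Escape($templateName)) {
    throw "Template '$templateName' was not found in Active Directory; create it in Step 2 first"
}

# Add it to the CA's issued templates unless it is already there
if (Get-CATemplate | Where-Object Name -eq $templateName) {
    "Template '$templateName' is already issued by this CA"
} else {
    Add-CATemplate -Name $templateName -Force
    "Template '$templateName' added to the CA's issued templates"
}

# Show the final list so the change can be recorded
Get-CATemplate | Select-Object Name, Oid
```

Only templates in the Get-CATemplate list can be requested from this CA, so this list is also the place to look when a site system reports that the template is not available on the Request Certificates page.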

Step 4: Enroll the Web Server Certificate on IIS Servers

This is a very important step where we log in to the servers running IIS and manually request the web server certificate that we created in the above step. Before you do this, it is recommended that you reboot the servers running IIS so that each computer account picks up its new SCCM IIS Servers group membership.

On the member server running IIS, run the command Certlm.msc to open the Certificates console. In the console, expand Certificates (Local Computer) > Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.

Request the Web Server Certificate on IIS Servers

On the Select Certificate Enrollment Policy page, click Next.

Request the Web Server Certificate on IIS Servers

On the Request Certificates page, identify the SCCM Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.

Enroll SCCM Web Server Certificate

In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. In the Alternative name section, click the Type drop-down list, and then select DNS. In the Value box, specify the site server FQDN.

Enroll SCCM Web Server Certificate

On the Certificate Properties window, switch to the General tab and specify the friendly name as SCCM Web Server Certificate or something with which the certificate can be easily identified. Click Apply and OK.

Enroll SCCM Web Server Certificate

Back on the Request Certificates page, select SCCM Web Server Certificate from the list of displayed certificates, and then click Enroll.

Enroll SCCM Web Server Certificate on IIS Servers

You’ve successfully enrolled the web server certificate on IIS servers. Close the Certificate Enrollment window.

Enroll SCCM Web Server Certificate on IIS Servers

Step 5: Configure IIS to Use the Web Server Certificate

In this step, we will configure IIS to use the web server certificate that we enrolled in the previous step. On the member server that has IIS installed, launch the Internet Information Services (IIS) Manager. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

Configure IIS to Use the Web Server Certificate

On the Site Bindings window, select the https binding and click Edit. In the Edit Site Binding dialog box, open the SSL Certificate drop-down, select the SCCM web server certificate, and click OK.


That’s it. You have now configured IIS to use the web server certificate. Repeat this step on every site system that runs Internet Information Services.

Configure IIS to Use the Web Server Certificate
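Steps 4 and 5 both run on the IIS site system, so they can be combined into one script that is run on each server. The following is an added example, not from the original article: it requests the certificate with Get-Certificate (PKI module), sets the same friendly name used in the console walkthrough, then attaches the certificate to the site's HTTPS binding with the WebAdministration module. The template name "SCCMWebServerCertificate", the site name and port 443 are assumptions for your environment.

```powershell
# Added example (not from the original article): scripts Steps 4 and 5 on an IIS
# site system. Assumptions: template internal name "SCCMWebServerCertificate",
# Default Web Site, port 443, and that the computer is in "SCCM IIS Servers".
Import-Module PKI
Import-Module WebAdministration

$templateName = 'SCCMWebServerCertificate'              # template name, not display name
$friendly     = 'SCCM Web Server Certificate'
$fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$siteName     = 'Default Web Site'
$port         = 443

# Step 4: request the certificate from the enterprise CA. The template uses
# "Supply in the request", so the DNS SAN is given here and the subject is left empty,
# matching the console walkthrough.
$enrollment = Get-Certificate -Template $templateName -DnsName $fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($enrollment.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($enrollment.Status)). " +
          "Is this computer a member of 'SCCM IIS Servers', and was it rebooted afterwards?"
}

# Re-read the certificate from the store so the friendly name is persisted there
$cert = Get-Item "Cert:\LocalMachine\My\$($enrollment.Certificate.Thumbprint)"
$cert.FriendlyName = $friendly

# Step 5: make sure the site has an https binding, then attach the certificate to it
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port $port)) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
}
$sslPath = "IIS:\SslBindings\0.0.0.0!$port"
if (Test-Path $sslPath) { Remove-Item $sslPath }      # replace any previously bound certificate
New-Item -Path $sslPath -Value $cert | Out-Null

# Verify what IIS will now present to clients on this port
Get-Item $sslPath | Select-Object IPAddress, Port, Thumbprint
```

Comparing the thumbprint printed at the end with the one shown in Certlm.msc confirms that the binding points at the newly enrolled certificate rather than an older one that may still be in the store.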



Prajwal Desai

Prajwal Desai is a technology expert and 10 time Dual Microsoft MVP (Most Valuable Professional) with a strong focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, & community leader, known for sharing his expertise & knowledge through his blog, YouTube, conferences, webinars etc.