This guide covers the steps to create and enroll a web server certificate for IIS site systems in SCCM. A web server certificate is used to encrypt data and authenticate the server to clients. This essential guide is a part of PKI certificate deployment for SCCM.
After installing the root CA for SCCM, the next step is to create a web server certificate and assign it to the site systems that run IIS and support HTTPS client connections.
According to Microsoft, the web server certificate serves two main purposes:
- Authenticate the servers to the client.
- Encrypt all data that’s transferred between the client and these servers with TLS.
After you generate the web server certificate, you can assign this certificate to the following ConfigMgr roles:
- Management point
- Distribution point
- Software update point
Prerequisites
The prerequisites for creating the web server certificate for SCCM are as follows:
- You must log in to the certificate authority server with a root domain administrator account or an enterprise domain administrator account.
- You’ll need a server authentication certificate and the template used will be Web Server.
- The Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1)
- If the site system accepts connections from the internet, the Subject Name or Subject Alternative Name must contain the internet fully qualified domain name (FQDN).
- If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer’s name, depending on how the site system is set up.
- This certificate must be placed in the Personal store in the Computer certificate store.
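The following PowerShell check is an added example, not part of the original article. It inspects the Local Computer Personal store on a site system and reports whether the enrolled certificate meets the prerequisites above (Server Authentication EKU, FQDN in the Subject or SAN, private key present, not expired). The FQDN and the friendly name 'SCCM Web Server Certificate' are assumptions taken from later in the guide; run it elevated on the IIS server.

```powershell
# Added example (not from the original article): verify the SCCM web server certificate
# prerequisites against a certificate in Cert:\LocalMachine\My.
# Assumed: the certificate was given the friendly name used in this guide, and the
# site system's intranet FQDN is passed in as -Fqdn.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

function Test-SccmWebServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [string] $FriendlyName = 'SCCM Web Server Certificate'
    )
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName }
    if (-not $certs) {
        Write-Warning "No certificate with friendly name '$FriendlyName' in LocalMachine\My"
        return $false
    }
    foreach ($cert in $certs) {
        # Server Authentication must be among the Enhanced Key Usages
        $hasServerAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid
        # DnsNameList (added by the certificate provider) covers the Subject CN and DNS SANs
        $names = @($cert.DnsNameList.Unicode)
        $hasName = $names -contains $Fqdn
        # IIS can only terminate TLS with a certificate whose private key is present
        $hasKey = $cert.HasPrivateKey
        $notExpired = $cert.NotAfter -gt (Get-Date)
        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Issuer      = $cert.Issuer
            Names       = ($names -join ', ')
            ServerAuth  = $hasServerAuth
            NameMatches = $hasName
            PrivateKey  = $hasKey
            NotExpired  = $notExpired
        } | Format-List
        if ($hasServerAuth -and $hasName -and $hasKey -and $notExpired) { return $true }
    }
    return $false
}

# Constructed sample FQDN; replace with the site system's own name
Test-SccmWebServerCertificate -Fqdn 'cm01.corp.example.com'
```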
Deploy Web Server Certificate for IIS Site Systems
The entire procedure for creating and assigning a web server certificate for IIS site systems involves many steps. To make it easier to follow, I have split them into separate steps.
Step 1: Create SCCM IIS Servers security group in AD
First and foremost, you’ll need a security group created in Active Directory that contains all the SCCM site system servers that run IIS. This makes it easy to assign the web server certificate to a group of servers.
Creating a security group in ADUC is straightforward. Launch the Active Directory Users and Computers snap-in. Right-click on the domain and select New > Group. Enter the name of the group as “SCCM IIS Servers” and choose the group type as Security and Group Scope as Global. Click OK.

After the security group is created, the next step is to add all the site system servers that run IIS to this group. To do that, right-click the SCCM IIS Servers group and select Properties. Switch to the Members tab and click the Add button and include all the site system servers that run IIS.
In the screenshot below, notice that we’ve added the ConfigMgr server to the group. This computer is a Configuration Manager primary site server running most of the roles. In your environment, there could be multiple IIS servers that need to be part of this group.
Once you have made the changes, click Apply and OK.

Step 2: Create Web Server Certificate Template
To create a web server certificate template, sign in to the domain controller or a member server installed with Certificate Services and launch the Certificate Authority console. In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

Right-click on the Web Server template and select Duplicate Template.

On the New Template properties window, switch to the Compatibility tab. Here, configure the following:
- Certificate Authority: Windows 2003 Server
- Certificate recipient: Windows XP/Server 2003
The compatibility settings determine which operating systems and versions can use the certificate. We have set the compatibility levels to the lowest possible level to ensure that this certificate works with the majority of operating systems. You can change the compatibility settings and select a higher-version operating system, such as Server 2012 R2 or 2016.

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems.
In the below example, the template display name entered is SCCM Web Server Certificate. The certificate generated will be valid for 2 years and the renewal period is configured to 6 weeks. Click Apply to save the changes.

Next, select the Subject Name tab, and make sure that Supply in the request is selected.

In this step, we configure the security permissions for the group. In the Properties of New Template dialog box, select the Security tab.
Remove the Enroll permission from the security groups: Domain Admins and Enterprise Admins. When you do this, both groups will have only Read and Write permissions.

In the Security tab, click on the Add button and add the SCCM IIS Servers security group that we created previously. For this group, allow the Enroll permission and Read permission. Click OK and close the Certificate Templates Console.

Step 3: Issue the SCCM Web Server Certificate
In this step, we will issue the SCCM web server certificate that we created in the above step. Once you complete this step, you can request the certificate on the site system servers running IIS.
In the Certificate Authority console, right-click on the Certificate Templates and select New > Certificate Template to Issue.

On the Enable Certificate Templates window, select SCCM Web Server Certificate and click OK.

Step 4: Enroll the Web Server Certificate on IIS Servers
This is a very important step where we log in to the servers running IIS and manually request the web server certificate that we created in the step above. Before you do this, it is recommended that you reboot the servers running IIS so that they pick up their new group membership.
On the member server running IIS, run the command Certlm.msc to open the Certificates console. In the console, expand Certificates (Local Computer) > Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.

On the Select Certificate Enrollment Policy page, click Next.

On the Request Certificates page, identify the SCCM Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. In the Alternative name section, click the Type drop-down list, and then select DNS. In the Value box, specify the site server FQDN.

On the Certificate Properties window, switch to the General tab and specify the friendly name as SCCM Web Server Certificate or something with which the certificate can be easily identified. Click Apply and OK.

Back on the Request Certificates page, select SCCM Web Server Certificate from the list of displayed certificates, and then click Enroll.

You’ve successfully enrolled the web server certificate on IIS servers. Close the Certificate Enrollment window.

Step 5: Configure IIS to Use the Web Server Certificate
In this step, we will configure IIS to use the web server certificate that we enrolled in the steps above. On the member server that has IIS installed, launch the Internet Information Services (IIS) Manager. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

On the Site Bindings window, select https and click on Edit. In the Edit Site Binding dialog box, click the drop-down for SSL Certificate and select the SCCM web server certificate and click OK.

That’s it. You have now configured IIS to use the web server certificate. You have to repeat this step on every site system server that is running Internet Information Services.
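As an added example (not from the original article), the following script performs Steps 4 and 5 from PowerShell on a site system that runs IIS, which is useful when the same enrollment and binding has to be repeated on several servers. It assumes the template's internal name is 'SCCMWebServerCertificate' (the display name in this guide is 'SCCM Web Server Certificate'; confirm the internal name on the template's General tab) and that the site is 'Default Web Site'.

```powershell
# Added example (not from the original article): enroll the SCCM web server certificate
# and attach it to the https binding of the IIS site. Run elevated on the IIS server,
# after the reboot that makes the server's token include the SCCM IIS Servers group.
# Assumed: template internal name 'SCCMWebServerCertificate', site 'Default Web Site'.
param(
    [string] $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string] $TemplateName = 'SCCMWebServerCertificate',
    [string] $SiteName = 'Default Web Site'
)

Import-Module PKI
Import-Module WebAdministration

# Step 4: request the certificate from the enterprise CA. The FQDN goes into the DNS
# Subject Alternative Name, as done in the Certificate Properties dialog, and the result
# lands in the Local Computer Personal store.
$result = Get-Certificate -Template $TemplateName -DnsName $Fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'"
}

# Re-read the certificate through the store so the friendly name is persisted,
# using the same friendly name the guide assigns in the General tab.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$($result.Certificate.Thumbprint)"
$cert.FriendlyName = 'SCCM Web Server Certificate'

# Step 5: ensure the site has an https binding on 443, then bind the certificate to it.
$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')

# Confirm the SSL binding now points at the freshly enrolled certificate.
Get-ChildItem -Path IIS:\SslBindings |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-Table IPAddress, Port, Thumbprint -AutoSize
```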
