
How to Export Certificates For Use With Operating System Deployment

Updated: August 1, 2013

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

When the Configuration Manager 2007 site is operating in native mode, operating system deployments that require communication with the management point must be configured to use a public key infrastructure (PKI) certificate. For more information about the certificate requirements for operating system deployment, see About Native Mode Certificates and Operating System Deployment.

To configure the operating system deployments with the required certificate, import a Public-Key Cryptography Standards #12 (PKCS #12) file, which bundles the certificate with its private key. The creation of this file is external to Configuration Manager 2007; however, you can use the following procedures to create this file.

Before following these procedures, the certificate must already be deployed to a computer. The certificate requirements are as follows:

  • Intended use (the Enhanced Key Usage extension) must include Client Authentication

  • The private key must be allowed to be exported

For more information about how to deploy computer certificates for Configuration Manager native mode communication, see Deploying the Client Computer Certificates to Clients and the Management Point.

Important
The computer certificate required for operating system deployments is not the same computer certificate that will be required for Configuration Manager 2007 clients in a native mode site.

Considerations for creating and deploying the certificate for operating system deployments:

  • If you are using a Microsoft PKI solution, and using an Enterprise Edition of Windows Server 2003 Certificate Services with templates for auto enrollment, you can use either the Computer template or the Workstation Authentication template. However, you must modify the template (duplicate it, and modify the copy) so that the option Allow private key to be exported is enabled on the Request Handling tab of the certificate template.

  • Unlike most computer certificates, this certificate is not restricted to or owned by a specific computer, but is shared temporarily by all computers that are targeted with operating system deployments in the native mode site. Because of this behavior, consider creating the certificate with a unique attribute for identification (such as custom Subject Name or Subject Alternative Name), and use it only for operating system deployments. Should the certificate ever become compromised, it can then be easily identified and revoked without affecting other computers.

  • Consider having a longer than usual validity period to reduce the administrative overhead of reconfiguring operating system deployments in line with the certificate expiry date. Because this certificate's private key is shared by every computer that is targeted, a longer validity period also lengthens the time a compromised key could be misused, so record where the PFX file is stored and rely on revocation (see the previous consideration) if it is ever exposed.

When the certificate is deployed to a computer, you can then use the following procedures to export the certificate so that you can use it with operating system deployments. If you are using a PXE service point, import the exported certificate as part of the database configuration properties. If you are creating boot media, import the exported certificate on the Security page of the Task Sequence Media wizard.

To export a certificate for use with operating system deployment - from a computer running Windows 7 or Windows Vista

  1. On the Windows 7 or Windows Vista computer that has the certificate installed, log in as a local administrator, click Start, type mmc into the Search box, and then press ENTER.

  2. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, select Certificates, and then click Add.

  4. On the Certificates snap-in page, select Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

  6. To close the Add/Remove Snap-in dialog box, click OK.

  7. In the console, double-click Certificates (Local Computer).

  8. In the console, expand Personal.

  9. Locate the certificate to use with operating system deployments.

  10. Right-click the certificate you require, click All Tasks, and then click Export to start the Certificate Export Wizard.

  11. On the Certificate Export Wizard Welcome page, click Next.

  12. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note
    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. Request a new certificate from a template on which Allow private key to be exported is enabled, and then repeat this procedure.

  13. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected.

    Note
    Optionally, select Delete the private key if the export is successful, which ensures that the certificate cannot be used on the computer after you have exported it. This will help to ensure that the certificate is used only for operating system deployments. Alternatively, you can manually delete the certificate on the computer after the export procedure is complete.

  14. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  15. On the File to Export page, specify the name of the file that you want to export, and then click Next.

  16. To close the wizard, click Finish in the Certificate Export Wizard dialog box.

  17. Store the file securely and ensure that you can access it from the Configuration Manager console.

To export a certificate for use with operating system deployment - from a computer running Windows XP Professional, or Windows Server 2003

  1. On the Windows XP Professional or Windows Server 2003 computer that has the certificate installed, click Start, click Run, type MMC in the Run dialog box, and then click OK.

  2. In the empty console, click File, and then click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, click Add.

  4. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

  5. In the Certificates snap-in dialog box, click Computer account, and then click Next.

  6. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

  7. In the Add Standalone Snap-in dialog box, click Close.

  8. In the Add/Remove Snap-in dialog box, click OK.

  9. In the console, expand Certificates (Local Computer).

  10. Expand Personal, and then click Certificates.

  11. In the results pane, locate the certificate that you need for operating system deployments.

  12. Right-click the certificate that you require, click All Tasks, and then click Export.

  13. In the Certificate Export Wizard, click Next.

  14. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note
    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. Request a new certificate from a template on which Allow private key to be exported is enabled, and then repeat this procedure.

  15. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected.

    Note
    Optionally, select Delete the private key if the export is successful, which ensures that the certificate cannot be used on the computer after you have exported it. This will help to ensure that the certificate is used only for operating system deployments. Alternatively, you can manually delete the certificate on the computer after the export procedure is complete.

  16. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  17. On the File to Export page, specify the name of the file you want to export and click Next.

  18. On the Completing the Certificate Export Wizard page, click Finish, and then click OK in the message that confirms the export was successful.

  19. Store the file securely and ensure that you can access it from the Configuration Manager console.
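The following script is an added example and is not part of the original page or of Configuration Manager 2007. It performs the same work as the Certificate Export Wizard steps in the two procedures above, for Windows 7/Vista and for Windows XP/Server 2003, and adds the checks a practitioner wants before handing the file to a PXE service point or boot media: it finds the certificate in the local computer's Personal store by thumbprint, confirms the two requirements the page lists (Client Authentication intended use and an exportable private key), writes a password-protected PKCS #12 (.pfx) file, and reads the file back to confirm the private key survived the export. It uses only the .NET 2.0 System.Security.Cryptography.X509Certificates classes, so it runs under PowerShell 2.0 on those operating systems. The thumbprint, the output path C:\OSD\ConfigMgrOSD.pfx and the -DeletePrivateKey switch are assumptions introduced for the example; the key is assumed to come from a Windows Server 2003 template (a CSP key, not a CNG key).

```powershell
# Added example, not part of the original page: scripted equivalent of the
# Certificate Export Wizard procedure for the operating system deployment
# certificate. Run from an elevated PowerShell 2.0 (or later) prompt on the
# computer that holds the certificate.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                             # copy from the certificate's Details tab (assumed input)
    [string]$OutFile = 'C:\OSD\ConfigMgrOSD.pfx',    # assumed location; keep it on an ACL-protected volume
    [switch]$DeletePrivateKey                        # mirrors "Delete the private key if the export is successful"
)

$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'                # id-kp-clientAuth, the intended use the page requires

$store = New-Object -TypeName "$x509.X509Store" -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')                            # ReadWrite so -DeletePrivateKey can remove the certificate
try {
    # Thumbprints pasted from the MMC usually contain spaces; normalise before matching.
    $tp = $Thumbprint.Replace(' ', '').ToUpperInvariant()
    $found = $store.Certificates.Find('FindByThumbprint', $tp, $false)
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate with thumbprint $tp in LocalMachine\My, found $($found.Count)."
    }
    $cert = $found[0]

    # Requirement 1: intended use must include Client Authentication.
    # A certificate with no EKU extension is valid for all purposes (shown as <All> in the MMC).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })) {
        throw 'Certificate does not include Client Authentication in its Enhanced Key Usage.'
    }

    # Requirement 2: a private key must be present and marked exportable.
    if (-not $cert.HasPrivateKey) {
        throw 'No private key is associated with this certificate in LocalMachine\My.'
    }
    # CSP keys (Windows Server 2003 templates) expose the exportable flag directly;
    # for any other key type the Export call below is the authoritative check.
    try { $rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider] } catch { $rsa = $null }
    if ($rsa -and -not $rsa.CspKeyContainerInfo.Exportable) {
        throw 'Private key is not exportable. Re-issue from a template with "Allow private key to be exported" enabled.'
    }

    if ($cert.NotAfter -lt (Get-Date).AddDays(90)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); PXE and boot media settings will need reconfiguring then."
    }

    # Export to PKCS #12 protected by a password the operator types (never hard-code it).
    $password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
    $pfxBytes = $cert.Export('Pfx', $password)
    [System.IO.File]::WriteAllBytes($OutFile, $pfxBytes)

    # Verify the file before it leaves this computer: it must load with the same
    # thumbprint and still carry the private key.
    $check = New-Object -TypeName "$x509.X509Certificate2" -ArgumentList $OutFile, $password
    $roundTripOk = ($check.Thumbprint -eq $cert.Thumbprint) -and $check.HasPrivateKey
    $check.Reset()                                  # release the temporary key container created by the load
    if (-not $roundTripOk) {
        Remove-Item -Path $OutFile
        throw 'Exported file did not round-trip with its private key; it has been deleted.'
    }
    Write-Host "Exported $($cert.Subject) (expires $($cert.NotAfter)) to $OutFile"

    if ($DeletePrivateKey) {
        # Same effect as the wizard option: the shared OSD key no longer exists on this computer.
        $store.Remove($cert)
        if ($rsa) { $rsa.PersistKeyInCsp = $false; $rsa.Clear() }   # deletes the CSP key container
        Write-Host 'Certificate and private key removed from the local store.'
    }
}
finally {
    $store.Close()
}
```

Run it as `.\Export-OsdCert.ps1 -Thumbprint '<thumbprint>' -DeletePrivateKey` (the script name is an assumption). The round-trip check matters because a PFX that loads but reports HasPrivateKey as false will be accepted by the file picker in the console yet fail when the PXE service point or boot media tries to authenticate to the management point. The password prompt uses a SecureString so that the PFX password is not left in the shell history, and the script stops on the first failed requirement rather than producing a file that will only be rejected later.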

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.