[Topics referencing Configuration Manager 2007 R2 are pre-release documentation and are subject to change in future releases.]
The following site systems require Web server certificates when a Configuration Manager 2007 site is configured for native mode:
- Management points (default management point, proxy management point, network load balanced management point, and Internet-based management point)
- Standard distribution points (servers and shares) that are configured with the option Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS (required for device clients and Internet-based clients).
- Software update points
- State migration points
Deploying the Web server certificates is a two-step process:
- Install the Web server certificate on the server.
- Configure Internet Information Services (IIS) to use the Web server certificate.
Installing the Web Server Certificate on a Server
There are a number of ways you can install the Web server certificates, including the following methods:
- If you are using a Microsoft public key infrastructure (PKI) with an Enterprise certification authority, you can create the certificates based on the Web server template and assign them to the servers using Group Policy and auto-enrollment.
- If you are using a Microsoft PKI with Web enrollment, you can request a Web server certificate from each server, using the Web enrollment pages.
- You can request the certificate from each server through Internet Information Services (IIS), using the Web Server Certificate Wizard as either an online request or a file request. You launch this wizard from the Web site properties, by clicking the Directory Security tab and then clicking Server Certificate.
- You can request and retrieve the certificate using the Microsoft Certreq command-line utility.
- If you can create the certificate with your certificate management tools, you can export it and import it on each server.
Note: For information about how to specify more than one fully qualified domain name (FQDN) in the certificate Subject Alternative Name field (for example, if the site system supports intranet and Internet client connections, or is a network load balancing site system), see the following article about how to add a subject alternative name to a secure LDAP certificate: http://go.microsoft.com/fwlink/?LinkId=93692.
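The Certreq method and the multiple-FQDN case from the note above, as an added example that is not part of the original documentation: it requests a Web server certificate with two FQDNs in the Subject Alternative Name and checks the result before it is bound in IIS. The FQDNs, the CA configuration string, the file names and the WebServer template name are assumptions, as is a Certreq version from Windows Server 2008 or later (which reads the SAN from the [Extensions] section); run it from an elevated prompt.

```powershell
# Added example; FQDNs, CA config string and file names are constructed placeholders.
$intranetFqdn = 'cm01.corp.example.com'                        # placeholder intranet FQDN
$internetFqdn = 'cm01.example.com'                             # placeholder Internet FQDN
$caConfig     = 'ca01.corp.example.com\Example Issuing CA'     # placeholder "CAHost\CAName"

# Request policy: machine key, non-exportable, Server Authentication EKU,
# both FQDNs in the Subject Alternative Name extension (OID 2.5.29.17).
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$intranetFqdn"
MachineKeySet = TRUE
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$intranetFqdn&"
_continue_ = "dns=$internetFqdn"

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path .\webserver.inf -Value $inf -Encoding ASCII

certreq -new .\webserver.inf .\webserver.req                       # create key pair and PKCS #10 request
certreq -submit -config $caConfig .\webserver.req .\webserver.cer  # send the request to the CA
certreq -accept .\webserver.cer                                    # install the issued certificate

# Confirm the installed certificate carries both names before binding it in IIS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$intranetFqdn" } |
    Sort-Object NotBefore | Select-Object -Last 1
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
foreach ($name in $intranetFqdn, $internetFqdn) {
    if ($san -notmatch [regex]::Escape($name)) { throw "SAN is missing $name" }
}
```

If the certificate template is set to build the subject from Active Directory information, the CA ignores the names supplied in the request and the final check fails.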
Configure IIS to Use the Web Server Certificate on a Server
When you have installed the Web server certificate, you then need to configure Internet Information Services (IIS) so that the Configuration Manager 2007 Web site uses the certificate for authentication and encryption. You can script this installation or use the Internet Information Services (IIS) Manager console.
To configure IIS to use the Web server certificate using the Internet Information Services (IIS) Manager console, edit the properties of the Web site used by Configuration Manager 2007, and select the server certificate to use by clicking Server Certificate on the Directory Security tab. This launches the Web Server Certificate Wizard, which prompts you to select the Web server certificate to use.