
Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode)

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

The Configuration Manager 2007 site server uses the site server signing certificate in native mode to sign policies that are downloaded by clients from the management point. To verify the signature, clients require a copy of this certificate. After clients receive the certificate, it is stored in the client registry and used whenever new policies are sent from the management point.

Note
The site server signing certificate is not stored in the Certificate store on clients; instead, it is stored in a protected area of the registry.

There are three methods to deploy the site server signing certificate to client computers:

  • Automatically through Active Directory Domain Services.

  • Manually when the client is installed.

  • Automatically from the management point.

The recommended solution is to deploy the site server signing certificate to client computers through Active Directory Domain Services, because this method does not require any additional administration and the certificate is stored in a secured location independently from Configuration Manager 2007. However, this method has the following prerequisites:

  • The Active Directory schema is extended for Configuration Manager 2007.

  • The site is published to Active Directory Domain Services.

  • Clients can locate the published site information in Active Directory Domain Services.

    Note
    Clients that cannot read published information include computers from another Active Directory forest, clients from workgroup computers, and clients that are managed from the Internet.

If clients cannot retrieve a copy of the site server signing certificate from Active Directory Domain Services, consider deploying it to these clients with the client setup utility, CCMSetup.exe, using the client.msi parameter SMSSIGNCERT with the path and filename of the exported certificate. The disadvantage of this method is that it requires more administrative overhead, which might need to be repeated if the site server signing certificate changes or is renewed. For more information about CCMSetup options, see About Configuration Manager Client Installation Properties. For procedural information to export the certificate, see How to Export the Site Server Signing Certificate for Configuration Manager Client Installation.
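The following PowerShell script is an added example, not part of the original page or of the Configuration Manager product documentation. It shows the manual method from the paragraph above in practice: before CCMSetup.exe is run with the SMSSIGNCERT property, the exported certificate file is loaded and its thumbprint is compared with the thumbprint the administrator has read from the site server, so that a wrong or tampered copy is never installed into the client registry. The file path, the expected thumbprint, the CCMSetup.exe location and the management point name are placeholders to be replaced with site-specific values.

```powershell
# Added example (not from the original page): verify an exported site server
# signing certificate, then pass it to CCMSetup.exe through SMSSIGNCERT.
param(
    # Placeholder: path to the certificate exported from the site server.
    [string]$CertPath = 'C:\Deploy\SiteServerSigning.cer',
    # Placeholder: thumbprint read from the site server's own certificate.
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-SITE-SERVER>',
    # Placeholder: location of CCMSetup.exe for this site.
    [string]$CcmSetup = '\\<siteserver>\SMS_<sitecode>\Client\ccmsetup.exe',
    # Placeholder: management point the client should use.
    [string]$ManagementPoint = '<mp.intranet.example>'
)

if (-not (Test-Path -Path $CertPath)) {
    throw "Certificate file not found: $CertPath"
}

# Load the exported certificate (DER or Base64 .cer) without installing it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Refuse to deploy an expired certificate; it would fail policy verification anyway.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); export the renewed certificate first."
}

# The thumbprint check is what ties this file to the real site server certificate.
$normalized = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
if ($cert.Thumbprint.ToUpperInvariant() -ne $normalized) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $normalized."
}

Write-Host "Verified site server signing certificate: $($cert.Subject)"

# Hand the verified file to the client installer. SMSSIGNCERT is the client.msi
# property named on the page; /mp selects the management point for setup.
$arguments = "/mp:$ManagementPoint SMSSIGNCERT=`"$CertPath`""
$process = Start-Process -FilePath $CcmSetup -ArgumentList $arguments -Wait -PassThru
if ($process.ExitCode -ne 0) {
    throw "CCMSetup.exe returned exit code $($process.ExitCode)."
}
```

The thumbprint has to come from the site server itself (for example by viewing the certificate on the site server) rather than from the exported file, otherwise the comparison proves nothing. Because the page notes that the certificate is stored in a protected registry area and not in the client certificate store, the script deliberately does not import the file into any store; it only reads it to validate it.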

If a copy of the site server signing certificate is not already installed on Configuration Manager 2007 clients when they connect to their management point and they cannot locate it from Active Directory Domain Services, the management point will automatically download it so that clients can verify the signed policies.

Of the three solutions, automatically deploying it with the management point is the least secure solution and should not be used if you have any doubts about the security of your management point. For example, a management point that resides in a perimeter network to accept connections from the Internet for Internet-based client management is considered less secure than a management point within your intranet that accepts only connections from intranet clients. However, automatically deploying a copy of the site server signing certificate through the management point might be an appropriate solution if the management point accepts only connections from intranet clients and you do not want the administrative overhead of manual deployment.

Choose the deployment method that best meets your business requirements. To help you determine how to deploy a copy of the site server signing certificate to clients, use the following guidelines.

Use Active Directory Domain Services to automatically deploy a copy of the site server signing certificate when all of the following conditions apply:

  • Active Directory Domain Services is extended with Configuration Manager 2007 schema extensions, and the site is published to Active Directory Domain Services.

  • Clients can read the published site information, which excludes clients from untrusted domains, clients from workgroups, and clients on the Internet.

Manually deploy a copy of the site server signing certificate if any of the following conditions apply:

  • You cannot use Active Directory Domain Services to deploy a copy of the site server signing certificate.

  • Clients connect to a management point that is configured for Internet-based client management.

  • The security risk of automatically installing a copy of the site server signing certificate from the management point outweighs the additional administrative overhead of manual deployment.

Automatically deploy a copy of the site server signing certificate using the management point if all of the following conditions apply:

  • You cannot use Active Directory Domain Services to deploy a copy of the site server signing certificate.

  • The management point is secured within your intranet and is not configured for Internet-based client management.

  • The administrative overhead of manual deployment outweighs the security risk of automatically installing a copy of the site server signing certificate from the management point.

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.