Native Mode Certificates and Double-Byte Character Sets
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
If your Configuration Manager 2007 hierarchy contains computers that are configured with computer names that use double-byte character sets (DBCS) and your sites will be configured for native mode, you might need to take additional configuration steps before these computers can operate in native mode.
Public key infrastructure standards do not currently allow for double-byte character sets, which affects the following computers in a native mode Configuration Manager 2007 site:
Standard distribution points that are not configured as server shares
Software update points
State migration points
The four site systems use Secure Sockets Layer (SSL) and therefore must be configured with a certificate that contains the server name in the subject name or the subject alternative name. This server name must match the server name configured in Configuration Manager 2007. If these site systems in Configuration Manager 2007 are configured with computer names that contain double-byte characters, rename them so that they have computer names using only single-byte characters.
Client certificates for native mode require a unique value in the certificate subject name or the certificate subject alternative name. This unique value does not have to contain the computer name, although this is usual practice and the default value if you are deploying client certificates with a Microsoft Enterprise certification authority, using templates and autoenrollment with Group Policy.
When you have clients that are configured with computer names that consist of double-byte characters, ensure that client certificates do not use double-byte characters for their unique value. If you are using a Microsoft public key infrastructure (PKI) Enterprise certification authority, some possible solutions are as follows:
Rename the computer using a single-byte character set.
Use an alternative option for the automatically generated certificate subject alternative name with a version 2 template if this generates a string using all single-byte characters. Some alternative options include the user principal name (UPN) or e-mail name.
Do not use autoenrollment with templates; instead, use another process, such as submitting a string of single-byte characters when requesting a certificate with the use of templates or the CertReq utility.
If you are using a non-Microsoft PKI solution, consult your PKI documentation for solutions on how to generate client certificates that do not use double-byte character sets.
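One way to find the affected computers and certificates before a site is switched to native mode, as an added example that is not part of the original documentation: the PowerShell below flags computer names, and certificate subject or subject alternative name values in the local computer store, that contain characters outside printable ASCII. It assumes Windows PowerShell 3.0 or later; the printable-ASCII test is a conservative stand-in for "single-byte characters", and the function names and sample inventory are constructed for illustration.

```powershell
# Added example. Printable ASCII (0x20-0x7E) is used as a conservative
# stand-in for "single-byte characters"; adjust if your PKI allows more.
function Test-AsciiOnly {
    param([string]$Value)
    # True when no character falls outside printable ASCII
    return $Value -cnotmatch '[^\x20-\x7E]'
}

function Get-NameAudit {
    param([string[]]$Name)
    foreach ($n in $Name) {
        # Code points of the characters that would have to be replaced
        $bad = $n.ToCharArray() |
            Where-Object { [int]$_ -lt 0x20 -or [int]$_ -gt 0x7E } |
            ForEach-Object { 'U+{0:X4}' -f [int]$_ }
        [pscustomobject]@{
            Name      = $n
            AsciiOnly = Test-AsciiOnly $n
            Offending = $bad -join ' '
        }
    }
}

function Get-CertificateNameAudit {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # 2.5.29.17 is the subject alternative name extension
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            SubjectAscii = Test-AsciiOnly $cert.Subject
            SanAscii     = Test-AsciiOnly $sanText
        }
    }
}

# Constructed sample inventory; the non-ASCII name is built from code points
# so the script file itself stays ASCII.
$tokyo  = -join ([char]0x6771, [char]0x4EAC)
$sample = @('SRV-MP01', 'WKS-0042', "PC-${tokyo}-17")
Get-NameAudit -Name $sample | Format-Table -AutoSize

# Certificates whose subject or subject alternative name needs attention
Get-CertificateNameAudit | Where-Object { -not ($_.SubjectAscii -and $_.SanAscii) }
```

Run the certificate check on each site system and on a sample of clients; an empty result means no subject or subject alternative name value in that store was flagged.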
Concepts: Certificate Requirements for Native Mode
Other Resources: Deploying the PKI Certificates Required for Native Mode