You use the SCMDM2008WebServer and SCMDM2008MobileDevice templates to create certificates for MDM Web sites and devices, respectively, and the SCMDM2008GCM template for the Gateway Central Management (GCM) service. These templates are created when you run AdConfig.exe together with the /createtemplates parameter. During the installation process for each MDM server role, the certificates generate and install automatically. You can also create these certificates and templates manually as detailed in the following section. As soon as they are created, you must issue the MDM certificate templates.

To create a certificate template

1. On the certification authority server, in Administrative Tools, open the Certification Authority console.

2. On the Certification Authority page, in the navigation pane, right-click Certificate Templates, and then select Manage.

3. Create your certificate template by using the information in the section Certificate Templates in MDM (Overview) for SCMDM2008GCM, SCMDM2008WebServer, and SCMDM2008MobileDevice certificate templates.

To issue a certificate template

1. On the certification authority server, in Administrative Tools, open the Certification Authority console.

2. Right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.

3. Select the MDM certificate template and then choose OK.

   Note:
   You must repeat these steps for each MDM certificate template: SCMDM2008GCM, SCMDM2008WebServer, and SCMDM2008MobileDevice.

The SCMDM2008WebServer template will let an administrator create certificates for the following MDM IIS 6.0 Web sites:

MDM Device Management Server

Web site	Virtual Directory in IIS	Subject name
Device Management Server Web site certificate	MobileDeviceManager	MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com
Device Management Server Administration Web site certificate	MobileDeviceManagerAdmin	MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com

MDM Enrollment Server

Web site	Virtual Directory in IIS	Subject name
Enrollment Server External Web site certificate	Enrollment	External enrollment server or load balancer FQDN, for example, mobileenroll.contoso.com
Enrollment Server Administration Web site certificate	EnrollmentAdmin	Internal enrollment server or load balancer FQDN, for example, es.contoso.com

The procedures to create and install the certificates are the same for all Web sites except that each Web site will use a different common name and a different port configuration.

The following procedure provides one way to create a certificate for the MDM Web sites. This procedure does not require the SCMDM2008WebServer template. MDM Setup requires the templates to create and bind the correct certificates to the Enrollment and Device Management Web sites. Setup does this automatically, without requiring administrator intervention. When you perform the steps manually, the standard Web Server template will be used. Alternatively, you can complete this process when you access the online certification authority by going to the Web site, https://[CAServerName]/certsrv, and then select the SCMDM2008WebServer template.

To create and store an IIS certificate for an MDM Web site

1. On MDM Enrollment Server or MDM Device Management Server, on the Start menu, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.

2. On the IIS console, expand the server node, and then expand Web Sites. Right-click the virtual directory for the certificate that you want to install and then select Properties.

   Important:
   Again, reference the previous table that lists the Web sites and virtual directories when you make this selection. The selection is Admin, Enrollment, EnrollmentAdminService, or DM.

3. The site Properties dialog box appears. Choose the Directory Security tab.

4. On the Directory Security tab, choose Server Certificate. The Welcome to the Web Server Certificate Wizard appears. Choose Next.

5. On the Server Certificate page, select Create a new certificate, and then choose Next.

6. Choose Send the request immediately to an online certification authority, and then choose Next.

7. On the Name and Security Settings page, type a name for the certificate, and then choose Next.

8. On the Organization Information page, type your company name and organization.

9. On the Your Site’s Common Name page, type the FQDN of the server or the load balancer.

10. Choose Next.

11. On the Geographical Information page, choose the Country/Region, the State/province, and the City/locality, and then choose Next.

12. On the SSL Port page, in the SSL port this web site should use section, type the SSL port to use for the virtual directory. It is important to choose a unique SSL port for each virtual directory if there is the possibility of interference with another Web service.

13. On the Choose a Certification Authority page, in the Certification authorities section, select the name of the certification authority to use, and then choose Next.

14. In the Certificate Request Submission dialog box, review the information, and then choose Next.

15. When the certificate process is complete, a notification message appears. Choose Finish.

The MDM GCM service resides on MDM Device Management Server and helps make sure that the communication between MDM Device Management Server and MDM Gateway Server is more secure. The procedures to create this certificate differ because this certificate is for a service instead of a Web site. The SCMDM2008GCM template provides this certificate to MDM Device Management Server.

To create and install the GCM certificate

1. On MDM Device Management Server, open Internet Explorer. In the Address bar, type https://[yourCA]/certsrv where yourCA is the name or IP address of the certification authority.

2. Select Request a Certificate, and then select Advanced Certificate Request.

3. Select Create and Submit a Request to this CA.

4. On the Advanced Certificate Request page, in the Certificate Template section, select SCMDM2008GCM from the list.

5. Type the FQDN of the MDM Device Management Server for Name.

6. Select the Store certificate in the local computer certificate store check box.

7. Choose Submit.

8. If the Potential Scripting Violation page appears, choose Yes.

9. On the Certificate Issued page, select Install this certificate. If the Potential Scripting Violation page appears, choose Yes.

10. The Certificate Installed page appears. Confirm the installation and then close Internet Explorer.

The MDM GCM service on MDM Device Management Server must have network permissions on the certificate to use it for more secure communication with MDM Gateway Server. Follow these steps immediately after you complete the previous steps.

To provide network service permissions to the certificate

1. On MDM Device Management Server, open a Command Prompt window.

2. Move to the %SystemDrive%:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory.

3. Type dir /as /od, and then press ENTER. A list of private keys appears in ascending date order with the most recent key appearing last. Copy this string to Notepad for future reference. The format should resemble the following: 9aeda5eb71565f14f9f9560765b3a40d_39f7de58-5ee9-432d-8a6a-92783d7140b1.

   Important:
   You only have to copy the machine key if the MDM GCM certificate was the last certificate created. Alternatively, to find the private key of a certificate, build the sample project at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=103625.

4. In the %SystemDrive%:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory, run the following command:

   cacls “C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\<hash>” /E /G Network:R  

   Note:
   This sample assumes that [C:] is the system drive label for your computer. <hash> is the hash key from Step 3.

5. Close the Command Prompt window.