Manual Certificate Procedures
2/9/2009
Use the following information to help you create System Center Mobile Device Manager certificates manually. This includes the following topics:
- Certificate Templates in MDM (Overview)
- Creating MDM Certificate Templates
- Issuing Certificates by Using the MDM Templates
- Create and Install Certificates from the SCMDMGCM Template
- Updating Certificate Template Object Identifiers (known as OIDs) in the Active Directory service connection points (SCPs)
For best results, all certificates should chain to the same company certification authority root.
Certificate Templates in MDM (Overview)
During MDM installation, Setup creates certificate templates automatically by using the /createtemplates parameter in the Active Directory Configuration Tool (ADConfig). However, if you install certificates manually, you must create the certificate templates.
Important
If your organization chooses to install MDM certificates manually, you should not perform Active Directory certificate configuration by using the /createtemplates and /enabletemplates parameters in ADConfig. If you install certificates manually, you must follow the steps in Step 1c: Granting Certification Authority Permission to Revoke a Device Enrollment (Optional). We strongly recommend that you perform the automated certificate process and not the manual process.
The following tables list the MDM Web sites and services that require secure communication, together with the certificate template that MDM creates for each. When you install certificates manually, you must create your own certificate templates with the same properties.
MDM Device Management Server
MDM Web site/service | MDM certificate template |
---|---|
Administration Web site | SCMDMWebServer (<instance name>) |
Device Management Web site | SCMDMWebServer (<instance name>) |
GCM Service | SCMDMGCM (<instance name>) |
MDM Enrollment Server
MDM Web site | MDM certificate template |
---|---|
Enrollment Web site | SCMDMWebServer (<instance name>) |
Administration Web site | SCMDMWebServer (<instance name>) |
MDM Gateway Server
MDM Web site | MDM certificate template |
---|---|
Gateway Web site | SCMDMWebServer (<instance name>) |
Windows Mobile Device
MDM devices | MDM certificate template |
---|---|
Device authentication | SCMDMMobileDevice (<instance name>) |
The following provides general information about MDM certificate templates.
SCMDMGCM (<Instance Name>) Template
Property | Value |
---|---|
Validity period | Two years |
Renewal period | Six weeks |
Request minimum key size | 1024 for signature and encryption |
Cryptographic service provider | Microsoft DSS and Diffie-Hellman (D-H) SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider |
Subject name | Supply in the request |
Extended key usage (EKU) and application policies | Client authentication, 1.3.6.1.4.1.311.65.1.1 (specific to MDM GCM client authentication) |
Key usage | Digital signature: Enable key exchange only with key encryption |
SCMDMDeviceManagementServers and SCMDMServerAdmins security permission | Enroll |
Authenticated users security permission | Read |
Domain Administrator, enterprise administrator security permission | Full control |
SCMDMWebServer (<Instance Name>) Template
Property | Value |
---|---|
Validity period | Two years |
Renewal period | Six weeks |
Request minimum key size | 1024 for signature and encryption |
Cryptographic service provider | Microsoft D-H SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider |
Subject name | Supply in the request |
EKU and application policies | Server authentication |
Key usage | Digital signature: Enable key exchange only with key encryption |
SCMDMServerAdmins security permission | Enroll |
Authenticated users security permission | Read |
Domain Administrator, enterprise administrator security permission | Full control |
SCMDMMobileDevice (<Instance Name>) Template
Property | Value |
---|---|
Validity period | One year |
Renewal period | Six weeks |
Publish certificate to | Active Directory |
Request minimum key size | 1024 for signature and encryption |
Cryptographic service provider | Microsoft RSA SChannel Cryptographic Provider |
Subject name built from Active Directory | Subject = common name, SAN = DNS name |
EKU and application policies | Client authentication, 1.3.6.1.4.1.311.65.2.1 (specific to MDM device client authentication) |
Key usage | Digital signature: Enable key exchange only with key encryption |
SCMDMEnrolledDevices security permission | Enroll |
Authenticated users security permission | Read |
Domain Administrator, enterprise administrator security permission | Full control |
Creating MDM Certificate Templates
The following procedures are necessary to create the certificates for MDM deployment. This information is specific to MDM certificate templates and Web services that require certificates. Once you complete this section, you must perform the procedures in the section Updating Certificate Template Object Identifiers (OIDs) in the Active Directory service connection points (SCPs) at the end of this topic.
Important
When you manually create MDM certificate templates, you must append the MDM instance name to the template name, with a space between the template name and the parenthesized instance name, for example, SCMDMGCM (NWTRADERS). There are three MDM templates that can be used in MDM 2008 SP1:
- SCMDMWebServer (<instance name>)
- SCMDMMobileDevice (<instance name>)
- SCMDMGCM (<instance name>)
Certificate Templates
You use the SCMDMWebServer (<instance name>) and SCMDMMobileDevice (<instance name>) templates to create certificates for MDM Web sites and devices, respectively, and the SCMDMGCM (<instance name>) template for the Gateway Central Management (GCM) service. These templates are created when you run AdConfig together with the /createtemplates parameter. During the installation process for each MDM server role, the certificates generate and install automatically. You can also create these certificates and templates manually as detailed in the following section. As soon as they are created, you must issue the MDM certificate templates.
Important
You must duplicate the MDM certificate templates from other preexisting templates in the Certification Authority console, as shown in the following:
To create a certificate template
1. On the certification authority server, in Administrative Tools, open the Certification Authority console.
2. On the Certification Authority page, in the navigation pane, right-click Certificate Templates, and then select Manage.
3. Create your certificate template by using the information in the section Certificate Templates in MDM (Overview) for the SCMDMGCM (<instance name>), SCMDMWebServer (<instance name>), and SCMDMMobileDevice (<instance name>) certificate templates.
To issue a certificate template
1. On the certification authority server, in Administrative Tools, open the Certification Authority console.
2. Right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.
3. Select the MDM certificate template, and then choose OK.
Note
You must repeat these steps for each MDM certificate template: SCMDMGCM (<instance name>), SCMDMWebServer (<instance name>), and SCMDMMobileDevice (<instance name>).
Issuing Certificates by Using MDM Templates
During Setup, MDM requests and installs certificates from a certification authority. You can also create these certificates manually. The following components require that you install a certificate for MDM:
- Enrollment Server External Web Site Certificate
- Enrollment Server Administration Web Site Certificate
- Device Management Server Web Site Certificate
- Device Management Server Administration Web Site Certificate
- Device Management Gateway Central Management (GCM) Certificate
- Gateway Server Web Site Certificate
- Mobile Device Certificate
MDM Enrollment Server and MDM Device Management Server Only
The SCMDMWebServer (<instance name>) template lets an administrator create certificates for the following MDM IIS 6.0 Web sites:
MDM Device Management Server
Web site | Virtual Directory in IIS | Subject name |
---|---|---|
Device Management Server Web site certificate | MobileDeviceManager | MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com |
Device Management Server Administration Web site certificate | MobileDeviceManagerAdmin | MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com |
MDM Enrollment Server
Web site | Virtual Directory in IIS | Subject name |
---|---|---|
Enrollment Server External Web site certificate | Enrollment | External enrollment server or load balancer FQDN, for example, mobileenroll.contoso.com |
Enrollment Server Administration Web site certificate | EnrollmentAdmin | Internal enrollment server or load balancer FQDN, for example, es.contoso.com |
Create the IIS Certificate for an MDM Web Site
The procedures to create and install the certificates are the same for all Web sites except that each Web site will use a different common name and a different port configuration.
Important
During MDM Enrollment Server and MDM Device Management Server Setup, the administrator supplies the ports to use for the Enrollment Server Administration Web site and the Device Management Server Administration Web sites. The ports that are used will be required again for the following procedures. Follow these steps to install certificates for MDM Enrollment Server and MDM Device Management Server.
The following procedure provides one way to create a certificate for the MDM Web sites. It does not use the SCMDMWebServer (<instance name>) template: when you perform the steps manually through the IIS wizard, the standard Web Server template is used. (MDM Setup uses the SCMDMWebServer template to create and bind the correct certificates to the Enrollment and Device Management Web sites automatically, without administrator intervention.) Alternatively, you can request the certificate from the online certification authority Web site at https://[CAServerName]/certsrv and select the SCMDMWebServer (<instance name>) template there.
To create and store an IIS certificate for an MDM Web site
1. On MDM Enrollment Server or MDM Device Management Server, on the Start menu, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.
2. In the IIS console, expand the server node, and then expand Web Sites. Right-click the virtual directory for the certificate that you want to install, and then select Properties.
Important
Again, refer to the previous table that lists the Web sites and virtual directories when you make this selection. The selection is Admin, Enrollment, EnrollmentAdminService, or DM.
3. The site Properties dialog box appears. Choose the Directory Security tab.
4. On the Directory Security tab, choose Server Certificate. The Welcome to the Web Server Certificate Wizard page appears. Choose Next.
5. On the Server Certificate page, select Create a new certificate, and then choose Next.
6. Choose Send the request immediately to an online certification authority, and then choose Next.
7. On the Name and Security Settings page, type a name for the certificate, and then choose Next.
8. On the Organization Information page, type your company name and organization.
9. On the Your Site's Common Name page, type the FQDN of the server or the load balancer, and then choose Next.
10. On the Geographical Information page, choose the Country/Region, the State/province, and the City/locality, and then choose Next.
11. On the SSL Port page, in the SSL port this web site should use box, type the SSL port to use for the virtual directory. Choose a unique SSL port for each virtual directory if there is any possibility of interference with another Web service.
12. On the Choose a Certification Authority page, in the Certification authorities section, select the name of the certification authority to use, and then choose Next.
13. In the Certificate Request Submission dialog box, review the information, and then choose Next.
14. When the certificate process is complete, a notification message appears. Choose Finish.
Note
Managed devices and MDM Enrollment Server must share a common root certification authority; they cannot chain to different root certification authorities.
Create and Install Certificates from the SCMDMGCM Template
The MDM GCM service resides on MDM Device Management Server and helps make sure that the communication between MDM Device Management Server and MDM Gateway Server is more secure. The procedures to create this certificate differ because this certificate is for a service instead of a Web site. The SCMDMGCM (<instance name>) template provides this certificate to MDM Device Management Server.
Important
For best results, the same certification authority must issue both the MDM Gateway Server certificate and the MDM GCM certificate. Follow these steps to create the certificate:
To create and install the GCM certificate
1. On MDM Device Management Server, open Internet Explorer. In the Address bar, type https://[yourCAserver]/certsrv, where yourCAserver is the name or IP address of the certification authority.
2. Select Request a Certificate, and then select Advanced Certificate Request.
3. Select Create and Submit a Request to this CA.
4. On the Advanced Certificate Request page, in the Certificate Template section, select SCMDMGCM (<Instance Name>) from the list.
5. For Name, type the FQDN of the MDM Device Management Server.
6. Select the Store certificate in the local computer certificate store check box.
7. Choose Submit.
8. If the Potential Scripting Violation page appears, choose Yes.
9. On the Certificate Issued page, select Install this certificate. If the Potential Scripting Violation page appears, choose Yes.
10. The Certificate Installed page appears. Confirm the installation, and then close Internet Explorer.
Provide Network Service Permissions to the Certificate
The MDM GCM service on MDM Device Management Server must have Network Service read access to the certificate's private key in order to use the certificate for more secure communication with MDM Gateway Server. Follow these steps immediately after you complete the previous steps.
To provide network service permissions to the certificate
1. On MDM Device Management Server, open a Command Prompt window.
2. Change to the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory.
3. Type dir /as /od, and then press ENTER. The private key files are listed in ascending date order, so the most recently created key appears last. Copy the file name of that last entry to Notepad for later use. The name resembles the following: 8aeda5eb81555f14f8f9960745b5a40d_38f7de48-5ee9-452d-8a5a-92789d7110b1.
Important
Taking the last file identifies the GCM private key only if the MDM GCM certificate was the last certificate created on this server. To find the private key file of a specific certificate instead, build the sample project at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=103625.
4. In the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory, run the following command:
cacls "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\<hash>" /E /G "NETWORK SERVICE":R
Note
This sample assumes that [C:] is the system drive for your computer. <hash> is the file name that you copied in Step 3. The /E switch edits the existing ACL instead of replacing it, and "NETWORK SERVICE":R grants the Network Service account read access only, which is all the service needs to use the key.
5. Close the Command Prompt window.
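A more robust way to find the GCM key file than taking the newest entry in MachineKeys, as an added PowerShell example that is not part of the MDM documentation: it selects the certificate by the MDM GCM client-authentication EKU from the template table, reads the certificate's own key container name, and grants NETWORK SERVICE read access only. It assumes PowerShell 2.0 or later on MDM Device Management Server and that the GCM certificate is already in the local computer's Personal store.

```powershell
# Added example (not from the MDM documentation). Assumes PowerShell 2.0+ on
# MDM Device Management Server and that the certificate issued from the
# SCMDMGCM template is already in the local computer's Personal store.
$GcmEku = '1.3.6.1.4.1.311.65.1.1'   # MDM GCM client-authentication EKU (from the template table)

# MachineKeys lives under the common application-data folder on every Windows
# version, so resolve that folder instead of hard-coding the system drive.
$MachineKeys = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                         'Microsoft\Crypto\RSA\MachineKeys'

# Select certificates that have a private key and whose EKU extension carries the GCM OID.
$gcmCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $GcmEku })
}
if (@($gcmCerts).Count -ne 1) {
    throw "Expected exactly one GCM certificate, found $(@($gcmCerts).Count); check the Personal store."
}
$cert = @($gcmCerts)[0]

# The CSP's unique key container name is the file name under MachineKeys. This
# replaces the 'last file in dir /as /od' heuristic, which picks the wrong key
# whenever another certificate was created after the GCM one.
$keyFile = Join-Path $MachineKeys $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }
Write-Host "GCM certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
Write-Host "Private key file: $keyFile"

# Grant NETWORK SERVICE read only, the same right the cacls step grants;
# the existing ACL entries are kept.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting entry so the change can be verified.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```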
Updating Certificate Template Object Identifiers (OIDs) in the Active Directory Service Connection Points (SCPs)
This section shows you how to update the certificate template object identifiers in the Active Directory service connection points (SCPs). You must follow these steps if you are manually provisioning certificates; otherwise, MDM will not allow devices into the system. Furthermore, these procedures are required if you manually change certificate templates outside of running ADConfig, or if you need to add or remove templates to the list of templates.
Note
The following procedures must be completed after the MDM Enrollment Server, the MDM Device Management Server, and the MDM Administrator Tools have been deployed. These components must be installed before you use ADConfig to create the certificate templates, or if you manually create the certificate templates as detailed in this topic.
The following procedures instruct you on how to:
- Obtain a certificate template object identifier.
- Modify an MDM SCP object identifier list.
- Change an existing SCP object identifier value (Option 1)
- Remove an SCP object identifier value (Option 2)
- Add an object identifier value (Option 3)
- Propagate the object identifiers to the MDM Gateway Server.
The procedures marked as optional require you to choose the appropriate action to be performed. During this process, you will need a low-level Active Directory Editor, such as Active Directory Service Interfaces (ADSI). For more information about ADSI, see Adsiedit Overview on the Microsoft TechNet Web site:
https://go.microsoft.com/fwlink/?LinkId=105659
Caution
If you modify Active Directory with a low-level editor such as ADSIEdit, you can cause problems, such as serious system errors, with your Active Directory structure or environment. We cannot guarantee that these errors can be resolved. Modify Active Directory at your own risk.
To obtain a certificate template object identifier
1. On the certification authority server, in Administrative Tools, open the Certification Authority console.
2. On the Certification Authority page, in the navigation pane, right-click Certificate Templates, and then select Manage.
3. Right-click the template that you want, and then choose Properties.
4. On the Extensions tab, select Certificate Template Information.
5. Copy the numeric object identifier from the description box. An object identifier is a series of dot-separated numbers, such as the following: 1.3.6.1.4.1.311.21.8….
To modify an MDM SCP object identifier list
1. Open ADSIEdit.
2. Expand the domain in which you first ran ADConfig.
3. Expand CN=System.
4. Expand CN=SCMDM. The MDM SCPs for all instances in that domain are listed.
5. Right-click the instance for which you want to modify the SCP information, for example, CN=Instance1.
6. Select Properties.
7. In the CN=<Instance Name> Properties dialog box, select Show only attributes that have values.
8. Locate and then select the keywords attribute.
9. Choose Edit to view the current values for the MDM Device Management Server SCP.
Option 1: To change an existing SCP object identifier value
1. In the Multi-valued String Editor dialog box, select the object identifier value that you want to modify, and then choose Remove.
2. Modify the entry, but do not change the gcmoid=, webserveroid=, or deviceoid= keyword names. For example: deviceoid=<object identifier value>.
3. Choose Add. The modified entry appears in the Values list.
4. Choose OK twice to close the editor.
5. Continue with the steps under the procedure To propagate the certificate template object identifiers to the MDM Gateway Server below.
Option 2: To remove an SCP object identifier value
1. In the Multi-valued String Editor dialog box, select the object identifier value that you want to remove, and then choose Remove.
2. Choose OK twice to close the editor.
3. Continue with the steps under the procedure To propagate the certificate template object identifiers to the MDM Gateway Server below.
Option 3: To add an object identifier value
1. In the Multi-valued String Editor dialog box, type one of the following object identifier keywords: gcmoid, deviceoid, or webserveroid.
2. Type an equals sign (=).
3. Type the entire object identifier of the certificate template whose certificates MDM should accept.
Note
The final entry should look something like deviceoid=<object identifier value>.
4. Choose OK twice to close the editor.
5. Continue with the steps under the procedure To propagate the certificate template object identifiers to the MDM Gateway Server below.
To propagate the certificate template object identifiers to the MDM Gateway Server
Before you start, make sure that at least one MDM Device Management Server for this instance is installed and running when you apply the global gateway configuration.
1. On a computer or server that has MDM Console, choose Start, choose All Programs, choose Microsoft System Center Mobile Device Manager, and then choose Mobile Device Manager Shell.
2. In MDM Shell, select the appropriate MDM instance when prompted, or set the instance explicitly by using the following cmdlet:
Set-MDMCurrentInstance <InstanceName>
3. In MDM Shell, type the following cmdlet group, and then press ENTER:
Get-MDMGlobalGatewayConfig | Set-MDMGlobalGatewayConfig
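The three editing options and the propagation step carried out as one added PowerShell script that is not part of the MDM documentation: it reads the instance SCP's keywords attribute through ADSI, replaces or removes the entry for one keyword while leaving every other value untouched, validates the keyword name and OID format before writing, and then runs the propagation cmdlets from this topic. The instance name and OID are placeholders; the script assumes the CN=SCMDM,CN=System container in the domain where ADConfig was first run.

```powershell
# Added example (not from the MDM documentation). Run from the MDM Shell with an
# account that may edit the instance SCP. Instance name and OID are placeholders.
$InstanceName = 'Instance1'       # placeholder: the CN under CN=SCMDM,CN=System
$Keyword      = 'deviceoid'       # gcmoid, webserveroid or deviceoid
$NewOid       = '1.3.6.1.4.1.311.21.8.1.1.1.1.1.1.1.1'  # placeholder template OID
$Remove       = $false            # $true performs Option 2 (remove) instead of change/add

# Accept only the three keyword names the SCP uses and a dotted-numeric OID,
# so a typo cannot silently lock every device out of the system.
$validKeywords = 'gcmoid', 'webserveroid', 'deviceoid'
if ($validKeywords -notcontains $Keyword) { throw "Unknown keyword '$Keyword'" }
if (-not $Remove -and $NewOid -notmatch '^\d+(\.\d+)+$') {
    throw "Not a dotted-numeric OID: '$NewOid'"
}

# Bind to the instance SCP in the domain where ADConfig was first run.
$rootDse = [ADSI]'LDAP://RootDSE'
$scp = [ADSI]"LDAP://CN=$InstanceName,CN=SCMDM,CN=System,$($rootDse.defaultNamingContext)"

# keywords is multi-valued; MDM stores entries as gcmoid=<OID>, webserveroid=<OID>, deviceoid=<OID>.
$current = @($scp.keywords | ForEach-Object { [string]$_ })
$others  = @($current | Where-Object { $_ -notlike "$Keyword=*" })   # keep all unrelated values
$updated = if ($Remove) { $others } else { $others + "$Keyword=$NewOid" }

Write-Host "Before: $($current -join '; ')"
Write-Host "After:  $($updated -join '; ')"

# Replace the whole multi-valued list in one write: ADS_PROPERTY_UPDATE (2),
# or ADS_PROPERTY_CLEAR (1) if nothing would remain.
if ($updated.Count -eq 0) { $scp.PutEx(1, 'keywords', $null) }
else                      { $scp.PutEx(2, 'keywords', [array]$updated) }
$scp.SetInfo()

# Push the change to MDM Gateway Server (cmdlets from this topic); at least one
# Device Management Server for the instance must be running.
Set-MDMCurrentInstance $InstanceName
Get-MDMGlobalGatewayConfig | Set-MDMGlobalGatewayConfig
```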