PKI Certificate Requirements for Configuration Manager

 

Updated: February 23, 2017

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

The public key infrastructure (PKI) certificates that you might require for System Center 2012 Configuration Manager are listed in the following tables. This information assumes basic knowledge of PKI certificates. For step-by-step guidance for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority. For more information about Active Directory Certificate Services, see the following documentation:

Important

System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager support SHA-2 certificates, and the use of SHA-2 certificates brings an important security advantage. Therefore, we recommend:

  • That you issue new server and client authentication certificates signed with SHA-2 (which includes SHA-256 and SHA-512, among others).

  • That any Internet-facing services use a SHA-2 certificate. For example, if you purchase a public certificate for use with a cloud management gateway, make sure that you purchase a SHA-2 certificate.

In most cases the change to SHA-2 certificates has no impact on operations. For more information, see Windows Enforcement of SHA1 certificates.

With the exception of the client certificates that Configuration Manager enrolls on mobile devices and Mac computers, the certificates that Microsoft Intune automatically creates for managing mobile devices, and the certificates that Configuration Manager installs on AMT-based computers, you can use any PKI to create, deploy, and manage the following certificates. However, when you use Active Directory Certificate Services and certificate templates, this Microsoft PKI solution can ease the management of the certificates. Use the Microsoft certificate template to use column in the following tables to identify the certificate template that most closely matches the certificate requirements. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or Datacenter Edition of the server operating system, such as Windows Server 2008 Enterprise and Windows Server 2008 Datacenter.

Important

When you use an enterprise certification authority and certificate templates, do not use the version 3 templates. These certificate templates create certificates that are incompatible with Configuration Manager. Instead, use version 2 templates by using the following instructions:

  • For a CA on Windows Server 2012: On the Compatibility tab of the certificate template properties, specify Windows Server 2003 for the Certification Authority option, and Windows XP / Server 2003 for the Certificate recipient option.

  • For a CA on Windows Server 2008: When you duplicate a certificate template, keep the default selection of Windows Server 2003 Enterprise when you are prompted by the Duplicate Template popup dialog box. Do not select Windows Server 2008, Enterprise Edition.

Use the following sections to view the certificate requirements.

PKI Certificates for Servers

Each entry in this table lists the Configuration Manager component, the certificate purpose, the Microsoft certificate template to use, the specific information in the certificate, and how the certificate is used in Configuration Manager.

Configuration Manager component: Site systems that run Internet Information Services (IIS) and that are configured for HTTPS client connections:

  • Management point

  • Distribution point

  • Software update point

  • State migration point

  • Enrollment point

  • Enrollment proxy point

  • Application Catalog web service point

  • Application Catalog website point

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server

Specific information in the certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).

If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's name, depending on how the site system is configured.

If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer name) must be specified by using the ampersand (&) symbol delimiter between the two names.

Important

When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.

The SHA-2 hash algorithm is supported.

Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size-related issues for this certificate.

This certificate must reside in the Personal store in the Computer certificate store.

How the certificate is used in Configuration Manager:

This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

Configuration Manager component: Cloud-based distribution point

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server

Specific information in the certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain a customer-defined service name and domain name in an FQDN format as the Common Name for the specific instance of the cloud-based distribution point.

The private key must be exportable.

The SHA-2 hash algorithm is supported.

Supported key lengths: 2048 bits.

How the certificate is used in Configuration Manager:

For System Center 2012 Configuration Manager SP1 and later:

This service certificate is used to authenticate the cloud-based distribution point service to Configuration Manager clients and to encrypt all data transferred between them by using Secure Sockets Layer (SSL).

This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported when you create a cloud-based distribution point.

Note

This certificate is used in conjunction with the Windows Azure management certificate. For more information about this certificate, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform section of the MSDN Library.

Configuration Manager component: Network Load Balancing (NLB) cluster for a software update point

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server

Specific information in the certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

  1. The FQDN of the NLB cluster in the Subject Name field, or Subject Alternative Name field:

    • For network load balancing servers that support Internet-based client management, use the Internet NLB FQDN.

    • For network load balancing servers that support intranet clients, use the intranet NLB FQDN.

  2. The computer name of the site system in the NLB cluster in the Subject Name field or Subject Alternative Name field. This server name must be specified after the NLB cluster name and the ampersand (&) symbol delimiter:

    • For site systems on the intranet, use the intranet FQDN if one is specified for the site system (recommended), or otherwise the computer NetBIOS name.

    • For site systems supporting Internet-based client management, use the Internet FQDN.

The SHA-2 hash algorithm is supported.

How the certificate is used in Configuration Manager:

For System Center 2012 Configuration Manager with no service pack:

This certificate is used to authenticate the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers by using SSL.

Note

This certificate is applicable to Configuration Manager with no service pack only, because beginning with System Center 2012 Configuration Manager SP1, NLB software update points are not supported.

Configuration Manager component: Site system servers that run Microsoft SQL Server

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server

Specific information in the certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain the intranet fully qualified domain name (FQDN).

The SHA-2 hash algorithm is supported.

Maximum supported key length is 2048 bits.

This certificate must reside in the Personal store in the Computer certificate store, and Configuration Manager automatically copies it to the Trusted People store for servers in the Configuration Manager hierarchy that might have to establish trust with the server.

How the certificate is used in Configuration Manager:

These certificates are used for server-to-server authentication.

Configuration Manager component: SQL Server cluster: Site system servers that run Microsoft SQL Server

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server

Specific information in the certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain the intranet fully qualified domain name (FQDN) of the cluster.

The private key must be exportable.

The certificate must have a validity period of at least two years when you configure Configuration Manager to use the SQL Server cluster.

The SHA-2 hash algorithm is supported.

Maximum supported key length is 2048 bits.

After you have requested and installed this certificate on one node in the cluster, export the certificate and import it to each additional node in the SQL Server cluster.

This certificate must reside in the Personal store in the Computer certificate store, and Configuration Manager automatically copies it to the Trusted People store for servers in the Configuration Manager hierarchy that might have to establish trust with the server.

How the certificate is used in Configuration Manager:

These certificates are used for server-to-server authentication.

Configuration Manager component: Site system monitoring for the following site system roles:

  • Management point

  • State migration point

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.

Note

If you are using multiple values for the Subject Alternative Name, only the first value is used.

The SHA-2 hash algorithm is supported.

Maximum supported key length is 2048 bits.

How the certificate is used in Configuration Manager:

This certificate is required on the listed site system servers, even if the System Center 2012 Configuration Manager client is not installed, so that the health of these site system roles can be monitored and reported to the site.

The certificate for these site systems must reside in the Personal store of the Computer certificate store.

Configuration Manager component: Servers running the Configuration Manager Policy Module with the Network Device Enrollment Service role service

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN), and you can use the same certificate for multiple servers running the Network Device Enrollment Service.

The SHA-2 and SHA-3 hash algorithms are supported.

Supported key lengths: 1024 bits and 2048 bits.

How the certificate is used in Configuration Manager:

This information applies only to System Center 2012 R2 Configuration Manager.

This certificate authenticates the Configuration Manager Policy Module to the certificate registration point site system server so that Configuration Manager can enroll certificates for users and devices.

Configuration Manager component: Site systems that have a distribution point installed

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points. However, we recommend a different certificate for each distribution point.

The private key must be exportable.

The SHA-2 hash algorithm is supported.

Maximum supported key length is 2048 bits.

How the certificate is used in Configuration Manager:

This certificate has two purposes:

  • It authenticates the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.

  • When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot, so that if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information, the client computers can connect to an HTTPS-enabled management point during the deployment of the operating system.

    This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.

This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the distribution point properties.

Note

The requirements for this certificate are the same as the client certificate for boot images for deploying operating systems. Because the requirements are the same, you can use the same certificate file.

Configuration Manager component: Out of band service point

Certificate purpose: AMT Provisioning

Microsoft certificate template to use: Web Server (modified)

Specific information in the certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3.

The subject name field must contain the FQDN of the server that is hosting the out of band service point.

Note

If you request an AMT provisioning certificate from an external CA instead of from your own internal CA, and it does not support the AMT provisioning object identifier of 2.16.840.1.113741.1.2.3, you can alternatively specify the following text string as an organizational unit (OU) attribute in the certificate subject name: Intel(R) Client Setup Certificate. This exact text string in English must be used, in the same case, without a trailing period, and in addition to the FQDN of the server that is hosting the out of band service point.

SHA-1 is the only supported hash algorithm.

Supported key lengths: 1024 and 2048. For AMT 6.0 and later versions, the key length of 4096 bits is also supported.

This certificate resides in the Personal store in the Computer certificate store of the out of band service point site system server.

How the certificate is used in Configuration Manager:

This AMT provisioning certificate is used to prepare computers for out of band management.

You must request this certificate from a CA that supplies AMT provisioning certificates, and the BIOS extension for the Intel AMT-based computers must be configured to use the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate.

VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA.

Install the certificate on the server that hosts the out of band service point, which must be able to chain successfully to the certificate's root CA. (By default, the root CA certificate and intermediate CA certificate for VeriSign are installed when Windows installs.)

Configuration Manager component: Site system server that runs the Microsoft Intune connector

Certificate purpose: Client authentication

Microsoft certificate template to use: Not applicable: Intune automatically creates this certificate.

Specific information in the certificate:

Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2).

Three custom extensions uniquely identify the customer's Intune subscription.

The key size is 2048 bits and uses the SHA-1 hash algorithm.

Note

You cannot change these settings: This information is provided for informational purposes only.

How the certificate is used in Configuration Manager:

This certificate is automatically requested and installed to the Configuration Manager database when you subscribe to Microsoft Intune. When you install the Microsoft Intune connector, this certificate is then installed on the site system server that runs the Microsoft Intune connector. It is installed into the Computer certificate store.

This certificate is used to authenticate the Configuration Manager hierarchy to Microsoft Intune by using the Microsoft Intune connector. All data that is transferred between them uses Secure Sockets Layer (SSL).

Proxy Web Servers for Internet-Based Client Management

If the site supports Internet-based client management, and you are using a proxy web server by using SSL termination (bridging) for incoming Internet connections, the proxy web server has the certificate requirements listed in the following table.

Note

If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server.

Each entry in this table lists the network infrastructure component, the certificate purpose, the Microsoft certificate template to use, the specific information in the certificate, and how the certificate is used in Configuration Manager.

Network infrastructure component: Proxy web server accepting client connections over the Internet

Certificate purpose: Server authentication and client authentication

Microsoft certificate template to use:

  1. Web Server

  2. Workstation Authentication

Specific information in the certificate:

Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only).

The SHA-2 hash algorithm is supported.

How the certificate is used in Configuration Manager:

This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server by using SSL:

  • Internet-based management point

  • Internet-based distribution point

  • Internet-based software update point

The client authentication is used to bridge client connections between the System Center 2012 Configuration Manager clients and the Internet-based site systems.

PKI Certificates for Clients

Each entry in this table lists the Configuration Manager component, the certificate purpose, the Microsoft certificate template to use, the specific information in the certificate, and how the certificate is used in Configuration Manager.

Configuration Manager component: Windows client computers

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.

Note

If you are using multiple values for the Subject Alternative Name, only the first value is used.

The SHA-2 hash algorithm is supported.

Maximum supported key length is 2048 bits.

How the certificate is used in Configuration Manager:

By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.

With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.
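The requirements in the Web Server entry for IIS site systems (Server Authentication EKU 1.3.6.1.5.5.7.3.1, Internet and intranet FQDN in the Subject or SAN, joined with the ampersand delimiter, SHA-2) and in this Windows client entry (Client Authentication EKU 1.3.6.1.5.5.7.3.2, a unique Subject or SAN value of which only the first SAN value is used, 2048-bit maximum) can be checked against the Computer Personal store before the site system or client is switched to HTTPS. The following PowerShell function is an added example and not part of the Configuration Manager documentation; the function name Test-CMCertificate, its parameter names and the host names in the usage lines are assumptions, while the OIDs are those listed in the tables.

```powershell
# Added example, not from the Configuration Manager documentation. The function name, the parameter
# names and the host names in the usage lines are assumptions; the OIDs are the ones in the tables.
function Test-CMCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # 1.3.6.1.5.5.7.3.1 = Server Authentication (Web Server entries)
        # 1.3.6.1.5.5.7.3.2 = Client Authentication (Workstation Authentication entries)
        [Parameter(Mandatory)]
        [ValidateSet('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')]
        [string]$RequiredEku,

        # FQDNs that must appear in the Subject CN or the SAN. Leave empty for client
        # certificates, where the requirement is only that a unique name is present.
        [string[]]$ExpectedNames = @(),

        [int]$MaxKeyLength = 2048
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Enhanced Key Usage (extension OID 2.5.29.37) must contain the required purpose.
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $RequiredEku) { $findings.Add("EKU does not contain $RequiredEku") }

    # Names: Subject CN plus SAN DNS entries. Configuration Manager joins the Internet and intranet
    # names in one value with '&' (mp01.contoso.com&mp01.internal.contoso.com), so split on it.
    $subjectNames = @()
    if ($Certificate.Subject -match 'CN=([^,]+)') { $subjectNames = @($Matches[1] -split '&') }
    $sanNames = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,]+)') |
            ForEach-Object { $_.Groups[1].Value -split '&' })
    }
    $allNames = @(($subjectNames + $sanNames) | ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } | Select-Object -Unique)
    if ($allNames.Count -eq 0) { $findings.Add('No Subject CN or SAN DNS name present') }
    foreach ($expected in $ExpectedNames) {
        if ($allNames -notcontains $expected.ToLowerInvariant()) {
            $findings.Add("Expected name '$expected' is not in the Subject or SAN")
        }
    }

    # Hash algorithm: these entries support SHA-2, so SHA-1 (or MD5) is reported as a finding.
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sigAlg -notmatch '^sha(256|384|512)') { $findings.Add("Signature algorithm $sigAlg is not SHA-2") }

    # Key length: the entries list 2048 bits as the maximum or supported size.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $keySize = if ($rsa) { $rsa.KeySize } else { $Certificate.PublicKey.Key.KeySize }
    if ($keySize -gt $MaxKeyLength) { $findings.Add("Key length $keySize exceeds $MaxKeyLength bits") }

    if (-not $Certificate.HasPrivateKey) { $findings.Add('Certificate has no associated private key') }

    # For client certificates with several SAN values, Configuration Manager uses only the first one.
    $firstSan = if ($sanNames.Count -gt 0) { $sanNames[0].Trim() } else { $null }

    [pscustomobject]@{
        Thumbprint         = $Certificate.Thumbprint
        Names              = $allNames
        FirstSanName       = $firstSan
        SignatureAlgorithm = $sigAlg
        KeyLength          = $keySize
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
    }
}

# Usage (assumed host names): the web server certificate of a management point that serves both
# the intranet and the Internet, then every certificate in the store checked as a client certificate.
$mpCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=mp01*' } |
    Select-Object -First 1
Test-CMCertificate -Certificate $mpCert -RequiredEku '1.3.6.1.5.5.7.3.1' `
    -ExpectedNames 'mp01.internal.contoso.com', 'mp01.contoso.com'

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CMCertificate -Certificate $_ -RequiredEku '1.3.6.1.5.5.7.3.2' } |
    Where-Object { -not $_.Compliant } | Format-List
```

The SAN text comes from the extension's Format output, so the 'DNS Name=' pattern assumes an English locale; private key exportability is not checked here because the property differs between CSP and CNG keys.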

Configuration Manager component: Mobile device clients

Certificate purpose: Client authentication

Microsoft certificate template to use: Authenticated Session

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

SHA-1 is the only supported hash algorithm.

Maximum supported key length is 2048 bits.

Important

These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format.

Base64 encoded X.509 format is not supported.

How the certificate is used in Configuration Manager:

This certificate authenticates the mobile device client to the site system servers that it communicates with, such as management points and distribution points.

Configuration Manager component: Boot images for deploying operating systems

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

There are no specific requirements for the certificate Subject Name field or Subject Alternative Name (SAN), and you can use the same certificate for all boot images.

The private key must be exportable.

The SHA-2 hash algorithm is supported.

Maximum supported key length is 2048 bits.

How the certificate is used in Configuration Manager:

The certificate is used if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information.

This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.

This certificate is temporary for the task sequence and is not used to install the client. When you have an environment with HTTPS only, the client must have a valid certificate for the client to communicate with the site and for the deployment to continue. The client certificate can be generated automatically by the client when it is joined to Active Directory, or you can install a client certificate by using another method.

This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the Configuration Manager boot images.

Note

The requirements for this certificate are the same as the server certificate for site systems that have a distribution point installed. Because the requirements are the same, you can use the same certificate file.

Configuration Manager component: Mac client computers

Certificate purpose: Client authentication

Microsoft certificate template to use:

For Configuration Manager enrollment: Authenticated Session

For certificate installation independent from Configuration Manager: Workstation Authentication

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

When Configuration Manager enrollment creates a User certificate, the certificate Subject value is automatically populated with the user name of the person who enrolls the Mac computer.

For certificate installation that does not use Configuration Manager enrollment but deploys a Computer certificate independently from Configuration Manager, the certificate Subject value must be unique. For example, specify the FQDN of the computer.

The Subject Alternative Name field is not supported.

The SHA-2 hash algorithm is supported.

Maximum supported key length is 2048 bits.

How the certificate is used in Configuration Manager:

For System Center 2012 Configuration Manager SP1 and later:

This certificate authenticates the Mac client computer to the site system servers that it communicates with, such as management points and distribution points.

Configuration Manager component: Linux and UNIX client computers

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

The Subject Alternative Name field is not supported.

The private key must be exportable.

The SHA-1 hash algorithm is supported.

The SHA-2 hash algorithm is supported if the operating system of the client supports SHA-2. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic.

Supported key lengths: 2048 bits.

Important

These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported.

How the certificate is used in Configuration Manager:

For System Center 2012 Configuration Manager SP1 and later:

This certificate authenticates the client for Linux and UNIX to the site system servers that it communicates with, such as management points and distribution points.

This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate.

For additional information, see the Planning for Security and Certificates for Linux and UNIX Servers section in the Planning for Client Deployment for Linux and UNIX Servers topic.
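The DER-only requirement stated for mobile device clients and again for Linux and UNIX clients is a common point of failure, because a certificate exported from a Windows CA or pasted from a text editor is frequently Base64 (PEM) encoded. The following PowerShell function is an added example and not part of the Configuration Manager documentation; the function name ConvertTo-DerCertificateFile and the file paths in the usage line are assumptions. It detects which encoding a certificate file uses, converts Base64 X.509 to DER, and proves the result decodes as one X.509 certificate before writing it.

```powershell
# Added example, not from the Configuration Manager documentation. The function name and the
# file paths in the usage line are assumptions.
function ConvertTo-DerCertificateFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath
    )
    $bytes = [System.IO.File]::ReadAllBytes($InputPath)
    if ($bytes.Length -lt 2) { throw "File '$InputPath' is too short to be a certificate" }

    # DER-encoded X.509 begins with the ASN.1 SEQUENCE tag 0x30; Base64 X.509 is ASCII text
    # wrapped in "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" lines.
    if ($bytes[0] -eq 0x30) {
        $der = $bytes
        $sourceFormat = 'DER'
    } else {
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        $pem = '-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----'
        if (-not ($text -match $pem)) {
            throw "File '$InputPath' is neither DER nor Base64 encoded X.509"
        }
        # Strip the line breaks the PEM wrapping adds, then decode to the raw DER bytes.
        $der = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
        $sourceFormat = 'Base64'
    }

    # Load the bytes into X509Certificate2 so a corrupt or multi-certificate file fails here,
    # before anything is written or handed to a client.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    [System.IO.File]::WriteAllBytes($OutputPath, $der)

    [pscustomobject]@{
        SourceFormat = $sourceFormat
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        OutputPath   = $OutputPath
        DerBytes     = $der.Length
    }
}

# Usage (assumed paths): turn a Base64 export from the CA into the DER file the client requires.
ConvertTo-DerCertificateFile -InputPath 'C:\Certs\RootCA.cer' -OutputPath 'C:\Certs\RootCA-der.cer'
```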

Configuration Manager component: Root certification authority (CA) certificates for the following scenarios:

  • Operating system deployment

  • Mobile device enrollment

  • RADIUS server authentication for Intel AMT-based computers

  • Client certificate authentication

Certificate purpose: Certificate chain to a trusted source

Microsoft certificate template to use: Not applicable.

Specific information in the certificate:

Standard root CA certificate.

How the certificate is used in Configuration Manager:

The root CA certificate must be provided when clients have to chain the certificates of the communicating server to a trusted source. This applies in the following scenarios:

  • When you deploy an operating system, and task sequences run that connect the client computer to a management point that is configured to use HTTPS.

  • When you enroll a mobile device to be managed by System Center 2012 Configuration Manager.

  • When you use 802.1X authentication for AMT-based computers, and you want to specify a file for the RADIUS server's root certificate.

In addition, the root CA certificate for clients must be provided if the client certificates are issued by a different CA hierarchy than the CA hierarchy that issued the management point certificate.

Configuration Manager component: Intel AMT-based computers

Certificate purpose: Server authentication

Microsoft certificate template to use: Web Server (modified)

You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format.

You must grant Read and Enroll permissions to the universal security group that you specify in the out of band management component properties.

Specific information in the certificate:

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

The Subject Name must contain the FQDN of the AMT-based computer, which is supplied automatically from Active Directory Domain Services.

SHA-1 is the only supported hash algorithm.

Maximum supported key length: 2048 bits.

This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.

How the certificate is used in Configuration Manager:

Each Intel AMT-based computer requests this certificate during AMT provisioning and for subsequent updates. If you remove AMT provisioning information from these computers, they revoke this certificate.

When this certificate is installed on Intel AMT-based computers, the certificate chain to the root CA is also installed. AMT-based computers cannot support CA certificates with a key length larger than 2048 bits.

After the certificate is installed on Intel AMT-based computers, this certificate authenticates the AMT-based computers to the out of band service point site system server and to computers that run the out of band management console, and encrypts all data transferred between them by using Transport Layer Security (TLS).

Configuration Manager component: Intel AMT 802.1X client certificate

Certificate purpose: Client authentication

Microsoft certificate template to use: Workstation Authentication

You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format, clear the DNS name and select the User principal name (UPN) for the alternative subject name.

You must grant the universal security group that you specify in the out of band management component properties Read and Enroll permissions to this certificate template.

Specific information in the certificate:

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

The subject name field must contain the FQDN of the AMT-based computer and the subject alternative name must contain the UPN.

Maximum supported key length: 2048 bits.

This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.

How the certificate is used in Configuration Manager:

Each Intel AMT-based computer can request this certificate during AMT provisioning, but they do not revoke this certificate when their AMT provisioning information is removed.

After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the RADIUS server so that it can then be authorized for network access.

Configuration Manager component: Mobile devices that are enrolled by Microsoft Intune

Certificate purpose: Client authentication

Microsoft certificate template to use: Not applicable: Intune automatically creates this certificate.

Specific information in the certificate:

Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2).

Three custom extensions uniquely identify the customer's Intune subscription.

Users can supply the certificate Subject value during enrollment. However, this value is not used by Intune to identify the device.

The key size is 2048 bits and uses the SHA-1 hash algorithm.

Note

You cannot change these settings: This information is provided for informational purposes only.

How the certificate is used in Configuration Manager:

This certificate is automatically requested and installed when authenticated users enroll their mobile devices by using Microsoft Intune. The resulting certificate on the device resides in the Computer store and authenticates the enrolled mobile device to Intune, so that it can then be managed.

Because of the custom extensions in the certificate, authentication is restricted to the Intune subscription that has been established for the organization.