Deploying a Trusted Root Certification Authority to Configuration Manager Computers
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
A root certification authority (CA) is the most trusted certification authority, which is at the top of a public key infrastructure (PKI) certification hierarchy. For native mode communication to be successful in a Configuration Manager 2007 site, the PKI certificates that are used for authentication, encryption, and signing must be issued by a root certification authority that is trusted by the other computers and devices in the site.
Each computer and device that communicates using certificates must have a root certificate in common. If all the computers in your Configuration Manager 2007 hierarchy use certificates from the same certification authority, you need to deploy only a single trusted root certification authority. However, there is no requirement to use the same certification authority, so you might have to install multiple root CAs.
Microsoft Windows computers and some devices are automatically configured with some well-known third-party root certificates. However, if you are using your own PKI, you need to install the root certificate. There are various ways to achieve this, including the following methods:
If you are using a Microsoft Enterprise root certification authority, the root certificate is automatically installed on computers in the forest, using Active Directory Domain Services.
If you are not using a Microsoft Enterprise root certification authority but want all computers in the forest to automatically trust the root certification authority, you can publish the root certificate in the Enterprise Trust Store, using Group Policy or the Certutil command.
If you not using a Microsoft Enterprise root certification authority and want only groups of computers in the forest to automatically trust the root certification authority, you can publish the root certificate to domains or organizational units (OUs) using Group Policy. Only computers that have the Group Policy applied will automatically trust the root certification authority. Add the root certificate to the Group Policy object Trusted Root Certification Authorities under the Public Key Policies folder for the Computer Configuration container.
If you are using Microsoft Certificate Services with Internet Information Services (IIS), you can request and install the root certificate with the Web enrollment service.
You can request and retrieve the certificate using the Microsoft Certreq command-line utility.
You can export the certificate to a file and import it if exporting the public key is enabled within the certificate.
If you are using the operating system deployment feature, root CAs must be specified in Configuration Manager 2007 as a site property. For more information, see How to Specify the Root Certification Authority Certificates for Operating System Deployment Clients.
ConceptsCertificate Requirements for Native Mode
Other ResourcesDeploying the PKI Certificates Required for Native Mode
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.