Determine If You Need to Configure a Certificate Trust List (CTL) with IIS (Native Mode)
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
A certificate trust list (CTL) is a defined list of trusted root certification authorities. When used with Group Policy and a PKI deployment, a CTL allows you to supplement the existing trusted root certification authorities that are configured on your network, such as those automatically installed with Microsoft Windows or added through Windows enterprise root certification authorities. However, when a CTL is configured in Internet Information Services (IIS), a CTL defines a subset of those trusted root certification authorities.
This subset provides administrators with more control over security because the CTL restricts the client certificates that are accepted to only those that are issued from the list of certification authorities in the CTL. For example, Windows ships with a number of well-known third-party certification authority certificates, such as VeriSign and Thawte. By default, the computer running IIS trusts certificates that chain to these well-known certification authorities. Without configuring IIS with a CTL, any computer that has a client certificate issued from these certification authorities are accepted as a valid Configuration Manager client. If you configure IIS with a CTL that did not include these certification authorities, client connections are refused if the certificate chained to these certification authorities. However, for Configuration Manager clients to be accepted in the native mode site, you must configure IIS with a CTL that specifies the certification authorities used by Configuration Manager clients.
A CTL in IIS is defined as a Web site property, so you must configure the CTL for each site server in a Configuration Manager 2007 native mode site that is configured for Secure Sockets Layer (SSL) communication; it cannot be configured and maintained with Group Policy. The site system roles that use SSL communication are the following:
Default management point
Network load balanced management points
Proxy management point
Internet-based management point
- Default management point
Distribution points that are not branch distribution points or using site system shares
Software update points
State migration points
To use a CTL with Configuration Manager 2007 in native mode, edit the properties of the Web site (the Default Web site, or the custom web site named SMSWeb) after you have configured the Web site with its native mode certificate. Use the Certificate Trust List Wizard to create or edit the CTL, and then specify the root certification authorities used by clients in the native mode site. For more information about creating and editing CTLs in IIS 6.0, see the IIS 6.0 documentation on CTLs (http://go.microsoft.com/fwlink/?LinkId=80247).
It is recommended, but not required, that you use a CTL in IIS for Configuration Manager 2007 native mode because this provides a higher level of security than if you do not explicitly define which certification authorities are used by Configuration Manager clients.
Using a CTL with IIS and Configuration Manager 2007 native mode provides the following advantage:
This is a more secure solution because only the trusted root certification authorities specified in the CTL, rather than all trusted root certification authorities used on the network, will be trusted by Configuration Manager, including the certification authorities installed by default in Windows.
Using a CTL with IIS and Configuration Manager 2007 native mode has the following disadvantages:
This configuration has additional administrative overhead associated with creating and maintaining the CTL on IIS for each Configuration Manager site system server that communicates with Configuration Manager clients over SSL.
Failing to correctly configure and maintain the CTL can result in unmanaged clients.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.