Deploying the Client Computer Certificates to Clients and the Management Point
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Client computers in a Configuration Manager 2007 native mode site require public key infrastructure (PKI) computer certificates to authenticate them to the management point. Without this authentication, Configuration Manager 2007 clients in a native mode site are unmanaged and will send a status message to their fallback status point. Additionally, the management point requires a client certificate so that it can be monitored and send its status to the site server. If you are using the operating system deployment feature, the state migration point also requires a client certificate for monitoring purposes.
The management point and state migration point require a client certificate even if the Configuration Manager 2007 client is not installed on these site systems.
You can install the client computer certificates in a number of ways. Refer to your PKI documentation for more information. If you are using a Microsoft PKI, the recommended method is to create the certificates using the version 1 (v1) computer template, or the version 2 (v2) client workstation template, and then auto-enroll the certificates to computers using Group Policy.
Other deployment methods include the following:
If you are using a Microsoft PKI with Web enrollment, you can request the certificate from each computer, using the Web enrollment pages.
If you are using a Microsoft PKI with an enterprise CA, you can use the Certificates Microsoft Management Console snap-in from each computer to import a certificate or request the certificate. Use the Request New Certificate task or Import task from the Personal certificate store on the local computer.
You can request and retrieve the certificate using the Microsoft Certreq command-line utility.
If you can create the certificate with your certificate management tools, you can export it and import it on each computer.
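The Certreq method above, as an added example that is not part of the original documentation: a PowerShell session, run elevated on the client, that requests a certificate from the v1 computer template, installs it, and then checks that the local computer's Personal store holds a currently valid certificate with the Client Authentication usage and a private key. The CA configuration string and the working folder are placeholders; `Machine` is the internal name of the v1 computer template.

```powershell
# Added example. $caConfig and the working folder are placeholders (assumptions).
$caConfig = 'CA01.contoso.example\Contoso-Issuing-CA'
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$work     = Join-Path $env:TEMP 'cm-clientcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request policy: key pair in the machine store, private key not exportable.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE

[RequestAttributes]
CertificateTemplate = Machine
"@ | Set-Content -Path "$work\client.inf" -Encoding ASCII

# Create the request, submit it to the enterprise CA, install the issued certificate.
certreq -new "$work\client.inf" "$work\client.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
certreq -submit -config $caConfig "$work\client.req" "$work\client.cer"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path "$work\client.cer")) {
    throw 'Certificate was not issued (request failed or is pending CA approval).'
}
certreq -accept "$work\client.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Check: valid dates, private key present, Client Authentication EKU.
$clientAuth = '1.3.6.1.5.5.7.3.2'
$now        = Get-Date
$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuth })
}
if (-not $usable) { throw 'No usable client authentication certificate in LocalMachine\My.' }
$usable | Format-List Subject, Issuer, NotAfter, Thumbprint
```

The verification half can be run on its own against computers that received their certificate through auto-enrollment or import.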
If you are installing clients using the operating system deployment feature, a client certificate might be required to complete the deployment process. The certificate must be created and then exported to a .PFX file so that it can be imported in Configuration Manager 2007 when configuring the operating system deployment. For more information about this scenario, see How to Export Certificates For Use With Operating System Deployment.