Creating Manual Certificates
10/3/2008
Use the following information to help you create System Center Mobile Device Manager (MDM) certificates manually. This includes the following topics:
- Certificate Templates in MDM (Overview)
- Creating MDM Certificate Templates
- Creating Certificates from the MDM Templates
For best results, all certificates should chain to the same company certification authority root.
Certificate Templates in MDM (Overview)
During MDM installation, Setup creates certificate templates automatically by using the /createtemplates parameter in the ADConfig tool, ADConfig.exe. However, if you install certificates manually, you must create the certificate templates.
Important
If your organization chooses to install MDM certificates manually, you should not perform Active Directory certificate configuration by using the /createtemplates and /enabletemplates parameters in ADConfig.exe. If you install certificates manually, you must follow the steps in Step 1c: Granting Certification Authority Permission to Revoke a Device Enrollment (Optional). We strongly recommend that you perform the automated certificate process and not the manual process.
The following tables list the MDM Web sites and services that require secure (SSL) communication and the certificate template that MDM uses for each. When you install certificates manually, you must create these certificate templates yourself; the tables show the templates, and the certificates issued from them, that an automated MDM installation would create.
MDM Device Management Server
MDM Web site/service | MDM certificate template |
---|---|
Administration Web site | SCMDM2008WebServer |
Device Management Web site | SCMDM2008WebServer |
GCM Service | SCMDM2008GCM |
MDM Enrollment Server
MDM Web site | MDM certificate template |
---|---|
Enrollment Web site | SCMDM2008WebServer |
Administration Web site | SCMDM2008WebServer |
MDM Gateway Server
MDM Web site | MDM certificate template |
---|---|
Gateway Web site | SCMDM2008WebServer |
Windows Mobile Powered Device
MDM devices | MDM certificate template |
---|---|
Device authentication | SCMDM2008MobileDevice |
The following provides general information about MDM certificate templates.
SCMDM2008GCM Template
Property | Value |
---|---|
Validity period | Two years |
Renewal period | Six weeks |
Request minimum key size | 1024 for signature and encryption |
CSP | Microsoft DSS and Diffie-Hellman (D-H) SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider |
Subject name | Supplied by the administrator |
Extended key usage (EKU) and application policies | Client authentication, 1.3.6.1.4.1.311.65.1.1 (specific to MDM GCM client authentication) |
Key usage | Digital signature; allow key exchange only with key encryption (key encipherment) |
SCMDM2008DeviceManagementServers and SCMDM2008ServerAdministrators security permission | Enroll |
Authenticated Users security permission | Read |
Domain Admins and Enterprise Admins security permission | Full control |
SCMDM2008WebServer Template
Property | Value |
---|---|
Validity period | Two years |
Renewal period | Six weeks |
Request minimum key size | 1024 for signature and encryption |
CSP | Microsoft D-H SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider |
Subject name | Supplied in the request |
EKU and application policies | Server authentication |
Key usage | Digital signature; allow key exchange only with key encryption (key encipherment) |
SCMDM2008ServerAdministrators security permission | Enroll |
Authenticated Users security permission | Read |
Domain Admins and Enterprise Admins security permission | Full control |
SCMDM2008MobileDevice Template
Property | Value |
---|---|
Validity period | One year |
Renewal period | Six weeks |
Publish certificate to | Active Directory |
Request minimum key size | 1024 for signature and encryption |
CSP | Microsoft RSA SChannel Cryptographic Provider |
Subject name (built from Active Directory) | Subject = common name; subject alternative name (SAN) = DNS name |
EKU and application policies | Client authentication, 1.3.6.1.4.1.311.65.2.1 (specific to MDM device client authentication) |
Key usage | Digital signature; allow key exchange only with key encryption (key encipherment) |
SCMDM2008EnrolledDevice security permission | Enroll |
Authenticated Users security permission | Read |
Domain Admins and Enterprise Admins security permission | Full control |
Creating MDM Certificate Templates
The following procedures are necessary to create the certificates for MDM deployment. This information is specific to MDM certificate templates and Web services that require certificates.
Certificate Templates
You use the SCMDM2008WebServer and SCMDM2008MobileDevice templates to create certificates for MDM Web sites and devices, respectively, and the SCMDM2008GCM template for the Gateway Central Management (GCM) service. These templates are created when you run ADConfig.exe together with the /createtemplates parameter. During the installation of each MDM server role, the certificates are generated and installed automatically. You can also create these templates and certificates manually, as detailed in the following section. After the templates are created, you must issue them from the certification authority before any certificate can be requested from them.
Important
You must duplicate the MDM certificate templates from other preexisting templates in the Certification Authority console, as shown in the following:
To create a certificate template
On the certification authority server, in Administrative Tools, open the Certification Authority console.
On the Certification Authority page, in the navigation pane, right-click Certificate Templates, and then select Manage.
Create your certificate template by using the information in the section Certificate Templates in MDM (Overview) for SCMDM2008GCM, SCMDM2008WebServer, and SCMDM2008MobileDevice certificate templates.
To issue a certificate template
On the certification authority server, in Administrative Tools, open the Certification Authority console.
Right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.
Select the MDM certificate template and then choose OK.
Note
You must repeat these steps for each MDM certificate template: SCMDM2008GCM, SCMDM2008WebServer, and SCMDM2008MobileDevice.
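As an added example that is not part of the MDM documentation, the following PowerShell script performs the issue step for all three MDM templates from the command line with certutil.exe (the equivalent of New > Certificate Template to Issue) and then verifies that the CA lists them and that the GCM template carries the OIDs given in the table above. It assumes that it runs on the certification authority server as a CA administrator and that the three templates already exist in Active Directory.

```powershell
# Added example (not from the MDM documentation): publish the MDM templates on
# the enterprise CA with certutil and verify the result.
# Assumes: run on the CA server as a CA administrator; templates already
# created in the Certificate Templates console under the names on this page.
$mdmTemplates = 'SCMDM2008GCM', 'SCMDM2008WebServer', 'SCMDM2008MobileDevice'

foreach ($t in $mdmTemplates) {
    # A template must exist in AD before the CA can issue it; certutil
    # -dsTemplate exits non-zero if the named template is not defined.
    & certutil.exe -dsTemplate $t | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Template $t is not defined in Active Directory; create it first."
    }
    # Same effect as 'New > Certificate Template to Issue' in the CA console.
    & certutil.exe -SetCATemplates "+$t" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not enable $t on the CA." }
}

# Read back the CA's list of issuable templates ("Name: Display Name -- ...")
# and confirm that all three MDM templates are present.
$issued  = & certutil.exe -CATemplates
$missing = $mdmTemplates | Where-Object { -not ($issued -match "^${_}:") }
if ($missing) { throw "Not issued by the CA: $($missing -join ', ')" }

# Spot-check the GCM template: it must carry Client Authentication
# (1.3.6.1.5.5.7.3.2) and the MDM GCM policy OID 1.3.6.1.4.1.311.65.1.1.
$gcm = & certutil.exe -v -dsTemplate SCMDM2008GCM
foreach ($oid in '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.65.1.1') {
    if (-not ($gcm -match [regex]::Escape($oid))) {
        Write-Warning "SCMDM2008GCM does not carry the expected OID $oid"
    }
}
'MDM templates published on the CA and verified.'
```

Run it once per CA that will issue MDM certificates; re-running is harmless because -SetCATemplates + only adds a template that is not already listed.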
Issuing Certificates by Using MDM Templates
During Setup, MDM requests and installs certificates from a certification authority. You can also create these certificates manually. MDM requires that you install a certificate for each of the following:
- Enrollment Server External Web Site Certificate
- Enrollment Server Administration Web Site Certificate
- Device Management Server Web Site Certificate
- Device Management Server Administration Web Site Certificate
- Device Management Gateway Central Management (GCM) Certificate
- Gateway Server Web Site Certificate
- Mobile Device Certificate
MDM Enrollment Server and MDM Device Management Server Only
The SCMDM2008WebServer template will let an administrator create certificates for the following MDM IIS 6.0 Web sites:
MDM Device Management Server
Web site | Virtual directory in IIS | Subject name |
---|---|---|
Device Management Server Web site certificate | MobileDeviceManager | MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com |
Device Management Server Administration Web site certificate | MobileDeviceManagerAdmin | MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com |
MDM Enrollment Server
Web site | Virtual directory in IIS | Subject name |
---|---|---|
Enrollment Server External Web site certificate | Enrollment | External enrollment server or load balancer FQDN, for example, mobileenroll.contoso.com |
Enrollment Server Administration Web site certificate | EnrollmentAdmin | Internal enrollment server or load balancer FQDN, for example, es.contoso.com |
Create the IIS Certificate for an MDM Web Site
The procedures to create and install the certificates are the same for all Web sites except that each Web site will use a different common name and a different port configuration.
Important
During MDM Enrollment Server and MDM Device Management Server Setup, the administrator supplies the ports to use for the Enrollment Server Administration Web site and the Device Management Server Administration Web sites. The ports that are used will be required again for the following procedures. Follow these steps to install certificates for MDM Enrollment Server and MDM Device Management Server.
The following procedure is one way to create a certificate for the MDM Web sites. It uses the IIS Web Server Certificate Wizard, which cannot select the SCMDM2008WebServer template, so the certification authority issues the certificate from its standard Web Server template instead. (MDM Setup uses the SCMDM2008WebServer template to request the correct certificates and bind them to the Enrollment and Device Management Web sites automatically, without administrator intervention.) If you want the certificate issued from the SCMDM2008WebServer template, request it instead through the certification authority's Web enrollment pages at https://[CAServerName]/certsrv, select the SCMDM2008WebServer template there, and then bind the issued certificate to the Web site.
To create and store an IIS certificate for an MDM Web site
On MDM Enrollment Server or MDM Device Management Server, on the Start menu, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.
On the IIS console, expand the server node, and then expand Web Sites. Right-click the virtual directory for the certificate that you want to install and then select Properties.
Important
Again, reference the previous table that lists the Web sites and virtual directories when you make this selection. The selection is Admin, Enrollment, EnrollmentAdminService, or DM.
The site Properties dialog box appears. Choose the Directory Security tab.
On the Directory Security tab, choose Server Certificate. The Welcome to the Web Server Certificate Wizard appears. Choose Next.
On the Server Certificate page, select Create a new certificate, and then choose Next.
Choose Send the request immediately to an online certification authority, and then choose Next.
On the Name and Security Settings page, type a name for the certificate, and then choose Next.
On the Organization Information page, type your company name and organization.
On the Your Site’s Common Name page, type the FQDN of the server or the load balancer.
Choose Next.
On the Geographical Information page, choose the Country/Region, the State/province, and the City/locality, and then choose Next.
On the SSL Port page, in the SSL port this web site should use section, type the SSL port to use for the virtual directory. It is important to choose a unique SSL port for each virtual directory if there is the possibility of interference with another Web service.
On the Choose a Certification Authority page, in the Certification authorities section, select the name of the certification authority to use, and then choose Next.
In the Certificate Request Submission dialog box, review the information, and then choose Next.
When the certificate process is complete, a notification message appears. Choose Finish.
Create and Install Certificates from the SCMDM2008GCM Template
The MDM GCM service resides on MDM Device Management Server and helps make sure that the communication between MDM Device Management Server and MDM Gateway Server is more secure. The procedures to create this certificate differ because this certificate is for a service instead of a Web site. The SCMDM2008GCM template provides this certificate to MDM Device Management Server.
Important
For best results, the same certification authority should issue both the MDM Gateway Server certificate and the MDM GCM certificate, so that both chain to the same root (see the note at the beginning of this topic). Follow these steps to create the certificate:
To create and install the GCM certificate
On MDM Device Management Server, open Internet Explorer. In the Address bar, type https://[yourCA]/certsrv where yourCA is the name or IP address of the certification authority.
Select Request a Certificate, and then select Advanced Certificate Request.
Select Create and Submit a Request to this CA.
On the Advanced Certificate Request page, in the Certificate Template section, select SCMDM2008GCM from the list.
Type the FQDN of the MDM Device Management Server for Name.
Select the Store certificate in the local computer certificate store check box.
Choose Submit.
If the Potential Scripting Violation page appears, choose Yes.
On the Certificate Issued page, select Install this certificate. If the Potential Scripting Violation page appears, choose Yes.
The Certificate Installed page appears. Confirm the installation and then close Internet Explorer.
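The two procedures above (the IIS certificate for an MDM Web site, and the GCM certificate for MDM Device Management Server) both reduce to requesting a certificate from a named template and installing it in the local computer store. As an added example that is not part of the MDM documentation, the following PowerShell script does both with certreq.exe, which, unlike the IIS Web Server Certificate Wizard, can name the SCMDM2008WebServer template, and then checks that the two certificates chain to the same root. The CA configuration string ca01.contoso.com\Contoso Issuing CA, the working folder C:\MDMCerts, the function name New-MdmCertificate and the subject names are placeholders; the EKU OIDs and key usage are the ones listed in the template tables on this page.

```powershell
# Added example, not part of the MDM documentation: request certificates from
# the MDM templates with certreq.exe and install them in the machine store.
# Assumptions: run on the target MDM server as a local administrator; the CA
# config string (see 'certutil -dump'), folder and subject names are placeholders.
$caConfig = 'ca01.contoso.com\Contoso Issuing CA'
$workDir  = 'C:\MDMCerts'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

function New-MdmCertificate {
    param(
        [string]$Name,          # base name for the .inf/.req/.cer files
        [string]$Subject,       # for example CN=dm.contoso.com
        [string]$Template,      # SCMDM2008WebServer or SCMDM2008GCM
        [string[]]$EkuOids,     # EKUs the template expects
        [string]$Provider = 'Microsoft RSA SChannel Cryptographic Provider'
    )
    $inf = Join-Path $workDir "$Name.inf"
    $req = Join-Path $workDir "$Name.req"
    $cer = Join-Path $workDir "$Name.cer"

    # KeyUsage 0xa0 = digitalSignature + keyEncipherment, matching the
    # templates' key usage. 2048 bits exceeds the templates' 1024-bit minimum.
    # ProviderType 12 = PROV_RSA_SCHANNEL, one of the CSPs every template allows.
    $eku = ($EkuOids | ForEach-Object { "OID=$_" }) -join "`r`n"
    @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "$Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
$eku
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    & certreq.exe -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed for $Name" }
    # The .cer is written only if the CA issued immediately; a request held
    # for CA manager approval leaves no .cer and must be retrieved later.
    & certreq.exe -submit -config $caConfig $req $cer | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
        throw "Request $Name was not issued (pending or denied); check the CA."
    }
    # -accept installs the certificate and binds it to the machine private key.
    & certreq.exe -accept $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed for $Name" }
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

# Web site certificate: Server Authentication EKU, subject = site or load balancer FQDN.
$dmCert = New-MdmCertificate -Name 'dm-web' -Subject 'CN=dm.contoso.com' `
    -Template 'SCMDM2008WebServer' -EkuOids '1.3.6.1.5.5.7.3.1'

# GCM service certificate: Client Authentication plus the MDM GCM policy OID.
$gcmCert = New-MdmCertificate -Name 'gcm' -Subject 'CN=dm.contoso.com' `
    -Template 'SCMDM2008GCM' -EkuOids '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.65.1.1'

# Both certificates must chain to the same root certification authority.
$roots = $dmCert, $gcmCert | ForEach-Object {
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($_)
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}
if (@($roots | Select-Object -Unique).Count -ne 1) { throw 'Certificates chain to different roots.' }
"Issued $($dmCert.Thumbprint) (Web site) and $($gcmCert.Thumbprint) (GCM)"
```

After the Web site certificate is installed, bind it to the virtual directory and SSL port in IIS Manager (Directory Security > Server Certificate > Assign an existing certificate), which is the part of the work the wizard otherwise does for you. certreq -submit also prints the request ID, which you need to retrieve a request that the CA held for manager approval.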
Provide Network Service Permissions to the Certificate
The MDM GCM service on MDM Device Management Server runs as the Network Service account, and that account must have read permission on the private key of the GCM certificate to use it for secure communication with MDM Gateway Server. Machine private keys are stored as files in the MachineKeys directory, and a newly created key file does not grant the service account access. Follow these steps immediately after you complete the previous procedure, while the GCM key is still the most recently created key file.
To provide network service permissions to the certificate
On MDM Device Management Server, open a Command Prompt window.
Move to the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory. (%SystemDrive% already expands to the drive letter and colon, for example, C:.)
Type dir /as /od, and then press ENTER. The private key files in the directory are listed in ascending date order, so the most recently created key, which is the GCM key if you have just completed the previous procedure, appears last. Copy the file name of that last entry to Notepad for reference. The name resembles the following: 9aeda5eb71565f14f9f9560765b3a40d_39f7de58-5ee9-432d-8a6a-92783d7140b1.
Important
Taking the last file name identifies the correct key only if the MDM GCM certificate was the last certificate created on this server. If other certificates have been requested since, or to find the private key file of a specific certificate reliably, build the sample project at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=103625.
In the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory, run the following command, substituting the key file name that you recorded in the previous step for <hash>:
cacls "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\<hash>" /E /G "NETWORK SERVICE":R
Note
This sample assumes that C: is the system drive of your computer. The /E switch edits the existing ACL instead of replacing it, so the Administrators and SYSTEM entries are preserved, and "NETWORK SERVICE" is the account that the GCM service runs as. Read (R) access is all the service needs to use the key.
Close the Command Prompt window.
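Picking the newest file in MachineKeys is fragile, and the sample project linked above is the page's more reliable alternative. As an added example that is not the page's or the product's own code, the following PowerShell script resolves the key file name directly from the GCM certificate in the local computer store and grants the Network Service account read access to it, then verifies the ACL. It assumes the Windows Server 2003 path used on this page, that the GCM certificate is the one in LocalMachine\My whose EKU contains 1.3.6.1.4.1.311.65.1.1 (the OID from the SCMDM2008GCM template table), and that the key is a CAPI (CSP) key, as the template's CSP setting implies.

```powershell
# Added example (not from the MDM documentation): grant Network Service read
# access to the GCM certificate's private key file, located from the
# certificate rather than by taking the newest file in MachineKeys.
# Assumptions: run elevated on MDM Device Management Server; Server 2003 path
# as on this page; the GCM cert is identified by its EKU OID; CSP (CAPI) key.
$gcmPolicyOid = '1.3.6.1.4.1.311.65.1.1'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    # 2.5.29.37 is the Extended Key Usage extension.
    $ekuExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $c.HasPrivateKey -and $ekuExt -and
        (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $gcmPolicyOid)
} | Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with EKU $gcmPolicyOid and a private key in LocalMachine\My." }

# UniqueKeyContainerName is exactly the <hash>_<guid> file name that the
# manual procedure reads off 'dir /as /od'.
$info = $cert.PrivateKey.CspKeyContainerInfo
if (-not $info.MachineKeyStore) {
    throw 'Key is in a user profile store, not MachineKeys; re-request it with MachineKeySet=TRUE.'
}
$keyFile = $info.UniqueKeyContainerName
# $env:ALLUSERSPROFILE is C:\Documents and Settings\All Users on Server 2003;
# on Server 2008 and later the folder lives under $env:ProgramData instead.
$keyPath = Join-Path $env:ALLUSERSPROFILE "Application Data\Microsoft\Crypto\RSA\MachineKeys\$keyFile"
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# Same effect as: cacls "<keyPath>" /E /G "NETWORK SERVICE":R
# (add an entry, leave the existing Administrators/SYSTEM entries alone).
$acl  = Get-Acl $keyPath
$rule = New-Object Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify that Network Service now holds an Allow entry that includes Read.
$ok = (Get-Acl $keyPath).Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::Read) -ne 0)
}
if (-not $ok) { throw 'The ACL change did not take effect.' }
"Granted NETWORK SERVICE read on $keyFile (certificate $($cert.Thumbprint))"
```

Because the key file is chosen by certificate rather than by timestamp, this can be run at any time, including after other certificates have been enrolled on the server.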