Creating Manual Certificates

10/3/2008

Use the following information to help you create System Center Mobile Device Manager (MDM) certificates manually. This includes the following topics:

  • Certificate Templates in MDM (Overview)
  • Creating MDM Certificate Templates
  • Creating Certificates from the MDM Templates

For best results, all certificates should chain to the same company certification authority root.

Certificate Templates in MDM (Overview)

During MDM installation, Setup creates certificate templates automatically by using the /createtemplates parameter in the ADConfig tool, ADConfig.exe. However, if you install certificates manually, you must create the certificate templates.

Important

If your organization chooses to install MDM certificates manually, you should not perform Active Directory certificate configuration by using the /createtemplates and /enabletemplates parameters in ADConfig.exe. If you install certificates manually, you must follow the steps in Step 1c: Granting Certification Authority Permission to Revoke a Device Enrollment (Optional). We strongly recommend that you perform the automated certificate process and not the manual process.

The following tables list the MDM Web sites and services that require secure communication, together with the certificate template that MDM uses for each. When you install certificates manually, you must create equivalent templates yourself; the tables that follow show the templates, and the certificates, that MDM creates.

MDM Device Management Server

  MDM Web site/service          MDM certificate template
  Administration Web site       SCMDM2008WebServer
  Device Management Web site    SCMDM2008WebServer
  GCM Service                   SCMDM2008GCM

MDM Enrollment Server

  MDM Web site                  MDM certificate template
  Enrollment Web site           SCMDM2008WebServer
  Administration Web site       SCMDM2008WebServer

MDM Gateway Server

  MDM Web site                  MDM certificate template
  Gateway Web site              SCMDM2008WebServer

Windows Mobile Powered Device

  MDM devices                   MDM certificate template
  Device authentication         SCMDM2008MobileDevice

The following provides general information about MDM certificate templates.

SCMDM2008GCM Template

  Validity period: Two years
  Renewal period: Six weeks
  Request minimum key size: 1024 for signature and encryption
  CSP: Microsoft DSS and Diffie-Hellman (D-H) SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider
  Subject name: To be supplied by the administrator
  Extended key usage (EKU) and application policies: Client authentication, 1.3.6.1.4.1.311.65.1.1 (specific to MDM GCM client authentication)
  Key usage: Digital signature; enable key exchange only with key encryption
  SCMDM2008DeviceManagementServers and SCMDM2008ServerAdministrators security permission: Enroll
  Authenticated Users security permission: Read
  Domain Administrator and Enterprise Administrator security permission: Full control

SCMDM2008WebServer Template

  Validity period: Two years
  Renewal period: Six weeks
  Request minimum key size: 1024 for signature and encryption
  CSP: Microsoft D-H SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider
  Subject name: Supplied in the request
  EKU and application policies: Server authentication
  Key usage: Digital signature; enable key exchange only with key encryption
  SCMDM2008ServerAdministrators security permission: Enroll
  Authenticated Users security permission: Read
  Domain Administrator and Enterprise Administrator security permission: Full control

SCMDM2008MobileDevice Template

  Validity period: One year
  Renewal period: Six weeks
  Publish certificate to: Active Directory
  Request minimum key size: 1024 for signature and encryption
  CSP: Microsoft RSA SChannel Cryptographic Provider
  Subject name built from Active Directory: Subject name = common name; subject alternative name (SAN) = DNS name
  EKU and application policies: Client authentication, 1.3.6.1.4.1.311.65.2.1 (specific to MDM device client authentication)
  Key usage: Digital signature; enable key exchange only with key encryption
  SCMDM2008EnrolledDevice security permission: Enroll
  Authenticated Users security permission: Read
  Domain Administrator and Enterprise Administrator security permission: Full control
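The template tables above describe what an issued MDM certificate should look like (key size, EKU object identifier, key usage, validity and renewal period, and a chain to the same company root). The following Windows PowerShell script is an added example, not part of the MDM documentation, that checks a certificate in the local computer store against those properties. It assumes Windows PowerShell 2.0 or later on the MDM server that holds the certificate; the thumbprint values are placeholders that you replace with your own, and the server-authentication OID used for SCMDM2008WebServer is the standard id-kp-serverAuth value rather than one quoted in the tables.

```powershell
# Added example, not from the MDM documentation: verify a certificate against the
# MDM template properties. Assumes Windows PowerShell 2.0 or later on the MDM server.
# Placeholder values: REPLACE_WITH_THUMBPRINT, REPLACE_WITH_ROOT_THUMBPRINT.

# EKU OIDs from the template tables; the server-authentication OID is the standard
# id-kp-serverAuth value that the "Server authentication" EKU resolves to.
$MdmTemplateEku = @{
    'SCMDM2008GCM'          = '1.3.6.1.4.1.311.65.1.1'   # MDM GCM client authentication
    'SCMDM2008MobileDevice' = '1.3.6.1.4.1.311.65.2.1'   # MDM device client authentication
    'SCMDM2008WebServer'    = '1.3.6.1.5.5.7.3.1'        # Server authentication
}

function Test-MdmCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$Template,
        [string]$ExpectedRootThumbprint = ''   # the company root that all MDM certificates should chain to
    )
    $findings = @()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return ,@("Certificate $Thumbprint not found in Cert:\LocalMachine\My") }

    # Validity: report expiry, and report entry into the six-week renewal period from the tables.
    $now = Get-Date
    if ($cert.NotAfter -lt $now) { $findings += "Expired on $($cert.NotAfter)" }
    elseif ($cert.NotAfter -lt $now.AddDays(42)) { $findings += "Inside the six-week renewal period (expires $($cert.NotAfter))" }

    # Request minimum key size in the tables is 1024 bits for signature and encryption.
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -lt 1024) { $findings += "Key size $keySize is below the template minimum of 1024" }

    # Extended key usage must carry the OID the template defines.
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $wanted = $MdmTemplateEku[$Template]
    if (-not $wanted) { $findings += "Unknown template name $Template" }
    elseif ($ekuOids -notcontains $wanted) { $findings += "EKU $wanted for $Template is missing (present: $($ekuOids -join ', '))" }

    # Key usage: digital signature plus key encipherment, as the tables require.
    $kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    if (-not $kuExt) { $findings += 'Key usage extension is missing' }
    else {
        if (($kuExt.KeyUsages -band $flags::DigitalSignature) -eq 0) { $findings += 'Key usage lacks Digital Signature' }
        if (($kuExt.KeyUsages -band $flags::KeyEncipherment) -eq 0) { $findings += 'Key usage lacks Key Encipherment' }
    }

    # Chain: must build, and should end at the company root shared by every MDM certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Chain does not build: $status"
    } elseif ($ExpectedRootThumbprint) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -ne $ExpectedRootThumbprint) { $findings += "Chains to '$($root.Subject)', not the expected company root" }
    }
    return ,$findings   # empty array means every check passed
}

$result = Test-MdmCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT' -Template 'SCMDM2008GCM' -ExpectedRootThumbprint 'REPLACE_WITH_ROOT_THUMBPRINT'
if ($result.Count -eq 0) { 'All checks passed' } else { $result }
```

Run it once per MDM certificate with the matching template name; an empty result means the certificate satisfies the table, and each finding names the property that differs so you know which template setting to revisit before re-enrolling.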

Creating MDM Certificate Templates

The following procedures are necessary to create the certificates for MDM deployment. This information is specific to MDM certificate templates and Web services that require certificates.

Certificate Templates

You use the SCMDM2008WebServer and SCMDM2008MobileDevice templates to create certificates for MDM Web sites and devices, respectively, and the SCMDM2008GCM template for the Gateway Central Management (GCM) service. These templates are created when you run ADConfig.exe together with the /createtemplates parameter. During the installation process for each MDM server role, the certificates are generated and installed automatically. You can also create these certificates and templates manually, as detailed in the following section. After you create the MDM certificate templates, you must issue them.

Important

You must duplicate the MDM certificate templates from other preexisting templates in the Certification Authority console, as shown in the following:

To create a certificate template

  1. On the certification authority server, in Administrative Tools, open the Certification Authority console.

  2. On the Certification Authority page, in the navigation pane, right-click Certificate Templates, and then select Manage.

  3. Create your certificate template by using the information in the section Certificate Templates in MDM (Overview) for SCMDM2008GCM, SCMDM2008WebServer, and SCMDM2008MobileDevice certificate templates.

To issue a certificate template

  1. On the certification authority server, in Administrative Tools, open the Certification Authority console.

  2. Right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.

  3. Select the MDM certificate template and then choose OK.

    Note

    You must repeat these steps for each MDM certificate template: SCMDM2008GCM, SCMDM2008WebServer, and SCMDM2008MobileDevice.

Issuing Certificates by Using MDM Templates

During Setup, MDM requests and installs certificates from a certification authority. You can also create these certificates manually. The following require that you install a certificate for MDM:

  • Enrollment Server External Web Site Certificate
  • Enrollment Server Administration Web Site Certificate
  • Device Management Server Web Site Certificate
  • Device Management Server Administration Web Site Certificate
  • Device Management Gateway Central Management (GCM) Certificate
  • Gateway Server Web Site Certificate
  • Mobile Device Certificate

MDM Enrollment Server and MDM Device Management Server Only

The SCMDM2008WebServer template lets an administrator create certificates for the following MDM IIS 6.0 Web sites:

MDM Device Management Server

  Web site, virtual directory in IIS, and subject name:

  Device Management Server Web site certificate
    Virtual directory in IIS: MobileDeviceManager
    Subject name: MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com

  Device Management Server Administration Web site certificate
    Virtual directory in IIS: MobileDeviceManagerAdmin
    Subject name: MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com

MDM Enrollment Server

  Web site, virtual directory in IIS, and subject name:

  Enrollment Server External Web site certificate
    Virtual directory in IIS: Enrollment
    Subject name: External enrollment server or load balancer FQDN, for example, mobileenroll.contoso.com

  Enrollment Server Administration Web site certificate
    Virtual directory in IIS: EnrollmentAdmin
    Subject name: Internal enrollment server or load balancer FQDN, for example, es.contoso.com

Create the IIS Certificate for an MDM Web Site

The procedures to create and install the certificates are the same for all Web sites except that each Web site will use a different common name and a different port configuration.

Important

During MDM Enrollment Server and MDM Device Management Server Setup, the administrator supplies the ports to use for the Enrollment Server Administration Web site and the Device Management Server Administration Web site. You will need those same ports again in the following procedures. Follow these steps to install certificates for MDM Enrollment Server and MDM Device Management Server.

The following procedure provides one way to create a certificate for the MDM Web sites. It does not use the SCMDM2008WebServer template: when you run the IIS wizard manually, the certification authority issues the certificate from its standard Web Server template. MDM Setup, by contrast, uses the MDM templates to create and bind the correct certificates to the Enrollment and Device Management Web sites automatically, without administrator intervention. Alternatively, you can request the certificate from the online certification authority Web site at https://[CAServerName]/certsrv and select the SCMDM2008WebServer template there.

To create and store an IIS certificate for an MDM Web site

  1. On MDM Enrollment Server or MDM Device Management Server, on the Start menu, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.

  2. On the IIS console, expand the server node, and then expand Web Sites. Right-click the virtual directory for the certificate that you want to install and then select Properties.

    Important

    Again, reference the previous table that lists the Web sites and virtual directories when you make this selection. The selection is Admin, Enrollment, EnrollmentAdminService, or DM.

  3. The site Properties dialog box appears. Choose the Directory Security tab.

  4. On the Directory Security tab, choose Server Certificate. The Welcome to the Web Server Certificate Wizard appears. Choose Next.

  5. On the Server Certificate page, select Create a new certificate, and then choose Next.

  6. Choose Send the request immediately to an online certification authority, and then choose Next.

  7. On the Name and Security Settings page, type a name for the certificate, and then choose Next.

  8. On the Organization Information page, type your company name and organization.

  9. On the Your Site’s Common Name page, type the FQDN of the server or the load balancer.

  10. Choose Next.

  11. On the Geographical Information page, choose the Country/Region, the State/province, and the City/locality, and then choose Next.

  12. On the SSL Port page, in the SSL port this web site should use section, type the SSL port to use for the virtual directory. It is important to choose a unique SSL port for each virtual directory if there is the possibility of interference with another Web service.

  13. On the Choose a Certification Authority page, in the Certification authorities section, select the name of the certification authority to use, and then choose Next.

  14. In the Certificate Request Submission dialog box, review the information, and then choose Next.

  15. When the certificate process is complete, a notification message appears. Choose Finish.
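The wizard above issues the Web site certificate from the certification authority's standard Web Server template. If you want the request to name the SCMDM2008WebServer template explicitly, as the certsrv alternative does, the following Windows PowerShell script is an added example, not part of the MDM documentation, that builds the request with certreq.exe and an INF file. It assumes an elevated prompt on the MDM server that will host the Web site, that certreq.exe is available (it ships with Windows), and that $SubjectFqdn and $CaConfig are placeholders you replace with the subject name from the table above and your certification authority's "host\CA name" configuration string.

```powershell
# Added example, not from the MDM documentation: request an MDM Web site certificate
# from the SCMDM2008WebServer template with certreq.exe. Placeholders: $SubjectFqdn, $CaConfig.

$SubjectFqdn = 'dm.contoso.com'                   # placeholder: server or load balancer FQDN from the table
$CaConfig    = 'REPLACE_CA_HOST\REPLACE_CA_NAME'  # placeholder: "certutil -config - -ping" shows the CA config string
$Template    = 'SCMDM2008WebServer'
$WorkDir     = Join-Path $env:TEMP 'mdm-cert-request'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir "$SubjectFqdn.inf"
$ReqPath = Join-Path $WorkDir "$SubjectFqdn.req"
$CerPath = Join-Path $WorkDir "$SubjectFqdn.cer"

# Key settings mirror the template table: RSA SChannel provider, digital signature plus
# key encipherment (0xa0), key held in the machine store and not exportable.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$SubjectFqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $InfPath -Encoding ASCII

function Invoke-Certreq {
    # Runs certreq.exe with the given arguments and stops on a non-zero exit code.
    param([string[]]$Arguments)
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

Invoke-Certreq @('-new', $InfPath, $ReqPath)                           # create the key pair and PKCS#10 request
Invoke-Certreq @('-submit', '-config', $CaConfig, $ReqPath, $CerPath)  # submit to the online certification authority
Invoke-Certreq @('-accept', $CerPath)                                  # install the issued certificate against its key

# Show what landed in the local computer store for this subject.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$SubjectFqdn" } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

After the certificate is in the local computer store, bind it to the Web site from IIS Manager (Directory Security, Server Certificate, Assign an existing certificate) and set the SSL port as in steps 12 through 13 above. If the certification authority holds requests for approval, certreq -submit reports a RequestId instead of issuing immediately; once approved, fetch it with certreq -retrieve -config "<CA config>" <RequestId> <cer file> and then run the -accept step.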

Create and Install Certificates from the SCMDM2008GCM Template

The MDM GCM service resides on MDM Device Management Server and helps make sure that the communication between MDM Device Management Server and MDM Gateway Server is more secure. The procedures to create this certificate differ because this certificate is for a service instead of a Web site. The SCMDM2008GCM template provides this certificate to MDM Device Management Server.

Important

For best results, the same certification authority must issue both the MDM Gateway Server certificate and the MDM GCM certificate. Follow these steps to create the certificate:

To create and install the GCM certificate

  1. On MDM Device Management Server, open Internet Explorer. In the Address bar, type https://[yourCA]/certsrv where yourCA is the name or IP address of the certification authority.

  2. Select Request a Certificate, and then select Advanced Certificate Request.

  3. Select Create and Submit a Request to this CA.

  4. On the Advanced Certificate Request page, in the Certificate Template section, select SCMDM2008GCM from the list.

  5. Type the FQDN of the MDM Device Management Server for Name.

  6. Select the Store certificate in the local computer certificate store check box.

  7. Choose Submit.

  8. If the Potential Scripting Violation page appears, choose Yes.

  9. On the Certificate Issued page, select Install this certificate. If the Potential Scripting Violation page appears, choose Yes.

  10. The Certificate Installed page appears. Confirm the installation and then close Internet Explorer.

Provide Network Service Permissions to the Certificate

The MDM GCM service on MDM Device Management Server must have Network Service permissions on the certificate's private key to use it for more secure communication with MDM Gateway Server. Follow these steps immediately after you complete the previous steps.

To provide network service permissions to the certificate

  1. On MDM Device Management Server, open a Command Prompt window.

  2. Move to the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory.

  3. Type dir /as /od, and then press ENTER. The private key files are listed in ascending date order, so the most recently created key appears last. Copy the name of that file to Notepad for future reference. The name resembles the following: 9aeda5eb71565f14f9f9560765b3a40d_39f7de58-5ee9-432d-8a6a-92783d7140b1.

    Important

    The most recent file is the GCM key only if the MDM GCM certificate was the last certificate created on this computer. Otherwise, to find the private key file of a specific certificate, build the sample project at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=103625.

  4. In the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory, run the following command:

    cacls "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\<hash>" /E /G "NETWORK SERVICE":R

    Note

    This sample assumes that C: is the system drive for your computer. <hash> is the private key file name that you copied in step 3. The /E switch edits the existing ACL instead of replacing it, so the permissions already on the key file are kept.

  5. Close the Command Prompt window.
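Step 3 above picks the GCM private key by assuming it is the newest file in MachineKeys, which only holds if no other certificate was created afterwards. The following Windows PowerShell script is an added example, not part of the MDM documentation, that instead asks CryptoAPI for the certificate's own key container file name and then grants the Network Service account Read access with the same cacls command. It assumes Windows PowerShell 2.0 or later on MDM Device Management Server, that the GCM certificate was enrolled into the local computer store with a CryptoAPI (SChannel) provider as in the steps above, and that $GcmThumbprint is a placeholder you replace with the thumbprint of your GCM certificate.

```powershell
# Added example, not from the MDM documentation: find the MachineKeys file that backs the
# GCM certificate by its key container name, then grant NETWORK SERVICE read access.
# Placeholder: $GcmThumbprint.

$GcmThumbprint = 'REPLACE_WITH_GCM_CERT_THUMBPRINT'

function Get-MachineKeyPath {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this computer" }

    # For CryptoAPI keys, PrivateKey is an RSA/DSA CryptoServiceProvider whose container info
    # carries the unique file name that the key occupies under MachineKeys.
    $csp = $cert.PrivateKey
    if (-not $csp.CspKeyContainerInfo) { throw 'Private key is not a CryptoAPI key; this script handles CAPI keys only' }
    $info = $csp.CspKeyContainerInfo
    if (-not $info.MachineKeyStore) { throw 'Key is in a user key store, not the machine store' }

    # CommonApplicationData resolves to "Documents and Settings\All Users\Application Data" on
    # Windows Server 2003 and to ProgramData on later versions, so the path is not hard-coded.
    $machineKeys = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
    $path = Join-Path $machineKeys $info.UniqueKeyContainerName
    if (-not (Test-Path $path)) { throw "Key file $path not found" }
    return $path
}

$keyFile = Get-MachineKeyPath -Thumbprint $GcmThumbprint
Write-Host "GCM private key file: $keyFile"

# Grant Read to the Network Service account, editing (/E) the existing ACL rather than replacing it.
& cacls.exe $keyFile /E /G 'NETWORK SERVICE:R'
if ($LASTEXITCODE -ne 0) { throw "cacls failed with exit code $LASTEXITCODE" }

# Print the resulting ACL so the new entry can be checked; no other accounts should have been removed.
& cacls.exe $keyFile
```

Resolving the file through CspKeyContainerInfo.UniqueKeyContainerName removes the guesswork about which key is newest, and printing the ACL afterwards lets you confirm that only the intended Read entry for Network Service was added.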