Requirements for Certification Authority Configuration

2/9/2009

Review the following requirements when you configure a certification authority that the MDM system components will access:

  • Enable issuing Secure Sockets Layer (SSL) certificates: After you run the Active Directory Configuration Tool (ADConfig) to create the certificate templates, you must enable the certification authority to issue those certificate templates. Otherwise, MDM will not automatically issue the certificates during setup. The ability to issue Web server SSL certificates is required so that all MDM certificates, including the certificates for managed Windows Mobile devices and for MDM system components, roll up to a single root certification authority. A rollup to a single root certification authority is required for MDM.
    Or, you can configure the certificates manually, and issue them from any certification authority, so long as it rolls up to the same root certification authority. For information on creating certificates manually, see Manual Certificate Procedures in the Technical Reference section of the MDM Deployment Guide.
  • Configure required client certificate renewal settings: You must enable the following settings on the certification authority to support client certificate renewal directly by using the certification authority server Web site:
  • Restart the MDM Enrollment Service NT service after updating group membership: If you add a new member to the CERTSVC_DCOM_ACCESS group, you must restart the MDM Enrollment Service (a Microsoft Windows NT service) on each server running MDM Enrollment Server. Restarting refreshes the Kerberos ticket on MDM Enrollment Server so that it includes the new group membership.
  • Make sure that Request Certificates permissions are configured: If you have changed the default permissions on the certification authority to disable Request Certificates for authenticated users, MDM Setup might be unable to obtain required certificates. To enable Setup to obtain certificates, you must manually grant Request Certificates permissions to the SCMDMServerAdmins group.
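The following PowerShell script is an added example, not part of the MDM Deployment Guide or of MDM itself. It walks the four requirements above on the issuing certification authority: it enables the named certificate templates if they are not already issued, lists the members of CERTSVC_DCOM_ACCESS, restarts the MDM Enrollment Service on each enrollment server you name, and dumps the CA security descriptor so you can confirm the Request Certificates (shown by certutil as "Enroll") permission. Assumptions: it runs in an elevated PowerShell session on the CA server where certutil.exe is available; the MDM template names created by ADConfig are supplied in the `$TemplateNames` parameter (only the built-in `WebServer` template is named here); the service is located by a display-name pattern (`*MDM Enrollment*`), which may not match your installation; and CERTSVC_DCOM_ACCESS is a domain local group, as on Windows Server 2008 domains (drop `/domain` for a local group on a stand-alone CA).

```powershell
<#
  Added example (not from the MDM Deployment Guide): checks and applies the
  CA-side requirements for MDM. Run elevated on the issuing CA.
  Assumptions are marked in the comments below.
#>
param(
    # Templates the CA must issue. Add the template names ADConfig created
    # (placeholders: not known here); 'WebServer' is the built-in Web Server template.
    [string[]]$TemplateNames = @('WebServer'),

    # Group whose members may enroll over DCOM (assumed domain local group).
    [string]$EnrollmentServerGroup = 'CERTSVC_DCOM_ACCESS',

    # Hostnames of servers running MDM Enrollment Server (constructed; supply your own).
    [string[]]$EnrollmentServers = @()
)

# 1. Enable the certificate templates on the CA.
#    'certutil -CATemplates' prints one line per issued template, starting with
#    the template name followed by a colon.
$issued = certutil -CATemplates 2>&1 | Out-String
foreach ($t in $TemplateNames) {
    if ($issued -match "(?m)^\s*$([regex]::Escape($t)):") {
        Write-Host "Template '$t' is already issued by this CA."
    } else {
        Write-Host "Enabling template '$t' ..."
        certutil -SetCATemplates "+$t" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certutil could not enable '$t' (exit code $LASTEXITCODE)."
        }
    }
}

# 2. Show who is in CERTSVC_DCOM_ACCESS. Every MDM Enrollment Server computer
#    account must be a member; review the list and add any that are missing.
Write-Host "`nMembers of ${EnrollmentServerGroup}:"
net localgroup $EnrollmentServerGroup /domain

# 3. Restart the MDM Enrollment Service on each enrollment server so that its
#    Kerberos ticket is reissued with the current group membership.
#    The display-name pattern is an assumption; adjust it to your installation.
foreach ($srv in $EnrollmentServers) {
    $svc = Get-Service -ComputerName $srv -DisplayName '*MDM Enrollment*' -ErrorAction SilentlyContinue
    if ($svc) {
        Restart-Service -InputObject $svc -Force
        Write-Host "Restarted '$($svc.DisplayName)' on $srv."
    } else {
        Write-Warning "No service matching '*MDM Enrollment*' found on $srv."
    }
}

# 4. Dump the CA's security descriptor. The Request Certificates right appears
#    as 'Allow Enroll' in certutil output; confirm that SCMDMServerAdmins (or
#    Authenticated Users, the default) holds it, and grant it in the
#    Certification Authority snap-in if it has been removed.
Write-Host "`nCA permissions (check for 'Allow Enroll' entries):"
certutil -v -getreg CA\Security
```

Run it once with only the template list to see what the CA currently issues, then again with `-EnrollmentServers` after you have changed CERTSVC_DCOM_ACCESS membership; the group listing and the permission dump are printed for review rather than changed automatically, so that CA permissions are only altered by an administrator who has looked at the current state.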