Prerequisites for Certificate Profiles in Configuration Manager


Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies only to System Center 2012 R2 Configuration Manager versions.

Certificate profiles in System Center 2012 Configuration Manager have external dependencies and dependencies in the product.

Dependencies External to Configuration Manager

Dependency

More information

An enterprise issuing certification authority (CA) that is running Active Directory Certificate Services (AD CS).

To revoke certificates, the issuing CA must be configured with the Issue and Manage Certificates permission for the site server at the top of the hierarchy.

Note

Manager approval for certificate requests is supported. However, the certificate templates that are used to issue certificates must be configured for Supply in the request for the certificate subject so that Configuration Manager can automatically supply this value.

For more information about Active Directory Certificate Services, see your Windows Server documentation.

The Network Device Enrollment Service role service for Active Directory Certificate Services, running on Windows Server 2012 R2.

In addition:

  • Port numbers other than TCP 443 (for HTTPS) or TCP 80 (for HTTP) are not supported for the communication between the client and the Network Device Enrollment Service.

  • The server that is running the Network Device Enrollment Service must be on a different server from the issuing CA.

Configuration Manager communicates with the Network Device Enrollment Service in Windows Server 2012 R2 to generate and verify Simple Certificate Enrollment Protocol (SCEP) requests.

If you will issue certificates to users or devices that connect from the Internet, such as mobile devices that are managed by Microsoft Intune, those devices must be able to access the server that runs the Network Device Enrollment Service from the Internet. For example, install the server in a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet).

If you have a firewall between the server that is running the Network Device Enrollment Service and the issuing CA, you must configure the firewall to allow the communication traffic (DCOM) between the two servers. This firewall requirement also applies to the server running the Configuration Manager site server and the issuing CA, so that Configuration Manager can revoke certificates.

If the Network Device Enrollment Service is configured to require SSL—a security best practice—make sure that connecting devices can access the certificate revocation list (CRL) to validate the server certificate.

For more information about the Network Device Enrollment Service in Windows Server 2012 R2, see Using a Policy Module with the Network Device Enrollment Service.
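The following PowerShell script is an added example, not part of the Configuration Manager documentation or product. Run from the server that will host the Network Device Enrollment Service, it checks several of the requirements above: that NDES is not co-located with the issuing CA, that the role service is installed, that the client-facing URL uses only TCP 443 or TCP 80, that the RPC endpoint mapper on the CA answers (a precondition for the DCOM traffic the firewall must allow), and, when SSL is used, that the CRL named in the NDES server certificate can be retrieved. The CA host name and NDES URL are placeholder assumptions.

```powershell
# Added example, not from the Configuration Manager documentation. Run on the server that
# will host the Network Device Enrollment Service (NDES). The CA host name and NDES URL are
# placeholders; replace them with your own values.
param(
    [string]$IssuingCaHost = 'ca01.corp.example',                                   # placeholder
    [string]$NdesUrl       = 'https://ndes.corp.example/certsrv/mscep/mscep.dll'   # placeholder
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. NDES must run on a different server from the issuing CA.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Add-Check 'NDES is not on the issuing CA' ($localFqdn -ne $IssuingCaHost) $localFqdn

# 2. The NDES role service (Windows feature ADCS-Device-Enrollment) must be installed.
$ndes = Get-WindowsFeature -Name ADCS-Device-Enrollment
Add-Check 'NDES role service installed' ($ndes.Installed)

# 3. Clients may reach NDES only on TCP 443 (HTTPS) or TCP 80 (HTTP).
$uri = [uri]$NdesUrl
$portOk = ($uri.Scheme -eq 'https' -and $uri.Port -eq 443) -or
          ($uri.Scheme -eq 'http'  -and $uri.Port -eq 80)
Add-Check 'NDES URL uses TCP 443 or TCP 80' $portOk "$($uri.Scheme):$($uri.Port)"

# 4. DCOM to the issuing CA: the RPC endpoint mapper (TCP 135) must pass any firewall.
#    DCOM also uses the dynamic RPC port range, which this single-port probe does not cover.
$dcom = Test-NetConnection -ComputerName $IssuingCaHost -Port 135 -WarningAction SilentlyContinue
Add-Check 'TCP 135 (RPC/DCOM) reachable on issuing CA' ($dcom.TcpTestSucceeded)

# 5. When NDES requires SSL, the CRL named in its server certificate must be retrievable.
if ($uri.Scheme -eq 'https') {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.DnsNameList.Unicode -contains $uri.Host } | Select-Object -First 1
    $cdp  = if ($cert) { $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } }  # CRL DPs
    Add-Check 'Server certificate with a CRL distribution point found' ($null -ne $cdp) $uri.Host
    if ($cdp) {
        $urls = [regex]::Matches($cdp.Format($false), 'URL=(http[^\s,]+)') |
                ForEach-Object { $_.Groups[1].Value }
        foreach ($u in $urls) {
            try   { $ok = (Invoke-WebRequest -Uri $u -UseBasicParsing -Method Head).StatusCode -eq 200 }
            catch { $ok = $false }
            Add-Check "CRL reachable: $u" $ok
        }
    }
}
$results | Format-Table -AutoSize
```

The CRL probe runs from the NDES server itself; repeat it from the network the connecting devices use (for example, the Internet side of the perimeter network) since that is the path the requirement is about.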

If the issuing CA runs Windows Server 2008 R2, this server requires a hotfix for SCEP renewal requests.

If the hotfix is not already installed on the issuing CA computer, install the hotfix. For more information, see article 2483564: Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES in the Microsoft Knowledge Base.

A PKI client authentication certificate and exported root CA certificate.

This certificate authenticates the server that is running the Network Device Enrollment Service to Configuration Manager.

For more information, see PKI Certificate Requirements for Configuration Manager.

Supported device operating systems.

You can deploy certificate profiles to devices that run iOS, Windows 8.1, Windows RT 8.1, and Android operating systems.

Configuration Manager Dependencies

Dependency

More information

Certificate registration point site system role

Before you can use certificate profiles, you must install the certificate registration point site system role. This role communicates with the Configuration Manager database, the Configuration Manager site server, and the Configuration Manager Policy Module.

For more information about system requirements for this site system role and where to install the role in the hierarchy, see the Configuration Manager documentation for site system roles.

Important

The certificate registration point must not be installed on the same server that runs the Network Device Enrollment Service.

Configuration Manager Policy Module that is installed on the server that is running the Network Device Enrollment Service role service for Active Directory Certificate Services

To deploy certificate profiles, you must install the Configuration Manager Policy Module. You can find this policy module on the Configuration Manager installation media.

Discovery data

Values for the certificate subject and the subject alternative name are supplied by Configuration Manager and retrieved from information that is collected from discovery.

  • For user certificates: Active Directory User Discovery

  • For computer certificates: Active Directory System Discovery and Network Discovery

For more information about discovery, see Planning for Discovery in Configuration Manager.

Specific security permissions to manage certificate profiles

You must have the following security permissions to manage company resource access settings, such as certificate profiles, Wi-Fi profiles and VPN profiles:

  • To view and manage alerts and reports for certificate profiles: Create, Delete, Modify, Modify Report, Read, and Run Report for the Alerts object.

  • To create and manage certificate profiles: Author Policy, Modify Report, Read and Run Report for the Certificate Profile object.

  • To manage Wi-Fi, certificate and VPN profile deployments: Deploy Configuration Policies, Modify Client Status Alert, Read, and Read Resource for the Collection object.

  • To manage all configuration policies: Create, Delete, Modify, Read and Set Security Scope for the Configuration Policy object.

  • To run queries related to certificate profiles: Read permission for the Query object.

  • To view certificate profiles information in the Configuration Manager console: Read permission for the Site object.

  • To view status messages for certificate profiles: Read permission for the Status Messages object.

  • To create and modify the Trusted CA certificate profile: Author Policy, Modify Report, Read and Run Report for the Trusted CA Certificate Profile object.

  • To create and manage VPN profiles: Author Policy, Modify Report, Read and Run Report for the VPN Profile object.

  • To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read and Run Report for the Wi-Fi Profile object.

The Company Resource Access Manager security role includes the permissions that are required to manage certificate profiles in Configuration Manager. For more information, see the Configure Role-Based Administration section in the Configuring Security for Configuration Manager topic.