SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates

Let us learn about SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates. I struggled to set up the PKI infrastructure in my lab environment. Setting up PKI infrastructure is not easy for SCCM admins.

However, when I tried the method explained in this post, I felt it was straightforward. This post will show how to set up lab PKI (Certificate Authority) infra for co-management.

We will also see how to set up Co-Management PKI and create the PKI certificates required for CMG and CDP.

I have a co-management post explaining PKI or CA certification requirements for CMG and CDP. I recommend reading the following post How to Setup Co-Management Introduction Prerequisites.

Patch My PC

Video Tutorial to Setup Co-Management PKI Certs

The following video tutorial explained how to Setup SCCM ConfigMgr Co-Management CA PKI Request Export Certificates.

SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates – Video 1

Co-Management PKI and Certificate Requirements

Co-management doesn’t have any PKI & certificate requirements. However, SCCM Cloud Management Gateway (CMG) and Cloud DP (CDP) have some PKI and certificate requirements. SCCM, CMG & CDP are required for most scenarios when an organization starts the journey of modern management.

Adaptiva

Setup Co-Management PKI is a very difficult steps if you don’t have PKI infra. In that case, you can try using the Public certificate.

Setup PKI/CA Feature Server 2012

Install the PKI or Certificate Authority(CA) on the 2012 server with the following PowerShell commands. I’m impressed with these two PowerShell commands. This is the easiest way to set up Co-Management PKI. Those two commands do everything for you.

SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates - Fig.1
SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates – Fig.1

Using Windows PowerShell, open Windows PowerShell, type the following command, and then press ENTER.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

After AD CS is installed, type the following command and press ENTER.

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

We can confirm whether the CA environment is working with the tool PKIVIEW.msc. More information about the health of the CA environment can be found in a quick check of the CA health health article.

How to Get Ready with Certificates Required for Co-Management (Setup Co-Management CA PKI)

In the video tutorial, I explain the step-by-step process for creating the certificates required for Co-management. Once you complete the setup of the Co-Management PKI, you can start configuring the certificates. (SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates)

  1. Create Management Self-Signed Certificate (Upload to Azure Portal)

We need to create a management self-signed certificate for Azure Cloud DP installation. For SCCM CMG, this is not required when you use ARM instead of the classic deployment method (only available SCCM 1802 or later).

I recommend reading the prerequisite post for more details about CMG and CDP cert requirements. You can also read more information about Azure management certificates.

The PowerShell command can create the management certs for CMG (optional) & CMD.

– $cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation “cert:\LocalMachine\My” -KeyLength 2048 -KeySpec “KeyExchange” $password = ConvertTo-SecureString -String “your-password” -Force -AsPlainText – PfxCertificate -Cert $cert -FilePath “.\my-cert-file.pfx” -Password $password – Export-Certificate -Type CERT -Cert $cert -FilePath .\my-cert-file.cer

  • 2. Create Duplicate Certificate Templates for Web Server and Workstation Certs

In this section, we will see how to create duplicate certificate templates for:-

  • Web server Auth certificate for SCCM site systems that run IIS
  • Web Server Auth service certificate for CDP/CMG
  • Workstation Authentication certificate

The video tutorial explains the process of creating duplicate certificate templates. I recommend reading the Microsoft documentation(CDP) for more details about duplicate templates.

Please note there are a couple of changes for CMG certs. I recommend reading the Microsoft documentation (CMG) to have more details. I have shown the exact steps in the Video Tutorial as well.

  • 3. Group Policy to Deploy Client Certificate

In the video tutorial, I have shown how to create a group policy to deploy client certificates to all the domain-joined devices. 

Use Group Policy to configure the Workstation Authentication template’s autoenrollment. See the Microsoft documentation for more details on creating Group Policy.

  • 4. Request the Custom Web Server Certificate

Request the custom web server certificate for CMG, CDP, and SCCM site Servers IIS. This procedure requests and then installs the custom web server certificate on the member server that will run the site server.

I recommend reading Microsoft documentation  (CDP/IIS) to learn more about the process. Also, keep reading about CMG documentation. I have a video tutorial that shows how to request custom web server certificates for CMG, CDP, and IIS. (SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates)

5. Export the Custom Web Server & Root CA Certificate

Export the custom web server certificate for CDP, CMG, Root CA, and SCCM site Servers. 

This procedure exports the custom web server certificate to a file to be imported when you create the cloud-based distribution point, Cloud Management Gateway, Root CA, and IIS.

I recommend reading Microsoft documentation (CDP/IIS) to learn more about the process. Also, keep reading about CMG documentation. I have a video tutorial that shows how to request custom web server certificates for CMG, CDP, Root CA, and IIS.

We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

1 thought on “SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates”

  1. Please describe Infra setup used for Co-management like site servers where certs needs to be imported.
    Are you using separate site for CMG/CDP ?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.