Let us learn about SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates. I struggled to set up the PKI infrastructure in my lab environment. Setting up PKI infra is not a very easy task for SCCM admins.
But, I felt that it was straightforward when I tried the method explained in this post. In this post, we will see how to set up lab PKI (Certificate Authority) infra for co-management.
Also, we will see how to set up Co-Management PKI and create PKI certificates required for CMG & CDP.
Co-Management Related Posts
- Overview Windows 10 Co-Management with Intune and SCCM
- Custom Report to Identify Machines Connected via SCCM CMG
- How to Setup Co-Management - Introduction - Prerequisites Part 1
- How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2
- Setup Co-Management - AAD Connect UPN Suffix Part 3
- Setup Co-Management - CA PKI & Certificates Part 4 (This Post)
- Setup Co-Management Cloud DP Azure Blob Storage Part 5
- Setup Co-Management Azure Cloud Services CMG Part 6
- SCCM Configure Settings for Client PKI certificates Part 7
- How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
- How to Deploy SCCM Client from Intune - Co-Management - Part 9
- End User Experience of Windows 10 Co-Management - Part 10
Content of this Post
- Video Tutorial to Setup Co-Management PKI Certs
- Co-Management PKI and Certificate Requirements
- Setup PKI/CA Feature Server 2012
- How to Get Ready with Certificates Required for Co-Management
  – Create Management Self Signed Certificate (Upload to Azure Portal)
  – Create Duplicate Certificate Templates for Web Server and Workstation Certs
  – Group Policy to Deploy Client certificate
  – Export the Custom Web Server & Root CA Certificate
Video Tutorial to Setup Co-Management PKI Certs
Co-Management PKI and Certificate Requirements
Co-management doesn’t have any PKI & certificate requirements. However, SCCM Cloud Management Gateway (CMG) and Cloud DP (CDP) have some PKI and certificate requirements. SCCM, CMG & CDP are required for most scenarios when an organization starts the journey of modern management.
I have a co-management post explaining the PKI or CA certificate requirements for CMG and CDP. I recommend reading the following post: How to Setup Co-Management Introduction Prerequisites.
Setting up the Co-Management PKI is the most difficult step if you don’t already have PKI infra. In that case, you can try to use a public certificate instead.
Setup PKI/CA Feature Server 2012
Install the PKI or Certificate Authority (CA) role on a Windows Server 2012 server with the following two PowerShell commands. I’m impressed with these two PowerShell commands: this is the easiest way to set up the Co-Management PKI, and they do everything for you.
Open Windows PowerShell, type the following command, and then press ENTER.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
After AD CS is installed, type the following command and press ENTER.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
We can confirm whether the CA environment is working with the PKIVIEW.msc tool. The quick check on CA health article has more information about verifying the health of the CA environment.
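The two commands above accept the CA defaults. The following script is an added example, not code from the original post: it installs the same role with explicit cryptographic settings and then verifies the CA from PowerShell instead of opening PKIVIEW.msc by hand. The CA name LAB-ROOT-CA is a placeholder, and the script assumes it runs elevated, as an Enterprise Admin, on a domain-joined Windows Server 2012 (or later) machine.

```powershell
# Added example (not from the original post): Enterprise Root CA install with
# explicit crypto settings plus a scripted health check.
# Assumptions: run elevated as an Enterprise Admin on a domain-joined server;
# "LAB-ROOT-CA" is a placeholder CA common name.

$caName = "LAB-ROOT-CA"   # placeholder

# 1. Same role and management tools the post installs
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

# 2. Configure the CA. Pinning the provider, key length, hash and validity
#    means the lab root is not left on whatever the installer defaults to,
#    and a SHA256 root avoids clients rejecting the chain later.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $caName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# 3. Health check: the enrollment interface must answer
$config = "$env:COMPUTERNAME\$caName"
$ping = certutil -ping -config $config 2>&1
if ($LASTEXITCODE -ne 0) { throw "CA did not answer certutil -ping: $ping" }
$ping

# 4. The enterprise root certificate should now be in the Trusted Root store
#    (its subject carries the domain DN suffix, hence the wildcard match)
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$caName*" }
if (-not $root) { throw "Root CA certificate not found in Cert:\LocalMachine\Root" }

# 5. Confirm the signature algorithm and key size actually came out as requested
if ($root.SignatureAlgorithm.FriendlyName -notmatch "sha256") {
    throw "Root CA is not signed with SHA256: $($root.SignatureAlgorithm.FriendlyName)"
}
if ($root.PublicKey.Key.KeySize -lt 4096) {
    throw "Root CA key is only $($root.PublicKey.Key.KeySize) bits"
}
"Root CA '$caName' is healthy. Thumbprint: $($root.Thumbprint)"
```

The last two checks matter because the thumbprint of this root is what you will later distribute to CMG, CDP and clients; catching a wrong algorithm here is far cheaper than re-issuing every certificate after the cloud services are built.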
How to Get Ready with Certificates Required for Co-Management
I have explained the step-by-step process to create the certs required for Co-management in the video tutorial. Once you complete the setup of Co-Management PKI, then you can start configuring the certs.
1. Create Management Self Signed Certificate (Upload to Azure Portal)
We need to create a management self-signed certificate for the Azure Cloud DP installation. For SCCM CMG, this is not required when you use the Azure Resource Manager (ARM) deployment method instead of the classic deployment method (ARM deployment is available only in SCCM 1802 or later).
I recommend reading the prerequisite post to get more details about CMG and CDP cert requirements. Read more information about Azure management certificates.
The following PowerShell commands create the management certificate for CMG (optional) and CDP.
# Create the self-signed management certificate in the local machine store
$cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange"
# Password that protects the exported PFX (replace your-password)
$password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText
# Export the certificate with its private key (PFX) for use in the SCCM console
Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password
# Export the public certificate (CER) to upload to the Azure portal
Export-Certificate -Type CERT -Cert $cert -FilePath .\my-cert-file.cer
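The commands above hard-code the PFX password in the script. The script below is an added example, not the post's own code: it creates the same management certificate, reads the password from a prompt instead of a literal, exports both files, and then verifies that the .cer handed to the Azure portal contains only the public key while the .pfx still opens with the private key. The DNS name and the C:\Certs output folder are placeholders.

```powershell
# Added example (not from the original post): management certificate with a
# prompted password and post-export verification.
# Assumptions: "yourdomain.cloudapp.net" and C:\Certs are placeholders; run elevated.

$dnsName = "yourdomain.cloudapp.net"   # placeholder
$outDir  = "C:\Certs"                  # placeholder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Weak pattern (avoid): the password sits in the script, so it ends up in
# source control, backups and shell history.
# $password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText

# Corrected: prompt for it, so the value never exists as plain text on disk.
$password = Read-Host -Prompt "Password for the exported PFX" -AsSecureString

$cert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyLength 2048 `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)   # explicit expiry: plan the rotation now

$pfxPath = Join-Path $outDir "management-cert.pfx"   # private key, stays on the SCCM side
$cerPath = Join-Path $outDir "management-cert.cer"   # public key, uploaded to Azure

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath -Type CERT        | Out-Null

# Check 1: the CER must carry no private key and must be the same certificate
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($public.HasPrivateKey)                    { throw "CER unexpectedly contains a private key" }
if ($public.Thumbprint -ne $cert.Thumbprint)  { throw "CER thumbprint does not match the new certificate" }

# Check 2: the PFX opens with the supplied password and does contain the private key
$private = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password)
if (-not $private.HasPrivateKey)              { throw "PFX has no private key" }

# Check 3: lock the PFX down on disk; the CER can be shared freely
$acl = Get-Acl $pfxPath
$acl.SetAccessRuleProtection($true, $false)            # drop inherited ACEs
foreach ($id in "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, "FullControl", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pfxPath -AclObject $acl

"Thumbprint to compare against the Azure portal after upload: $($cert.Thumbprint)"
```

Compare the printed thumbprint with the one the Azure portal shows after you upload the .cer; a mismatch means the wrong file was uploaded and the CDP deployment will fail to authenticate.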
2. Create Duplicate Certificate Templates for Web Server and Workstation Certs
In this section, we will see how to create duplicate certificate templates for:
- Web server Auth certificate for SCCM site systems that run IIS
- Web Server Auth service certificate for CDP/CMG
- Workstation Authentication certificate
I have explained the duplicate certificate template creation process in the video tutorial. I recommend reading through the Microsoft documentation (CDP) to get more details about duplicate templates.
3. Group Policy to Deploy Client certificate
In the video tutorial, I have shown how to create a group policy to deploy client certificates to all the domain-joined devices.
4. Request the Custom Web Server Certificate
Request the custom web server certificate for CMG, CDP, and the IIS site systems on the SCCM site servers. This procedure requests and then installs the custom web server certificate on the member server that will run the site server.
I would recommend reading the Microsoft documentation (CDP/IIS) to learn more about the process. Also, read the CMG documentation. I have a video tutorial that shows how to request the custom web server certificates for CMG, CDP, and IIS.
5. Export the Custom Web Server & Root CA Certificate
Export the custom web server certificate for CDP, CMG, and the SCCM site servers, together with the Root CA certificate.
This procedure exports the custom web server certificate to a file so that it can be imported when you create the cloud-based distribution point and the Cloud Management Gateway, and when you configure IIS; the Root CA certificate is exported the same way.
I would recommend reading the Microsoft documentation (CDP/IIS) to learn more about the process. Also, read the CMG documentation. I have a video tutorial that shows how to request the custom web server certificates for CMG, CDP, Root CA, and IIS.
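Steps 4 and 5 above (request the web server certificate from the duplicated template, then export it together with the Root CA certificate) can be driven from PowerShell. The script below is an added example, not the post's or Microsoft's code: it enrolls from the template, checks the issued certificate for the properties CMG, CDP and IIS depend on (private key, Server Authentication EKU, the service name in the SAN, a chain that builds to the root), and only then exports the PFX and the Root CA .cer. The template name SCCMWebServer, the CA name, the service FQDN and the C:\Certs folder are placeholders; it assumes it runs elevated on the server that will hold the certificate.

```powershell
# Added example (not from the original post): request, verify and export the
# custom web server certificate and the Root CA certificate.
# Assumptions: "SCCMWebServer" is the name of your duplicated Web Server template,
# the FQDN and C:\Certs are placeholders; run elevated on the target server.

$template = "SCCMWebServer"                 # placeholder: duplicated Web Server template
$fqdn     = "cmg.yourdomain.cloudapp.net"   # placeholder: CMG/CDP service name
$outDir   = "C:\Certs"                      # placeholder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Request from the enterprise CA and install into the machine store (step 4)
$result = Get-Certificate -Template $template `
                          -SubjectName "CN=$fqdn" `
                          -DnsName $fqdn `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne "Issued") {
    throw "Request was not issued (status: $($result.Status)). Check template permissions and publication on the CA."
}
$cert = $result.Certificate

# 2. Sanity checks before the certificate goes anywhere
if (-not $cert.HasPrivateKey) { throw "Issued certificate has no private key" }
if ($cert.PublicKey.Key.KeySize -lt 2048) { throw "Key is only $($cert.PublicKey.Key.KeySize) bits" }

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is what CMG, CDP and IIS require
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" }
if (-not $serverAuth) { throw "Certificate lacks the Server Authentication EKU; fix the duplicated template" }

# The service name must be present in the Subject Alternative Name
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san -or ($san.Format($false) -notmatch [regex]::Escape($fqdn))) {
    throw "SAN does not contain $fqdn"
}

# The chain must build up to the enterprise root. Revocation is skipped here only
# for this local check; the real CMG clients will fetch the CRL, so the CDP
# location on the CA still has to be reachable from the internet.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    throw "Chain does not build: $(($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')"
}
$rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# 3. Export (step 5). Export-PfxCertificate fails if the template did not allow
#    the private key to be exported, which is itself a useful signal.
$password = Read-Host -Prompt "Password for the exported PFX" -AsSecureString
$pfxPath  = Join-Path $outDir "$fqdn.pfx"
$rootPath = Join-Path $outDir "root-ca.cer"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null
Export-Certificate    -Cert $rootCert -FilePath $rootPath -Type CERT      | Out-Null

[pscustomobject]@{
    WebServerThumbprint = $cert.Thumbprint
    WebServerExpires    = $cert.NotAfter
    RootCASubject       = $rootCert.Subject
    RootCAThumbprint    = $rootCert.Thumbprint
    PfxFile             = $pfxPath
    RootCerFile         = $rootPath
}
```

The object printed at the end is what you carry into the CMG and CDP wizards: the PFX for the service certificate and the root .cer for the trusted root list. Keep the PFX under the same access restrictions as any other private key material; only the root .cer is safe to distribute widely.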