I struggled to set up the PKI infrastructure in my lab environment. Setting up PKI infra is not an easy task for SCCM admins, but I found it straightforward when I used the method explained in this post. In this post, we will see how to set up lab PKI (Certificate Authority) infra for co-management. We will also see how to set up Co-Management PKI and create the PKI certificates required for CMG and CDP.
Table of Contents
Co-Management Related Posts
All Co-Management video tutorials in one post here.
- Overview Windows 10 Co-Management with Intune and SCCM
- Custom Report to Identify Machines Connected via SCCM CMG
- How to Setup Co-Management - Introduction - Prerequisites Part 1
- How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2
- Setup Co-Management - AAD Connect UPN Suffix Part 3
- Setup Co-Management - CA PKI & Certificates Part 4 (This Post)
- Setup Co-Management Cloud DP Azure Blob Storage Part 5
- Setup Co-Management Azure Cloud Services CMG Part 6
- SCCM Configure Settings for Client PKI certificates Part 7
- How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
- How to Deploy SCCM Client from Intune - Co-Management - Part 9
- End User Experience of Windows 10 Co-Management - Part 10
Content of this Post
- Video Tutorial to Setup Co-Management PKI Certs
- Co-Management PKI and Certificate Requirements
- Setup PKI/CA Feature Server 2012
- How to Get Ready with Certificates Required for Co-Management
  - Create Management Self Signed Certificate (Upload to Azure Portal)
  - Create Duplicate Certificate Templates for Web Server and Workstation Certs
  - Group Policy to Deploy Client certificate
  - Export the Custom Web Server & Root CA Certificate
Video Tutorial to Setup Co-Management PKI Certs
Co-Management PKI and Certificate Requirements
Co-management itself doesn’t have any PKI or certificate requirements. However, SCCM Cloud Management Gateway (CMG) and Cloud DP (CDP) do have PKI and certificate requirements, and SCCM CMG and CDP are required in most scenarios when an organisation starts its modern management journey.
I have a co-management post that explains the PKI/CA certificate requirements for CMG and CDP; I would recommend reading How to Setup Co-Management Introduction Prerequisites. Setting up Co-Management PKI is the most difficult step if you don’t have PKI infra. In that case, you can use a public certificate instead.
Setup PKI/CA Feature Server 2012
Install the PKI or Certificate Authority (CA) role on a Server 2012 server with the following PowerShell commands. I’m really impressed with these two PowerShell commands: this is the easiest way to set up Co-Management PKI, and those two commands do everything for you.
To do this with Windows PowerShell, open Windows PowerShell, type the following command, and press ENTER.
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
After AD CS is installed, type the following command and press ENTER.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
We can confirm whether the CA environment is working with the PKIVIEW.msc tool. More information about the health of the CA environment is in the quick check on CA health article.
How to Get Ready with Certificates Required for Co-Management
I have explained the step-by-step process to create the certs required for co-management in the video tutorial. Once you complete the setup of Co-Management PKI, you can start configuring the certs.
1. Create Management Self Signed Certificate (Upload to Azure Portal)
We need to create a management self-signed certificate for the Azure Cloud DP installation. For SCCM CMG this is not required when you use ARM instead of the classic deployment method (only available in SCCM 1802 or later). I would recommend reading the prerequisite post for more details about CMG and CDP cert requirements. Read more details about Azure management certificates.
The following PowerShell commands create the management cert for CMG (optional) and CDP.
# Create the self-signed management certificate in the local machine Personal store
$cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange"
# Password that protects the private key in the exported .pfx
$password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText
# Export with the private key (.pfx) for the SCCM console, and without it (.cer) for the Azure portal
Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password
Export-Certificate -Type CERT -Cert $cert -FilePath .\my-cert-file.cer
2. Create Duplicate Certificate Templates for Web Server and Workstation Certs
In this section, we will see how to create duplicate certificate templates for:
- Web server Auth certificate for SCCM site systems that run IIS
- Web Server Auth service certificate for CDP/CMG
- Workstation Authentication certificate
I have explained the end-to-end duplicate certificate template creation process in the video tutorial. I would recommend reading through the Microsoft documentation (CDP) for more details about duplicate templates.
3. Group Policy to Deploy Client certificate
I have shown in the video tutorial how to create a Group Policy to deploy the client certificate to all domain-joined devices. Configure autoenrollment of the Workstation Authentication template by using Group Policy. See the Microsoft documentation for more details on Group Policy creation.
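Once the autoenrollment GPO has applied, a quick way to confirm that a workstation actually received its client certificate from the lab CA is to trigger autoenrollment and then look for a machine certificate with the Client Authentication EKU issued by that CA. This is an added example, not code from the original post; the CA name "LAB-ROOT-CA" is a placeholder.

```powershell
# Added example, not from the original post: on a domain-joined workstation,
# trigger autoenrollment and confirm that a Workstation Authentication
# certificate issued by the lab CA has landed in the machine store.
# Assumption: the CA's common name is "LAB-ROOT-CA" (placeholder).

$caName        = "LAB-ROOT-CA"          # placeholder: replace with your CA name
$clientAuthOid = "1.3.6.1.5.5.7.3.2"    # Client Authentication EKU

# Kick off the autoenrollment task now instead of waiting for the next cycle.
certutil -pulse
Start-Sleep -Seconds 10

# Machine certs from our CA that carry the Client Authentication EKU.
$clientCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "CN=$caName*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if (-not $clientCerts) {
    Write-Warning ("No Workstation Authentication certificate from $caName found. " +
        "Check the GPO autoenrollment setting and that Domain Computers have " +
        "Enroll and Autoenroll permissions on the duplicated template.")
} else {
    $clientCerts | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
        Format-Table -AutoSize
}
```

HasPrivateKey should be True for every listed certificate; a cert without its private key will not work for client authentication to CMG.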
4. Request the Custom Web Server Certificate
Request the custom web server certificate for CMG, CDP, and the SCCM site servers’ IIS. This procedure requests and then installs the custom web server certificate on the member server that will run the site server.
I would recommend reading the Microsoft documentation (CDP/IIS) to learn more about the process. Also, keep reading the CMG documentation. I have a video tutorial that shows how to request the custom web server certificates for CMG, CDP, and IIS.
5. Export the Custom Web Server & Root CA Certificate
Export the custom web server certificate for CDP, CMG, and the SCCM site servers, together with the Root CA certificate. This procedure exports the certificates to files so that they can be imported when you create the cloud-based distribution point and the Cloud Management Gateway, and when you configure IIS.
I would recommend reading the Microsoft documentation (CDP/IIS) to learn more about the process. Also, keep reading the CMG documentation. I have a video tutorial that shows how to export the custom web server certificates for CMG, CDP, Root CA, and IIS.
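Sections 4 and 5 together can be scripted from the server that will host the CDP/CMG: request the web server certificate from the lab Enterprise CA with the duplicated template, check it before exporting, then export the .pfx (with private key) for the wizard and the Root CA .cer. This is an added example, not code from the original post; the template name, service FQDN and export folder are placeholders.

```powershell
# Added example, not from the original post: request a web server certificate
# from the lab Enterprise CA using the duplicated template, then export the
# .pfx (with private key) for the CDP/CMG wizard and the Root CA .cer.
# Assumptions (placeholders): template name "SCCMWebServer" (the template's
# name, not its display name), service FQDN "cdp.contoso.com", folder C:\Certs.

$templateName = "SCCMWebServer"      # placeholder
$serviceFqdn  = "cdp.contoso.com"    # placeholder: the CDP/CMG service FQDN
$exportDir    = "C:\Certs"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Request from the Enterprise CA through the AD enrollment policy.
$result = Get-Certificate -Template $templateName -DnsName $serviceFqdn `
    -SubjectName "CN=$serviceFqdn" -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Request not issued (status: $($result.Status)). Check template permissions and CA reachability."
}
$webCert = $result.Certificate

# 2. Sanity checks before exporting: Server Authentication EKU present and a
#    chain that builds to a trusted root on this machine.
$serverAuthOid = "1.3.6.1.5.5.7.3.1"
if (-not ($webCert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })) {
    throw "Issued certificate lacks the Server Authentication EKU; check the duplicated template."
}
if (-not $webCert.Verify()) { throw "Chain validation failed for $($webCert.Thumbprint)." }

# 3. Export the web server cert WITH its private key (.pfx).
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $webCert -FilePath "$exportDir\$serviceFqdn.pfx" `
    -Password $pfxPassword | Out-Null

# 4. Export the Root CA public certificate (.cer, no private key). With an
#    Enterprise Root CA the issuer of the web cert is the root itself.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $webCert.Issuer } | Select-Object -First 1
Export-Certificate -Cert $rootCa -FilePath "$exportDir\RootCA.cer" -Type CERT | Out-Null

Get-ChildItem $exportDir
```

The .pfx file should only exist on the server that needs it and in the SCCM console import; the Root CA .cer carries no private key and is safe to distribute.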