SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates

Let us learn about SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates. I struggled to set up the PKI infrastructure in my lab environment. Setting up PKI infra is not a very easy task for SCCM admins.

But, I felt that it was straightforward when I tried the method explained in this post. In this post, we will see how to set up lab PKI (Certificate Authority) infra for co-management.

Also, we will see how to set up Co-Management PKI and create PKI certificates required for CMG & CDP.

Co-Management Related Posts

All Co-Management Video tutorials in one post.

Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG  
How to Setup Co-Management - Introduction - Prerequisites Part 1 
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 
Setup Co-Management - CA PKI & Certificates Part 4 (This Post)
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6
SCCM Configure Settings for Client PKI certificates Part 7
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9
End User Experience of Windows 10 Co-Management - Part 10

Content of this Post

Video Tutorial to Setup Co-Management PKI Certs
Co-Management PKI and Certificate Requirements
Setup PKI/CA Feature Server 2012
How to Get Ready with Certificates Required for Co-Management
  1. Create Management Self Signed Certificate (Upload to Azure Portal)
  2. Create Duplicate Certificate Templates for Web Server and Workstation Certs
  3. Group Policy to Deploy Client certificate
  4. Request the Custom Web Server Certificate
  5. Export the Custom Web Server & Root CA Certificate

Video Tutorial to Setup Co-Management PKI Certs


Co-Management PKI and Certificate Requirements

Co-management doesn’t have any PKI & certificate requirements. However, SCCM Cloud Management Gateway (CMG) and Cloud DP (CDP) have some PKI and certificate requirements. SCCM, CMG & CDP are required for most scenarios when an organization starts the journey of modern management.

I have a co-management post explaining the PKI or CA certificate requirements for CMG and CDP. I recommend reading the following post first: How to Setup Co-Management Introduction Prerequisites.

Setting up PKI for co-management is the most difficult step if you don't already have PKI infra. In that case, you can use a public certificate instead.


Setup PKI/CA Feature Server 2012

Install the PKI or Certificate Authority (CA) role on the Windows Server 2012 server with the following PowerShell commands. I'm impressed with these two PowerShell commands. This is the easiest way to set up Co-Management PKI; those two commands do everything for you.

Open Windows PowerShell, type the following command, and then press ENTER.

Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

After AD CS is installed, type the following command and press ENTER.

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA

We can confirm whether the CA environment is working with the tool PKIVIEW.msc. For more about the health of the CA environment, see the quick CA health check article.

How to Get Ready with Certificates Required for Co-Management

I have explained the step-by-step process to create the certs required for Co-management in the video tutorial. Once you complete the setup of Co-Management PKI, then you can start configuring the certs.

1. Create Management Self Signed Certificate (Upload to Azure Portal)

We need to create a management self-signed certificate for Azure Cloud DP installation. For SCCM CMG, this is not required when you use ARM instead of the classic deployment method (ARM deployment is available in SCCM 1802 or later).

I recommend reading the prerequisite post to get more details about CMG and CDP cert requirements. Read more information about Azure management certificates.

The following PowerShell commands create the management certificate for CDP (and for CMG, where it is still needed), then export it as a PFX (with private key, for the Cloud DP/CMG wizard) and as a .cer (public key only, for upload to the Azure portal).

$cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange"
$password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password
Export-Certificate -Type CERT -Cert $cert -FilePath .\my-cert-file.cer

2. Create Duplicate Certificate Templates for Web Server and Workstation Certs

In this section, we will see how to create duplicate certificate templates for:

  • Web server Auth certificate for SCCM site systems that run IIS
  • Web Server Auth service certificate for CDP/CMG
  • Workstation Authentication certificate

I have explained the duplicate certificate template creation process in the video tutorial. I recommend reading through the Microsoft documentation (CDP) to get more details about duplicate templates.

Please note there are a couple of changes for CMG certs. I recommend reading the Microsoft documentation (CMG) to have more details. I have shown the exact steps in the Video Tutorial as well.

3. Group Policy to Deploy Client certificate

In the video tutorial, I have shown how to create a group policy to deploy client certificates to all the domain-joined devices.

Configure autoenrollment of the Workstation Authentication template by using Group Policy. See the Microsoft documentation for more details on creating the Group Policy.

4. Request the Custom Web Server Certificate

Request the custom web server certificate for CMG, CDP, and the SCCM site servers running IIS. This procedure requests and then installs the custom web server certificate on the member server that will run the site server.

I would recommend reading the Microsoft documentation (CDP/IIS) to learn more about the process. Also, keep reading the CMG documentation. I have a video tutorial that shows how to request the custom web server certificates for CMG, CDP, and IIS.

5. Export the Custom Web Server & Root CA Certificate

Export the custom web server certificate for CDP, CMG, and the SCCM site servers, and export the Root CA certificate.

This procedure exports the custom web server certificate to a file so that it can be imported when you create the cloud-based distribution point and Cloud Management Gateway, and exports the Root CA certificate for the same wizards and for IIS.

I would recommend reading Microsoft documentation (CDP/IIS) to learn more about the process. Also, keep reading about CMG documentation. I have a video tutorial that shows how to request the custom web server certificates for CMG, CDP, Root CA, and IIS.
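As an added example (not from the original post or from Microsoft's documentation), the request and export steps above in one PowerShell script: enroll the web server certificate from the duplicated template, check it before exporting, export it as PFX for CMG/CDP, export the Root CA certificate as .cer, and confirm the chain. The template name, service FQDN, CA name and export folder are placeholders for your own lab.

```powershell
# Added example, not the post's own code. Placeholders (adjust to your lab):
$TemplateName = "ConfigMgrWebServer"        # duplicated Web Server template name
$ServiceFqdn  = "yourdomain.cloudapp.net"   # CMG/CDP service FQDN
$RootCaName   = "YourLabRootCA"             # common name of the enterprise root CA
$ExportDir    = "C:\CMGCerts"

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# 1. Request the web server certificate from the enterprise CA into the machine store.
#    Run on a domain-joined server whose computer account may enroll on the template.
$enrollment = Get-Certificate -Template $TemplateName -DnsName $ServiceFqdn `
    -SubjectName "CN=$ServiceFqdn" -CertStoreLocation "Cert:\LocalMachine\My"
if ($enrollment.Status -ne "Issued") {
    throw "Enrollment did not complete: status $($enrollment.Status)"
}
$webCert = $enrollment.Certificate

# 2. Checks before exporting: private key present, Server Authentication EKU, not expired.
if (-not $webCert.HasPrivateKey) { throw "Web server cert has no private key; check the template" }
$eku = $webCert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.1" }
if (-not $eku) { throw "Certificate lacks the Server Authentication EKU" }
if ($webCert.NotAfter -lt (Get-Date)) { throw "Certificate is already expired" }

# 3. Export the web server certificate with its private key (PFX) for the CMG/CDP wizard.
#    The password is prompted for rather than hard-coded in the script.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $webCert -FilePath "$ExportDir\$ServiceFqdn.pfx" -Password $pfxPassword | Out-Null

# 4. Export the Root CA certificate (public part only) from the Trusted Root store as DER .cer.
$rootCert = Get-ChildItem "Cert:\LocalMachine\Root" |
    Where-Object { $_.Subject -like "CN=$RootCaName*" -and $_.Subject -eq $_.Issuer } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $rootCert) { throw "Root CA '$RootCaName' not found in the Trusted Root store" }
Export-Certificate -Type CERT -Cert $rootCert -FilePath "$ExportDir\$RootCaName.cer" | Out-Null

# 5. Confirm the web server certificate chains to that root before uploading anything.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($webCert)) { throw "Chain build failed: $($chain.ChainStatus.Status -join ', ')" }
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $rootCert.Thumbprint) { throw "Web cert does not chain to $RootCaName" }
Write-Host "Exported $ServiceFqdn.pfx and $RootCaName.cer to $ExportDir (root thumbprint $($rootCert.Thumbprint))"
```

Keep the PFX file and its password off shared locations once it has been uploaded; only the .cer files need to travel to other servers.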

1 thought on “SCCM ConfigMgr Setup Co-Management CA PKI Request Export Certificates”

  1. Please describe the infra setup used for co-management, like the site servers where certs need to be imported.
    Are you using a separate site for CMG/CDP?

