In this post, I will explained how I converted my existing Configuration Manager communication from HTTP to HTTPS. In this implementation, I have only one management point which serves both internet and intranet clients. I am assuming you already have an Active Directory Enterprise Certification Authority in your environment. 

 

 

First We need to make sure CRL files are accesible over HTTP. So We will configure CRL Distribution Point. Normally, you shouldn't do this on issuing CA for security purposes. CRL should be published on a seperate system designated for that role.

Start Certification Authority and right click yourorganization.SERVER-CA

Select Extensions tab and select http://.... from the CDP List.

Make sure you also select Include in CRLs and Include in the CDP extension of issued certificates checkboxes.

 

Click Apply and OK. Restart the Active Directory Certificate Services.

 

We need 3 certificates for Configuration Manager HTTPS communication. Now we will create them.

a-Web Server Certificate

b-Client Certificate

c-Client Certificate for Distribution Points

 

Web Server Certificate:

This certificate will be used by Configuration site systems. Lets start creating a security group and add our site systems which run IIS as  members of this group. 

 

 

 

Open up Certification Authority and right click the Certificate Templates choose Manage.

 

Right click the Web Server certificate template and choose Duplicate Template

 

Select Windows Server 2003 Enterprise

 

Give a name to the new certificate template

 

 

Open Request Handling Tab and make sure  Supply in the request radio button is selected

 

 

 Click the Security Tab, remove Enroll from Domain and Enterprise Admins Group.

 

 

 

 

Click Add button and add SCCM Site Servers Group. Make sure Enroll and Read permissions are selected for this group. Apply and OK.

 

Close the window and return to main window of Certification Authority Console. Right click Certificate Template, select New, Choose Certificate template to Issue.

 

In Enable Certificate Templates window, Select the new template you just created. We are finished with CA fro now.

 

 

 

Request Web Certificate for IIS:

These procedure must be done on your IIS Server. Restart your IIS Server in order to make Server to get the new certificate template (ConfigMgrWebCertificate). Then start a MMC console Add certificate Snap-In for Computer Account.

 

 

 

 Choose Local Computer

 

 

 

Right click the Personal/Certificates/All Tasks/Request New Certificate

 

 On Select Certificate Enrollment Policy page, just click Next

 

 

Click the "More Information is required..." link

 

 

Under the Subject Tab, Change Alternative name Type as DNS. Type your local site server address into Value box and click Add. Then type your  internet site server address into Value box and click Add. Click Apply and Ok

 

 

 

Select web server certificate and click the Enroll button.

 

 

Configuring IIS:

We need to bind the installed certificate to the Default Web Site. On our Site System on which IIS runs, open control panel and select Administrative Tools and start IIS. Right click on Default Web Site and select "Edit Bindings".

 

 

 Select https and click Edit.

 

 

 

Select the certificate that we created for Web Server and click OK. Close IIS.

 

 

At this point, we need to create 2 more certificates. In Part 2, I am going to show you how to create Client Certificate step by step. 

 

ennlfrdeitptruestr

Hylafax Installation on Debian

Easy to start HylaFAX is a free linux-based fax server. It is used by many companies worldwide. In this article, we are going to install and configure HylaFAX.

More...

Creating Multiple Users on Active Directory

Docs / SupportIf you are working in an organization which receives a lot new users on several periods of the year, then you should handle creation of domain users  with the help of Powershell. 

More...

How To Change Default Computer OU

Native RTL SupportWhen you join a computer to the domain, Computer Object is created and placed in Default Computer Container which is not an organizational unit and we all know that, GPOs can be only applied to Organizational Units. 

More...

JSN Epic template designed by JoomlaShine.com