Setting up a secure communication

In previous versions of Configuration Manager, setting up secure communication for your site was often difficult and not very flexible, in that clients could only be told to communicate using one mode or the other. These were known as mixed mode and native mode and were set at the site level. With Configuration Manager 2012, these site modes have gone, and site system roles now support communication over either HTTP or HTTPS depending on how each role is configured. This setting has moved out of the site configuration, which makes it much easier to set up and deploy, even in live environments.

Tip

Secure communication in Configuration Manager 2012 is a whole new ball game; the way we set up the site for secure communication is completely different from previous versions.

In this section, we will go through the entire setup process to secure your clients' communication with site system roles using HTTPS.

Preparing the certificate authority

In the examples here, we will be using Active Directory Certificate Services as part of a Windows Server 2012 R2 Active Directory Domain. The setup process is the same as in the previous versions; however, where applicable, differences will be highlighted.

Our lab environment where we will generate certificates is also running certificate services on the domain controller. This is not a good practice for a production environment, and you should always design your certificate authority in a secure manner that is recommended by the vendor. More information on setting up a Microsoft certificate authority can be found on TechNet at http://bit.ly/1rgzWwK.

As part of the certificate services installation, the following role services are also available:

  • Certification authority
  • Certificate enrollment policy web service
  • Certificate enrollment web service
  • Certification authority web enrollment service
  • Network device enrollment service
  • Online responder

We will only be deploying the certification authority in our environment; you may require others in your environment.

Tip

Remember that certificate services is a service other applications can call upon; always take this into account when configuring the service. Work with your security team and other teams to check whether a certificate authority already exists before you build a new one.

Setting up certificate services using the user interface

Similar to most actions in Windows Server 2012 R2, from Server Manager either navigate to Manage and then Add Roles and Features, or perform the same action from the Quick Start menu. On the Add Roles and Features Wizard window, as shown in the following screenshot, click on Next through the wizard pages until you reach the Server Roles page. From here, tick Active Directory Certificate Services, accept the default options that appear, and then click on Next until you reach the Active Directory Certificate Services Role Services page. The only option you should have ticked on the Role Services page is Certification Authority. For lab purposes, this is the only option our environment requires.

Click on Next to go to the confirmation page where you can press Install and let the certification authority install on your server. Depending on the configuration of your server, this should take no longer than one minute to complete.

On the completion screen, you should see a blue link in the middle of the screen that says Configure Active Directory Certificate Services on the destination server. Click on this link to begin the configuration of the role that we have just installed. In the following wizard, specify a domain account. The screen provides you with information on the permissions required by the account. Then, click on Next.

Tick the box for the Certification Authority option on the Role Services screen and then click on Next. Make sure the setup type is Enterprise CA and the CA type is Root CA. Click on Next.

Select the option to create a new private key and then click on Next, as shown in the following screenshot:

Accept the default options all the way through to the confirmation screen. Review the options on the screen, and when you are happy, click on Configure.

Again, depending on the configuration of your server, this should take no longer than one minute to complete. Click on Close twice to close down the configuration and role installation screens. At this point, you can also close Server Manager. Certificate services have now been installed and configured on your server.

Setting up certificate services using PowerShell

If you prefer to use PowerShell, then you can also use it to set up certificate services on your server. Simply launch the PowerShell prompt as an administrator and type the following command to make sure the server manager module is available:

Import-Module ServerManager

Once this command has been executed, run the following command from the same window to install the certificate authority feature:

Add-WindowsFeature Adcs-Cert-Authority

When the feature has been installed, we need to configure the feature just like when we use the user interface. In the same window as the previous two commands, execute the following command:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 5

Tip

PowerShell is a fantastic way to automate how you deploy services and servers. Consider using PowerShell where possible to keep your setup consistent.

Configuring certificate templates

Configuration Manager might require several certificate templates for different uses. Here, we will look at the configuration of some of the most common certificates used in Configuration Manager. Before we look at this, you will need a security group in Active Directory called CM IIS Servers. If you have a standard naming convention for security groups, then feel free to adopt that format for this group.

In this group, add any servers that have or will have IIS installed to perform functionality for Configuration Manager, such as a distribution point or management point. This security group will be used to provide permission to certificate templates to ensure only the correct servers have access to provision the certificate.

A full guide to deploying the rest of the certificates other than the ones noted here can be found on TechNet at http://technet.microsoft.com/en-us/library/gg682023.aspx.

Creating the web server certificate template

Open the Certificate Authority console and navigate to the Certificate Templates node, right-click in the pane displayed and click on Manage. This will open the certificate template console where the template will be created. Right-click on the certificate template called Web Server and click on Duplicate.

Note

Always ensure that your certificate templates are created with Windows Server 2003, Enterprise Edition as the compatibility setting, or with the default options if you are using Windows Server 2012.

In the General tab of the new template properties, enter CM Web Server Certificate as the template display name, as shown in the following screenshot. In the Subject Name tab, ensure that Supply in the request is also selected.

Permissions for both domain administrators and enterprise administrators should not have the Enroll option ticked. Finally, add the security group that you have created and ensure this group has the Read and Enroll permissions selected. No other permissions are required.

Click on OK to close the Properties window, which will also create the new template. This certificate is now ready to be marked for issuing.

Creating the client certificate for distribution points

Open the Certificate Authority console and navigate to the Certificate Templates node; right-click on the pane displayed and click on Manage. This will open the certificate template console where the template will be created. Right-click on the certificate template called Workstation Authentication and click on Duplicate.

Note

Always ensure that your certificate templates are created with Windows Server 2003, Enterprise Edition as the compatibility setting, or with the default options if you are using Windows Server 2012.

In the General tab of the new template properties, enter CM Client DP Certificate as the template display name, as shown in the following screenshot. In the Request Handling tab, ensure that Allow private key to be exported is also selected.

In the Security tab, for enterprise administrators ensure that the Enroll permission is not ticked. Finally, add the security group that you have created and ensure this group has the Read and Enroll permissions selected. No other permissions are required.

Click on OK to close the Properties window, which will also create the new template. This certificate is now ready to be marked for issuing.

Creating the client certificate for Windows computers

Open the Certificate Authority console and navigate to the Certificate Templates node, right-click in the pane displayed, and click on Manage. This will open the certificate template console where the template will be created. Right-click on the certificate template called Workstation Authentication and click on Duplicate.

Note

Always ensure that your certificate templates are created with Windows Server 2003, Enterprise Edition as the compatibility setting, or with the default options if you are using Windows Server 2012.

In the General tab of the new template properties, enter CM Client Certificate as the template display name, as shown in the following screenshot. In the Security tab, for domain computers make sure that Autoenroll and Enroll are ticked as well as Read.

These permissions ensure that computers can automatically obtain the certificate when set up via group policy. This negates the need for you to manually issue a workstation certificate to every Windows computer where you install the Configuration Manager agent.

Click on OK to close the Properties window, which will also create the new template. This certificate is now ready to be marked for issuing.
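The three templates above are secured entirely through their permissions, so it is worth confirming who actually holds Enroll and Autoenroll on each once they are created. The following PowerShell is an added example and not part of the original text; it reads each template's ACL from the Configuration partition and assumes the ActiveDirectory module (RSAT) is installed and that the template names (not the display names) are CMWebServerCertificate, CMClientDPCertificate and CMClientCertificate.

```powershell
# Added example (not from the book): list who may Enroll/Autoenroll on a template
# by reading the pKICertificateTemplate object's ACL. Assumes the ActiveDirectory
# module and a domain-joined session with read access to the Configuration partition.
Import-Module ActiveDirectory

# Extended-right GUIDs that appear as ObjectType on template ACEs
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-TemplateEnrollers {
    param([Parameter(Mandatory)][string]$TemplateName)   # template name, e.g. CMWebServerCertificate

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $right  = $null
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $right = 'GenericAll (includes Enroll)'
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if     ($ace.ObjectType -eq $EnrollRight)     { $right = 'Enroll' }
            elseif ($ace.ObjectType -eq $AutoEnrollRight) { $right = 'Autoenroll' }
            elseif ($ace.ObjectType -eq [Guid]::Empty)    { $right = 'All extended rights (includes Enroll)' }
        }
        if ($right) {
            [pscustomobject]@{ Template = $TemplateName; Identity = $ace.IdentityReference.Value; Right = $right }
        }
    }
}

# Compare the output with the permissions set above: CM IIS Servers on the web
# server and DP templates, Domain Computers (Enroll and Autoenroll) on the client
# template. Any other identity holding Enroll deserves a second look.
'CMWebServerCertificate', 'CMClientDPCertificate', 'CMClientCertificate' |
    ForEach-Object { Get-TemplateEnrollers -TemplateName $_ } | Format-Table -AutoSize
```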

Issuing certificate templates

When all your certificate templates have been created, you need to issue these so that they can be requested by the appropriate client devices and servers. Open the Certificate Authority console and navigate to the Certificate Templates node. Right-click on the certificate templates, select New, and then select Certificate Templates to Issue.

Select multiple certificates by using the Ctrl key and clicking on the certificates. Once you have selected all of the certificates, click on OK. These certificates are now ready to be enrolled by workstations and clients.

Requesting the web server certificate

On each IIS server, go to Start and then Run. Type certlm.msc to open the Certificates console; this should automatically connect to the local computer. You can verify this by checking the text of the top node on the left-hand side of the console. Right-click on Personal and then select Request New Certificate from the All Tasks option. Select the default enrollment policy.

Tick the CM Web Server Certificate checkbox; you will notice that under the certificate a warning triangle is displayed. This is because the certificate requires additional information before you can enroll for it. Click on the link below the certificate to begin the configuration of the certificate.

Tip

You can also enroll certificates using PowerShell. There is a great reference on how to perform this action on TechNet at http://bit.ly/1zbc2r0.

Under the Subject tab, select DNS from the Type dropdown under Alternative name, as shown in the following screenshot; enter all the possible scenarios for the name of the server. This includes FQDN and also any Internet names if the server is Internet facing.

Once this information has been entered and verified, click on OK. You will then be returned to the enrollment page where you can click on the Enroll button to obtain the certificate. Now in the personal certificate store, you should see the certificate we have just provisioned.

Requesting the client certificate for distribution points

On the distribution point server, go to Start and then Run. Type certlm.msc to open the Certificates console; this should automatically connect to the local computer. You can verify this by checking the text of the top node on the left-hand side of the console. Right-click on Personal and then select Request New Certificate from the All Tasks option. Select the default enrollment policy.

Tick the CM Client DP Certificate checkbox from the list of available certificates, and then click on Enroll. You should then see the certificate in the personal certificate store for the local system and not the current user.

Exporting the distribution point client certificate

Once the certificate has been enrolled by the server, you need to export the certificate so it can then be imported into Configuration Manager. Select the certificate that you have just provisioned; right-click on the certificate and select Export from All tasks.

Tip

If you are not sure which certificate to export, scroll to the right of the console where you can find the certificate name. This will help you determine which certificate to export.

To export the certificate, the following process should be followed.

  1. On the Export Private Key page, check the option to allow the private key to be exported.
  2. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is checked; this will ensure that the format of the export is correct.
  3. On the Password page, specify a password to protect the exported certificate with the private key, and then click on Next.
  4. On the File to Export page, specify the name of the file that you want to export, and then click on Next.

    Tip

    You should consider storing the password for the exported certificate in a password safe or another secure location.
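The web server certificate request with its alternative DNS names, the distribution point certificate request, and the PFX export described in the preceding sections can all be performed from PowerShell, as the earlier tip mentions. The following is an added example and not part of the original text; it assumes the template names (not the display names) are CMWebServerCertificate and CMClientDPCertificate, and that the names in $dnsNames are the ones you would otherwise type into the enrollment wizard.

```powershell
# Added example (not from the book): request the web server and DP client certificates
# and export the DP certificate as PKCS #12. Run elevated on the site system itself.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$dnsNames = @($env:COMPUTERNAME, $fqdn, 'cm-dp.example.com')   # constructed; add Internet-facing names here

# Web server certificate: the template is set to "Supply in the request", so the
# subject and every SAN entry are passed here, exactly as in the enrollment UI.
$web = Get-Certificate -Template 'CMWebServerCertificate' `
                       -SubjectName "CN=$fqdn" -DnsName $dnsNames `
                       -CertStoreLocation Cert:\LocalMachine\My
if ($web.Status -ne 'Issued') { throw "Web server request status: $($web.Status)" }

# Print the Subject Alternative Name extension (OID 2.5.29.17) so every name can be
# checked before IIS is configured to use the certificate.
$san = $web.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san.Format($true)

# DP client certificate: the template builds the subject from Active Directory, so no
# names are supplied. It lands in the local machine store, not the current user's.
$dp = Get-Certificate -Template 'CMClientDPCertificate' -CertStoreLocation Cert:\LocalMachine\My
if ($dp.Status -ne 'Issued') { throw "DP client request status: $($dp.Status)" }

# Export with the private key as a password-protected .PFX for import into Configuration Manager.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $dp.Certificate -FilePath "$env:TEMP\CM-DP-Client.pfx" -Password $pfxPassword
```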

Deploying the client certificate for Windows workstations

Create a new group policy object and give it an appropriate name. Open the policy to edit it and expand Policies under Computer Configuration. From here, expand the nodes to the Windows Settings/Security Settings/Public Key Policies path.

From here, open the Certificate Services Client – Auto-enrollment object by selecting Properties. Configure the options as shown in the following screenshot, ensure the configuration model is set to Enabled, and then make sure both of the checkboxes are ticked:

Make sure this group policy is linked; assign any security that you might want for the group policy object. The next time a workstation reboots, the policy will take effect and clients should automatically enroll the certificate.

Configuring IIS to use the distribution point certificate

Once the certificate for the distribution point is provisioned, you need to configure IIS to use it. Open IIS Manager and navigate to the default website. In the Actions pane on the right-hand side of the console, select Bindings.

From the Site Bindings screen, select the HTTPS binding (port 443 by default) and select Edit, as shown in the following screenshot:

Select the certificate from the list of available certificates. If you have more than one certificate listed, click on the Select button where you can view more details on the certificates available to IIS.

Click on OK once you have selected the certificate and then click on Close. You can now close IIS Manager. You can verify that the certificate is working correctly by browsing to https://servername/ (replacing servername with the name of the site system on which you installed the certificate). Make sure you test every DNS name that you entered when you provisioned the certificate to verify it is working properly. Your browser should show no certificate warnings and display something similar to the following screenshot:
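Browsing to each name by hand is easy to skip on a server with several names, so the following PowerShell is an added example (not part of the original text) that performs the same check for every DNS name in one go: it opens a TLS connection to each name, lets .NET's default validation enforce the chain and the name match, and confirms the certificate served is the one bound to port 443 in IIS. It assumes the WebAdministration module that ships with IIS and that the names passed in are the ones entered in the request.

```powershell
# Added example (not from the book): verify the HTTPS binding on every DNS name.
Import-Module WebAdministration

function Test-CmHttpsBinding {
    param(
        [Parameter(Mandatory)][string[]]$DnsName,
        [string]$SiteName = 'Default Web Site',
        [int]$Port = 443
    )
    # Thumbprint of the certificate IIS has bound on this port
    $bound = (Get-WebBinding -Name $SiteName -Protocol https |
              Where-Object { $_.bindingInformation -like "*:$($Port):*" } |
              Select-Object -First 1).certificateHash

    foreach ($name in $DnsName) {
        $result = [ordered]@{ Name = $name; Ok = $false; Thumbprint = $null; Error = $null }
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($name, $Port)
            # No custom validation callback: the default one rejects an untrusted chain or a name mismatch.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($name)
            $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.Thumbprint = $served.Thumbprint
            $result.Ok = ($served.Thumbprint -eq $bound)
            if (-not $result.Ok) { $result.Error = "served certificate is not the one bound in IIS ($bound)" }
        } catch {
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Close() }
        }
        [pscustomobject]$result
    }
}

# Constructed names; replace with the short name, FQDN and any Internet name in the certificate.
Test-CmHttpsBinding -DnsName 'cm-dp', 'cm-dp.contoso.local', 'cm-dp.example.com' | Format-Table -AutoSize
```

A row with Ok set to False and a chain or name error corresponds to the browser warning the text describes; a row with a thumbprint mismatch means IIS is serving a different certificate than the one selected in Site Bindings.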

Tip

You can use the same certificate here for a management point as well as a distribution point. The process is the same for provisioning the certificate as well as for configuring IIS.