How to Specify the Client Certificate Store
When Configuration Manager 2007 is operating in native mode, clients communicate with the site using a client certificate that is managed externally to Configuration Manager 2007.
By default, a Configuration Manager 2007 client will look for a suitable certificate in the Computer Personal store. If this is the location of the deployed client certificate, there is nothing further to configure. However, if the client certificate is stored in an alternative location, you must specify the client certificate store.
There are two supported procedures you can use for this configuration. Choose the procedure that is suitable for your environment. The two procedures are as follows:
- Publish the settings to Active Directory Domain Services. To publish the settings to Active Directory Domain Services, specify the settings on the Site Properties: Site Mode tab. For clients to be configured with the settings using this configuration method, the following conditions must all apply:
  - Active Directory Domain Services must be extended with the Configuration Manager 2007 schema extensions.
  - The site must be publishing to Active Directory Domain Services.
  - Clients must be on the intranet.
  - Clients must be from the same Active Directory forest as the site server's forest.
- Specify the settings using CCMSetup.exe command-line options. You can supply CCMSetup options when the client is first installed, or in a script that runs after installation and reinstalls the client with the new configuration. If the client is already installed, you can use the software distribution feature to send the CCMSetup commands to the client, or you can use Configuration Manager 2007 task sequences to achieve this. If the settings supplied with CCMSetup conflict with those published to Active Directory Domain Services and clients can access the settings in Active Directory Domain Services, the settings from Active Directory Domain Services take precedence and the settings specified with CCMSetup are not used.
You can also specify the settings using your in-house client management tools, which might include incorporating the settings in a standard build image and deploying custom scripts to edit the registry.
To specify the client certificate store by publishing the setting to Active Directory Domain Services:
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.
Right-click <site code> - <site name>, and then click Properties.
On the Site Mode tab in the site properties dialog box, ensure that the site mode is configured for Native and enter the alternative certificate store you want to use in the text box for Certificate store name.
Click OK.
To specify the client certificate store by specifying the setting using CCMSetup.exe command-line options:
- Use CCMSetup.exe with the client.msi parameter ccmcertstore. For more information about CCMSetup options, see About Configuration Manager Client Installation Properties.
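A pre-flight check for the CCMSetup procedure above, as an added example that is not part of the original documentation: it confirms that the alternate store exists in the Local Computer location and holds a usable certificate before the client is installed against it. The store name `ConfigMgr`, the CCMSetup.exe path, and the selection criteria (private key present, within validity period, Client Authentication EKU) are assumptions for illustration.

```powershell
# Added example (not from the original page). Store name and path are assumed values.
param(
    [string]$StoreName = 'ConfigMgr',            # constructed alternate store name
    [string]$CcmSetup  = 'C:\Temp\ccmsetup.exe'  # assumed location of CCMSetup.exe
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (assumed requirement)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    $StoreName,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)

# OpenExistingOnly makes Open() fail on a mistyped name instead of creating an empty store.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
try {
    $store.Open($flags)
} catch {
    throw "Certificate store '$StoreName' was not found in the Local Computer location."
}

try {
    $now = Get-Date
    # Keep certificates that have a private key, are currently valid, and carry the EKU.
    $usable = @($store.Certificates | Where-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $cert.HasPrivateKey -and
        $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    })
} finally {
    $store.Close()
}

if ($usable.Count -eq 0) {
    throw "No usable client certificate in store '$StoreName'; not running CCMSetup."
}
$usable | ForEach-Object { Write-Output ("Candidate: {0} expires {1:u}" -f $_.Subject, $_.NotAfter) }

# /native is the CCMSetup switch for native mode; CCMCERTSTORE is the client.msi property.
& $CcmSetup '/native' "CCMCERTSTORE=$StoreName"
```

Run it from an elevated prompt so the private key check reflects the computer account's view of the store. If the site also publishes a certificate store name to Active Directory Domain Services and the client can read it, that published value is used instead of the CCMCERTSTORE value.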
See Also
Concepts
Certificate Requirements for Native Mode
Determine If You Need to Specify Client Certificate Settings (Native Mode)