
Deploying the Site Server Signing Certificate to the Site Server

The site server in a Configuration Manager 2007 native mode site requires a custom public key infrastructure (PKI) certificate before the site can operate in native mode.


Every native mode site in the Configuration Manager 2007 hierarchy requires its own site server signing certificate on its site server. This includes a central site that is used for reporting and has no clients assigned to it.

You can deploy the site server signing certificate in several ways, including the following methods:

  • If you are using a Microsoft PKI with an Enterprise certification authority running the Enterprise edition of Microsoft Windows Server 2003, you can modify a version 2 (v2) certificate template to create a site server signing certificate that can be requested online from the site server. Configure the template so that only site servers have Read and Enroll permissions, and so that each site server supplies the subject name when it requests the certificate. For additional security, configure the template for manual approval.

  • If you are using a Microsoft PKI with Web enrollment, you can request a custom certificate using the Web enrollment pages. If you are using the Enterprise edition of Windows Server 2003 with a modified v2 certificate template, you can request a certificate based on this template on the Web enrollment page, with the benefit of having the certificate requirements automatically configured with the template.

  • If you are running Internet Information Services (IIS) on the site server, you can request this certificate through IIS as either an online request or a file request.

  • You can request and retrieve the certificate using the Microsoft Certreq command-line utility.

  • If you can create the certificate with your certificate management tools, you can export it and import it on the site server.

After the site server signing certificate is installed in the local certificate store on the site server, you must configure Configuration Manager 2007 to use it. You do this either in Setup when you install the site, or by configuring the site for native mode after Setup is complete.
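
The Certreq method above, followed by a check of what ended up in the local computer store, as an added example that is not part of the original topic. The site code, template name, key length and file paths are hypothetical; the subject string and the Document Signing EKU are the values given in Certificate Requirements for Native Mode, not on this page.

```powershell
# Added example. Hypothetical values: site code, template name, working folder.
$siteCode = 'ABC'                              # hypothetical site code (case-sensitive)
$template = 'ConfigMgrSiteServerSigning'       # hypothetical v2 template name
$subject  = "CN=The site code of this site server is $siteCode"
$docSign  = '1.3.6.1.4.1.311.10.3.12'          # Document Signing EKU
$work     = Join-Path $env:TEMP 'SiteSigningCert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'sitesigning.cer'
Remove-Item $req, $cer -ErrorAction SilentlyContinue

# Request policy: machine key store, signature key, private key not exportable.
@"
[NewRequest]
Subject = "$subject"
MachineKeySet = TRUE
Exportable = FALSE
KeyLength = 2048
KeySpec = 2
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path $inf -Encoding ASCII

certreq -new $inf $req
if (-not (Test-Path $req)) { throw 'certreq -new did not create a request file.' }

# With manual approval on the template, -submit returns a request ID instead of a
# certificate; after approval, fetch it with: certreq -retrieve <RequestId> $cer
certreq -submit $req $cer
if (-not (Test-Path $cer)) { throw 'No certificate issued yet (pending approval?).' }
certreq -accept $cer

# Check what landed in the local computer store before pointing the site at it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -ceq $subject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My." }
$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
$problems = @()
if (-not $cert.HasPrivateKey)      { $problems += 'no private key on this server' }
if ($ekus -notcontains $docSign)   { $problems += 'Document Signing EKU missing' }
if ($cert.NotAfter -le (Get-Date)) { $problems += 'certificate has expired' }
if ($problems) { throw ('Certificate check failed: ' + ($problems -join '; ')) }
"OK: $($cert.Thumbprint) valid until $($cert.NotAfter)"
```

Run it in an elevated session on the site server so the key pair is created in the machine store.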

See Also


Certificate Requirements for Native Mode
Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode)
Renewing or Changing the Site Server Signing Certificate

Other Resources

Deploying the PKI Certificates Required for Native Mode