How to Export Certificates For Use With Operating System Deployment

When the Configuration Manager 2007 site is operating in native mode, operating system deployments that require communication with the management point must be configured to use a public key infrastructure (PKI) certificate. For more information about the certificate requirements for operating system deployment, see About Native Mode Certificates and Operating System Deployment.

To configure the operating system deployments with the required certificate, import a Public Key Certificate Standard (PKCS #12) file. The creation of this file is external to Configuration Manager 2007; however, you can use the following procedures to create this file.

Before following these procedures, the certificate must already be deployed to a computer. The certificate requirements are as follows:

  • Intended use must include client authentication

  • The private key must be allowed to be exported

If you need information about how to deploy computer certificates, follow the guidance in the following topic: Deploying the Client Computer Certificates to Clients and the Management Point. The same topic also explains how to deploy computers with their own client computer certificate, which they will need for Configuration Manager native mode communication after the operating system deployment is complete.

Important

The computer certificate required for operating system deployments is not the same computer certificate that will be required for Configuration Manager 2007 clients in a native mode site.

Considerations for creating and deploying the certificate for operating system deployments:

  • If you are using a Microsoft PKI solution, and using an Enterprise Edition of Windows Server 2003 Certificate Services with templates for auto enrollment, you can use either the computer template or the workstation template. However, you must modify the template (duplicate it, and modify the copy) so that the option Allow Private key to be exported is enabled on the Request Handling tab of the certificate template.

  • Unlike most computer certificates, this certificate is not restricted to or owned by a specific computer, but is shared temporarily by all computers that are targeted with operating system deployments in the native mode site. Because of this behavior, consider creating the certificate with a unique attribute for identification (such as custom Subject Name or Subject Alternative Name), and use it only for operating system deployments. Should the certificate ever become compromised, it can then be easily identified and revoked without affecting other computers.

  • Consider using a longer than usual validity period to reduce the administrative overhead of reconfiguring operating system deployments each time the certificate approaches its expiry date.

When the certificate is deployed to a computer, you can then use the following procedures to export the certificate so that you can use it with operating system deployments. If you are using a PXE service point, import the exported certificate as part of the database configuration properties. If you are creating boot media, import the exported certificate on the Security page of the Task Sequence Media wizard.

To export a certificate for use with operating system deployment - from computers running Windows Vista:

  1. On the Windows Vista computer that has the certificate installed, log in as a local administrator, click Start, type mmc into the Search box, and then press Enter.

  2. In the empty console, click File and then click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in dialog box, select Certificates and click Add.

  4. On the Certificates snap-in page, select Computer account and then click Next.

  5. On the Select Computer dialog box, ensure the option Local computer: (the computer this console is running on) is selected and then click Finish.

  6. To close the Add Standalone Snap-in dialog box, click OK.

  7. In the console, double-click Certificates (Local Computer).

  8. In the console, expand Personal.

  9. Locate the certificate that you need for use with operating system deployments.

  10. Right-click the certificate you require, click All Tasks, and then click Export to launch the Certificate Export Wizard.

  11. On the Certificate Export Wizard Welcome page, click Next.

  12. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note

    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format.

  13. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  14. On the Export File Format page, ensure that the following option is selected: Personal Information Exchange - PKCS #12 (.PFX).

    Note

    Optionally, select Delete the private key if the export is successful, which ensures that the certificate cannot be used on the computer after you have exported it. This helps to ensure that the certificate is used only for operating system deployments. Alternatively, you can manually delete the certificate on the computer after the export procedure is complete.

  15. On the File to Export page, specify the name of the file that you want to export, and then click Next.

  16. To close the wizard, click Finish in the Certificate Export Wizard dialog box.

  17. Store the file securely and ensure that you can access it from the Configuration Manager console.

To export a certificate for use with operating system deployment - from computers running Windows XP Professional, or Windows Server 2003:

  1. On the Windows XP Professional or Windows Server 2003 computer that has the certificate installed, click Start, click Run, type MMC in the Run dialog box, and then click OK.

  2. In the empty console, click File and then click Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins dialog box, click Add.

  4. Select Certificates from Available snap-ins, and then click Add.

  5. In the Certificates snap-in dialog box, click Computer account, and then click Next.

  6. In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.

  7. In the Add or Remove Snap-ins dialog box, click OK.

  8. In the console, expand Certificates (Local Computer).

  9. Expand Personal, and then click Certificates.

  10. In the results pane, locate the certificate that you need for operating system deployments.

  11. Right-click the certificate you require, click All Tasks, and then click Export.

  12. In the Certificate Export Wizard, click Next.

  13. On the Export Private Key page, select Yes, export the private key, and then click Next.

    Note

    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format.

  14. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

  15. On the Export File Format page, ensure that the following option is selected: Personal Information Exchange - PKCS #12 (.PFX).

    Note

    Optionally, select Delete the private key if the export is successful, which ensures that the certificate cannot be used on the computer after you have exported it. This helps to ensure that the certificate is used only for operating system deployments. Alternatively, you can manually delete the certificate on the computer after the export procedure is complete.

  16. On the File to Export page, specify the name of the file you want to export and click Next.

  17. To close the wizard, click OK in the Certificate Export Wizard dialog box.

  18. Store the file securely and ensure that you can access it from the Configuration Manager console.
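The two wizard procedures above do the export by hand. As an added example that is not part of the original article, the following PowerShell script checks a certificate in the local computer Personal store against the two requirements stated earlier (Client Authentication intended use, exportable private key) and writes the same password-protected PKCS #12 file; `$SubjectFilter` and `$PfxPath` are assumed values, and the exportability check assumes a CryptoAPI (CSP) key.

```powershell
# Added example, not from the original article: find an OSD certificate in
# LocalMachine\My, verify the article's two requirements, and export it as PKCS #12.
param(
    [string]$SubjectFilter = 'OSD',                   # assumption: substring of the custom Subject Name
    [string]$PfxPath       = 'C:\OSD\osd-client.pfx'  # assumption: where the .PFX file is written
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

function Test-OsdCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Requirement 1: intended use must include client authentication.
    # A certificate with no EKU extension is valid for all purposes in Windows.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = (-not $eku) -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    if (-not $hasClientAuth) { return 'intended use does not include Client Authentication' }

    # Requirement 2: the private key must exist and be marked exportable (CSP keys only here).
    if (-not $Cert.HasPrivateKey) { return 'no private key on this computer' }
    try {
        $exportable = $Cert.PrivateKey.CspKeyContainerInfo.Exportable
    } catch {
        return "private key not readable: $($_.Exception.Message)"
    }
    if (-not $exportable) { return 'private key is not exportable; fix the template and re-enroll' }
    return $null   # $null means both requirements are met
}

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$SubjectFilter*" }
if (-not $candidates) { throw "No certificate in LocalMachine\My matches '$SubjectFilter'" }

foreach ($cert in $candidates) {
    $problem = Test-OsdCertificate -Cert $cert
    if ($problem) { Write-Warning "$($cert.Thumbprint): $problem"; continue }

    # Same output as the wizard: Personal Information Exchange (PKCS #12) including
    # the private key, protected by a password the operator types in.
    $password = Read-Host -Prompt "PFX password for $($cert.Thumbprint)" -AsSecureString
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    Write-Host "Exported $($cert.Thumbprint) (valid until $($cert.NotAfter)) to $PfxPath"
    break
}
```

The script does not remove the certificate from the store afterwards, so if you want the equivalent of Delete the private key if the export is successful, delete it manually as the note in the procedures describes.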

See Also

Tasks

How to Prepare the Root Certification Authority Certificates for Operating System Deployment Clients

Concepts

Configuration Manager Site Modes
About Native Mode Certificates and Operating System Deployment
Deploying the Client Computer Certificates to Clients and the Management Point