Certificate Requirements for Native Mode
The public key infrastructure (PKI) certificates required for a Configuration Manager 2007 site to run in native mode are listed in the following tables. This information assumes basic knowledge of PKI certificates. For more information about PKI, use the PKI references and deployment topics listed in Deploying the PKI Certificates Required for Native Mode.
When you are using a Microsoft PKI solution, the use of certificate templates can ease the management of these certificates. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or on the Datacenter Edition of Windows Server 2003 or Windows Server 2008. However, do not use version 3 templates (Windows Server 2008, Enterprise Edition). These certificate templates create certificates that are not compatible with Configuration Manager. To see how certificate templates can be used for deploying the certificates required by Configuration Manager in native mode, see the following:
Important
The certificates must be in place before the site can operate in native mode. Configuration Manager will attempt to validate the site server signing certificate when native mode is selected during Setup or when the site is migrated to native mode after Setup. However, Configuration Manager is unable to validate the other certificates that are required for native mode operation.
You can manually run the Configuration Manager Native Mode Readiness Tool utility to verify whether client computers are ready for native mode. For more information about this tool, see How to Determine Whether Client Computers Are Ready for Native Mode.
Certificates Required for Native Mode
Configuration Manager Component | Certificate Use | Microsoft Certificate Template to Use | Specific Information in Certificate | How the Certificate Is Used in Configuration Manager |
---|---|---|---|---|
Primary site server | Document signing | There is no default template for document signing. You can use any version 2 (v2) template, removing the intended usages if these are not required and adding the document-signing capability. | Enhanced Key Usage value must contain Document Signing (1.3.6.1.4.1.311.10.3.12).<br>The Subject Name field must contain the following string: The site code of this site server is <XXX>. Replace <XXX> with the site code of the site server.<br>Note: This exact text string in English must be used, in the same case, without a trailing period, and the site code must be specified at the end of the string in the same case as it appears in the Configuration Manager console.<br>Maximum supported key length is 8096 bits.<br>This certificate must reside in the Personal store in the Computer certificate store. | The site server signing certificate signs the policies that clients download from their management point so that clients know the policies originate from their assigned site.<br>This certificate is not required on secondary site servers.<br>Clients must have a copy of this certificate before they can accept policies signed with it. For more information, see Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode). |
Site system roles: management point, proxy management point, distribution point, software update point, state migration point | Server authentication<br>Note: Management points and state migration points also require a certificate with client authentication capability, as detailed in the Client computers row. | Web server | Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).<br>If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).<br>If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's NetBIOS name, depending on how the site system is configured.<br>If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer NetBIOS name) must be specified, using the ampersand (&) symbol as the delimiter between the two names.<br>Important: When the software update point accepts client connections from the Internet only, the certificate must still contain both the Internet FQDN and the intranet FQDN.<br>Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size-related issues for this certificate.<br>This certificate must reside in the Personal store in the Computer certificate store. | This Web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers using Secure Sockets Layer (SSL). |
Client computers | Client authentication | Computer or Workstation | Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).<br>Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the Workstation template only).<br>Note: If you are using multiple values for the Subject Alternative Name, only the first will be used.<br>Maximum supported key length is 2048 bits.<br>By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store. To change this default, see How to Specify the Client Certificate Store. | This certificate authenticates the client to the following servers: management point, proxy management point, distribution point, software update point, state migration point.<br>This certificate is also required on management points and state migration points, even if the Configuration Manager 2007 client is not installed on these site systems, so that the health of these roles can be monitored and reported to the site server. On these site systems the certificate must reside in the Personal store of the Computer certificate store. |
Mobile device clients | Client authentication | Authenticated session | Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).<br>Maximum supported key length is 2048 bits.<br>Important: These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported.<br>This certificate must reside in the Personal store. | This certificate authenticates the mobile device client to the following servers: mobile device management point, mobile device proxy management point, distribution point. |
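As the Important note above says, Setup validates only the site server signing certificate; the Web server and client certificates have to be checked by hand. The following Windows PowerShell script is an added example (it is not part of the Configuration Manager documentation or product) that audits the Computer Personal store on the machine it runs on against the requirements in the table: EKU OIDs, the exact site-code subject text (case-sensitive, no trailing period), the FQDNs a site system must present, and the key-length limits. The site code and FQDN parameters are assumed placeholders. It does not check chain building, trust, or revocation.

```powershell
# Added example, not from the Configuration Manager 2007 documentation: audit the
# Computer Personal store (Cert:\LocalMachine\My) against the native mode table above.
# Run in an elevated Windows PowerShell session on the server or client being checked.
param(
    [string]$SiteCode     = 'ABC',                       # assumed; use your site code
    [string]$IntranetFqdn = 'server1.corp.contoso.com',  # assumed intranet FQDN
    [string]$InternetFqdn = ''                           # assumed; set only if Internet-facing
)

$OidDocSigning = '1.3.6.1.4.1.311.10.3.12'   # Document Signing
$OidServerAuth = '1.3.6.1.5.5.7.3.1'         # Server Authentication
$OidClientAuth = '1.3.6.1.5.5.7.3.2'         # Client Authentication
$X509 = 'System.Security.Cryptography.X509Certificates'

# Enhanced Key Usage OIDs on a certificate (empty array if the extension is absent).
function Get-EkuOid($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_ -is ("$X509.X509EnhancedKeyUsageExtension" -as [type]) }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# DNS names in the Subject Alternative Name extension (OID 2.5.29.17), in order.
# Format($false) renders it as "DNS Name=a.example.com, DNS Name=b.example.com".
function Get-SanDnsName($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($null -eq $ext) { return @() }
    return @([regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })
}

# True if $Name is the Subject CN or appears in the SAN DNS list; an empty $Name means
# that scope (intranet or Internet) is not required on this server.
function Test-NameOnCert($Cert, [string]$Name) {
    if ([string]::IsNullOrEmpty($Name)) { return $true }
    $cn = $Cert.GetNameInfo(("$X509.X509NameType" -as [type])::DnsName, $false)
    return ($cn -eq $Name) -or ((Get-SanDnsName $Cert) -contains $Name)
}

function Get-KeyBits($Cert) {
    try { return $Cert.PublicKey.Key.KeySize } catch { return -1 }   # -1: key type not readable
}

$results = @()
foreach ($c in @(Get-ChildItem Cert:\LocalMachine\My)) {
    $eku     = Get-EkuOid $c
    $keyBits = Get-KeyBits $c

    # Site server signing certificate: exact English subject text, same case (-cmatch),
    # site code at the end, no trailing period, key length <= 8096 bits.
    if ($eku -contains $OidDocSigning) {
        $expected = 'CN=' + [regex]::Escape("The site code of this site server is $SiteCode") + '(,|$)'
        $results += New-Object PSObject -Property @{
            Thumbprint = $c.Thumbprint; Role = 'Site server signing'
            SubjectOk  = ($c.Subject -cmatch $expected); NamesOk = $true
            KeyOk      = ($keyBits -le 8096);            HasPrivateKey = $c.HasPrivateKey }
    }
    # Web server certificate: server authentication EKU plus every FQDN clients connect to.
    if ($eku -contains $OidServerAuth) {
        $results += New-Object PSObject -Property @{
            Thumbprint = $c.Thumbprint; Role = 'Web server (site system)'
            SubjectOk  = $true
            NamesOk    = (Test-NameOnCert $c $IntranetFqdn) -and (Test-NameOnCert $c $InternetFqdn)
            KeyOk      = $true;   HasPrivateKey = $c.HasPrivateKey }   # no maximum key length
    }
    # Client certificate: a subject or SAN identity, key length <= 2048 bits. Only the first
    # SAN value is used by Configuration Manager, so that is the identity reported.
    if ($eku -contains $OidClientAuth) {
        $firstSan = @(Get-SanDnsName $c) | Select-Object -First 1
        $identity = if ($firstSan) { $firstSan } else { $c.Subject }
        $results += New-Object PSObject -Property @{
            Thumbprint = $c.Thumbprint; Role = "Client authentication ($identity)"
            SubjectOk  = (-not [string]::IsNullOrEmpty($identity)); NamesOk = $true
            KeyOk      = ($keyBits -le 2048);  HasPrivateKey = $c.HasPrivateKey }
    }
}
$results | Format-Table Role, Thumbprint, SubjectOk, NamesOk, KeyOk, HasPrivateKey -AutoSize
```

A row with any `False` is a certificate the site will silently fail to use; `HasPrivateKey` is included because a certificate imported without its key looks correct in the console but cannot sign or authenticate.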
Components Requiring Additional Certificates for Native Mode
You will need additional certificates if the native mode site supports the following optional components:
Network load balancing management points or network load balancing software update points.
Proxy servers for Internet-based client management.
The operating system deployment feature.
Mobile devices
The following sections provide information about the certificates that are required for each of these additional components.
Network Load Balancing Management Points or Network Load Balancing Software Update Points
If the site supports a network load balancing management point or a network load balancing software update point, there are additional certificate requirements, as listed in the following table.
Configuration Manager Component | Certificate Use | Microsoft Certificate Template to Use | Specific Information in Certificate | How the Certificate Is Used in Configuration Manager |
---|---|---|---|---|
Network Load Balancing (NLB) cluster for a management point or a software update point | Server authentication | Web server | | This certificate is used to authenticate the network load balancing management point or the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers using SSL. |
Proxy Web Servers for Internet-Based Client Management
If the site supports Internet-based client management and you are using a proxy Web server with SSL termination (bridging) for incoming Internet connections, the proxy Web server has the certificate requirements listed in the following table.
Note
If you are using a proxy Web server without SSL termination (tunneling), no additional certificates are required on the proxy Web server.
For more information about using proxy Web servers for Internet-based client management, see Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management.
Network Infrastructure Component | Certificate Use | Microsoft Certificate Template to Use | Specific Information in Certificate | How the Certificate Is Used in Configuration Manager |
---|---|---|---|---|
Proxy Web server accepting client connections over the Internet | Server authentication and client authentication | | Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the Workstation template only). | The server authentication capability is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server using SSL:<br>The client authentication capability is used to bridge client connections between the Configuration Manager 2007 clients and the Internet-based site systems. |
Operating System Deployment Feature
If the site supports the operating system deployment feature, the certificates listed in the following table are required in addition to the server certificate and the client certificate required for the state migration point.
For more information about the certificates related to operating system deployment in a native mode site, see How to Manage Native Mode Certificates and Operating System Deployment.
Configuration Manager Component | Certificate Use | Microsoft Certificate Template to Use | Specific Information in Certificate | How the Certificate Is Used in Configuration Manager |
---|---|---|---|---|
Operating system client deployment, if client certificates are required to complete the deployment | Client authentication | Computer or Workstation | Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).<br>Unique value in the Subject Name or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the Workstation template only).<br>Maximum supported key length is 2048 bits. | The certificate is used if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information. The client certificate must be exported in Public Key Cryptography Standard #12 (PKCS #12) format, and the password must be known so that it can be imported into Configuration Manager boot images or supplied by the PXE service point. These certificates are used for the duration of the operating system deployment process only and are not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates. PKCS #12 files have a .PFX extension. For more information: |
Root certification authority certificates for operating system deployment clients | Root authority for the site server's certificate and the management point's server certificate | Not applicable | Standard root certification authority certificate. | The root certification authority certificate must be provided so that the client can communicate with the management point to complete the operating system deployment. Each primary site in native mode that uses the operating system deployment feature must be configured with root CA certificates. However, secondary sites automatically use the root certification authority certificates specified on their primary site. For more information: |
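Two of the requirements on this page are about file encoding rather than certificate content: the operating system deployment client certificate must leave the store as a password-protected PKCS #12 (.pfx) file, and the mobile device certificates (see the Mobile device clients row above) and root CA files must be DER-encoded binary X.509, not Base64. The following Windows PowerShell script is an added example (not from the Configuration Manager documentation or product) that performs both exports with the .NET X509Certificate2 API and verifies the results: the .pfx must reload with its password and still carry the private key, and a DER file must begin with the ASN.1 SEQUENCE tag 0x30 rather than the text of a Base64 file. The thumbprints and paths are assumed placeholders, and the client certificate's private key must have been issued as exportable.

```powershell
# Added example, not from the Configuration Manager 2007 documentation: export an OSD
# client certificate as PKCS #12 and a root CA certificate as DER, then verify both files.
param(
    [string]$ClientThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # assumed
    [string]$RootThumbprint   = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98',  # assumed
    [string]$PfxPath          = 'C:\Certs\osd-client.pfx',                    # assumed
    [string]$RootCerPath      = 'C:\Certs\root-ca.cer'                        # assumed
)
$X509 = 'System.Security.Cryptography.X509Certificates'
$ContentType = "$X509.X509ContentType" -as [type]

# A DER-encoded certificate is a single ASN.1 SEQUENCE, so its first byte is 0x30.
# A Base64 (.cer/.pem) file starts with "-----BEGIN" or the text "MII" instead.
function Test-DerEncodedCert([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ($bytes.Length -gt 2) -and ($bytes[0] -eq 0x30)
}

function Get-CertByThumbprint([string]$StorePath, [string]$Thumbprint) {
    $cert = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($null -eq $cert) { throw "Certificate $Thumbprint not found in $StorePath" }
    return $cert
}

# 1. Client authentication certificate for the boot image / PXE service point (PKCS #12).
$client = Get-CertByThumbprint 'Cert:\LocalMachine\My' $ClientThumbprint
if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key; OSD cannot use it' }

# The password entered here is the one supplied when the .pfx is imported into the boot
# image or configured on the PXE service point, so record it securely.
$password = Read-Host -AsSecureString 'Password for the .pfx file'
$pfxBytes = $client.Export($ContentType::Pfx, $password)   # throws if the key is not exportable
[System.IO.File]::WriteAllBytes($PfxPath, $pfxBytes)

# Round-trip check: the file must load with that password and still contain the key.
$reloaded = New-Object "$X509.X509Certificate2" -ArgumentList $PfxPath, $password
if (-not $reloaded.HasPrivateKey) { throw "$PfxPath does not contain the private key" }
if ($reloaded.Thumbprint -ne $client.Thumbprint) { throw "$PfxPath holds a different certificate" }
"Wrote $PfxPath ($($pfxBytes.Length) bytes), private key present"

# 2. Root CA certificate as DER-encoded binary X.509 (X509ContentType::Cert is DER).
$root = Get-CertByThumbprint 'Cert:\LocalMachine\Root' $RootThumbprint
$derBytes = $root.Export($ContentType::Cert)
[System.IO.File]::WriteAllBytes($RootCerPath, $derBytes)
if (-not (Test-DerEncodedCert $RootCerPath)) { throw "$RootCerPath is not DER-encoded" }
"Wrote $RootCerPath ($($derBytes.Length) bytes), DER encoding verified"
```

`Test-DerEncodedCert` can be pointed at any .cer file you were handed for a mobile device or for the site's root CA list before you import it; a file that fails the check was almost certainly saved as Base64 and needs to be re-exported as binary.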
Mobile Devices
For additional information about the certificates required for mobile devices, see About Native Mode Certificates for Mobile Device Clients.
Certificate Deployment Information
Refer to the following section for guidance on how to install the PKI certificates required for Configuration Manager 2007 native mode:
Use the following administrator workflow and checklist to guide you through the PKI deployment steps for the PKI certificates required for Configuration Manager 2007 native mode:
Administrator Workflow: Deploying the PKI Requirements for Native Mode
Administrator Checklist: Deploying the PKI Requirements for Native Mode
When the PKI certificates are deployed and you are ready to migrate a Configuration Manager 2007 mixed mode site to native mode, use the following administrator workflow and checklist:
See Also
Tasks
How to Determine Whether Client Computers Are Ready for Native Mode
How to Identify Client Certificate Issues in Native Mode
How to Enable or Disable Certificate Revocation Checking (CRL) on Clients
Configuring DNS for Configuration Manager Site System Roles
Concepts
Benefits of Using Native Mode
Determine If You Can Use Your Existing PKI (Native Mode)
Renewing or Changing the Site Server Signing Certificate
Determine If You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)
Determine If You Will Use FQDN Server Names
Determine If You Need to Configure a Certificate Trust List (CTL) with IIS (Native Mode)