Deploying the Web Server Certificates to Site System Servers
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
The following site systems require Web server certificates when a Configuration Manager 2007 site is configured for native mode:
Management points (default management point, proxy management point, network load balanced management point, and Internet-based management point)
Standard distribution points (servers and shares) that are configured with the option Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS (required for device clients and Internet-based clients).
Software update points
State migration points
Branch distribution points do not require a Web server certificate. However, they do require a client certificate.
Deploying the Web server certificates is a two-step process:
Install the Web server certificate on the server.
Configure Internet Information Services (IIS) to use the Web server certificate.
Installing the Web Server Certificate on a Server
There are a number of ways that you can install the Web server certificates, including the following methods:
If you are using a Microsoft public key infrastructure (PKI) with an enterprise certification authority, you can create the certificates based on the Web server template and assign them to the servers using Group Policy and auto-enrollment.
If you are using a Microsoft PKI with Web enrollment that supports storing certificates into the local computer store, you can request a Web server certificate from each server by using the Web enrollment pages.
You can request the certificate from each server by running a wizard in Internet Information Services (IIS). For example, if you are using IIS 7.0 on Windows Server 2008, select Server Certificates from the home page, and then click Create Certificate Request to create a certificate request file. If you are using IIS 6.0 on Windows Server 2003, edit the Web site properties, click the Directory Security tab, and then click Server Certificate to create an online request or a certificate request file.
You can request and retrieve the certificate using the Microsoft Certreq command-line utility.
If you can create the certificate with your certificate management tools, you can export it and import it on each server.
For information about how to specify more than one fully qualified domain name (FQDN) in the certificate Subject Alternative Name field (for example, if the site system supports intranet and Internet client connections, or is a network load balancing site system), see How to Request a Certificate With a Custom Subject Alternative Name (http://go.microsoft.com/fwlink/?LinkId=189292).
Configure IIS to Use the Web Server Certificate on a Server
When you have installed the Web server certificate, you then need to configure Internet Information Services (IIS) so that the Configuration Manager 2007 Web site uses the certificate for authentication and encryption. You can script this installation or use the Internet Information Services (IIS) Manager console.
To configure IIS to use the Web server certificate using the Internet Information Services (IIS) Manager console, perform one of the following steps, depending on the version of IIS that you are using:
For IIS 7.0 on Windows Server 2008: Expand Sites, select the Web site that is being used by Configuration Manager (Default Web Site or SMSWEB), select Edit Bindings, and then configure https to use the Web server certificate.
For IIS 6.0 on Windows Server 2003: Edit the properties of the Web site that is being used by Configuration Manager (Default Web Site or SMSWEB), and select the Web server certificate to use by clicking Server Certificate on the Directory Security tab. This launches the Web Server Certificate Wizard, which prompts you to select the Web server certificate to use.
SMSWEB is the name of the Web site if you are using a custom Web site for Configuration Manager 2007. For more information about using custom Web sites in Configuration Manager 2007, see Configuration Manager Custom Web Site Overview and How to Configure Custom Web Sites for Configuration Manager Sites.
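A check that can be run on the site system once the certificate is installed, as an added example that is not part of the original Microsoft documentation: it lists the certificates in the local computer Personal store and reports whether each one has a private key, is within its validity period, carries the Server Authentication usage, and covers every expected FQDN. The FQDNs and the function name Test-WebServerCert are assumptions for illustration.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell 2.0+ session on the site system.
# Constructed placeholder names: replace with the intranet and Internet FQDNs of this site system.
$ExpectedFqdns = @('mp01.corp.example.com', 'mp01.example.com')
$EkuOid        = '2.5.29.37'           # Enhanced Key Usage extension
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication

function Test-WebServerCert {          # hypothetical helper name
    param($Cert, [string[]]$Fqdns)
    $problems = @()
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }

    # A certificate with no EKU extension is also reported; review such a certificate by hand.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $usages = @()
    if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($usages -notcontains $ServerAuthOid) { $problems += 'Server Authentication EKU missing' }

    # Collect the subject CN plus every DNS entry in the SAN.
    # "DNS Name=" is the label on English-language Windows; it is localized elsewhere.
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        $names += $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }
    foreach ($fqdn in $Fqdns) {
        if ($names -notcontains $fqdn) { $problems += "name not covered: $fqdn" }
    }
    $problems
}

# One line per certificate in the local computer Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $problems = @(Test-WebServerCert $_ $ExpectedFqdns)
    $status = if ($problems.Count -eq 0) { 'OK' } else { 'FAIL: ' + ($problems -join '; ') }
    '{0}  {1}  {2}' -f $_.Thumbprint, $_.Subject, $status
}
```

On Windows Server 2008, the thumbprint reported as OK can be compared with the Certificate Hash value that netsh http show sslcert shows for the HTTPS binding.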