How to Export the Site Server Signing Certificate for Configuration Manager Client Installation
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
If Configuration Manager 2007 clients cannot securely retrieve the native mode site server signing certificate from Active Directory Domain Services and must be installed with a copy of it, use the following procedure to export the site server signing certificate so that it can be referenced with the CCMSetup Client.msi property SMSSIGNCERT=<Full path and filename.cer>.
For more information about whether you need to use the SMSSIGNCERT property, see Decide How to Deploy the Site Server Signing Certificate to Clients (Native Mode).
For more information about installing clients with CCMSetup properties, see About Configuration Manager Client Installation Properties.
Before performing this procedure, ensure that the site server signing certificate is already deployed to the site server. For more information, see Deploying the Site Server Signing Certificate to the Site Server.
To export a copy of the site server signing certificate so that it can be included during client installation
On the Windows Server 2003 computer that is the Configuration Manager site server, click Start, click Run, type MMC in the Run dialog box, and then click OK.
In the empty console, click File, and then click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, click Add.
Select Certificates from Available snap-ins, and then click Add.
In the Certificates snap-in dialog box, click Computer account, and then click Next.
In the Select Computer dialog box, ensure that the option Local computer: (the computer this console is running on) is selected, and then click Finish.
In the Add or Remove Snap-ins dialog box, click OK.
In the console, expand Certificates (Local Computer).
Expand Personal, and then click Certificates.
In the results pane, locate the site server signing certificate. You can identify this certificate by using the following display columns:
The Issued To field will display "The site code of this site server is <site_code>".
The Intended Purposes column will display Document Signing.
Right-click the site server signing certificate, click All Tasks, and then click Export.
In the Certificate Export Wizard, click Next.
On the Export Private Key page, ensure that No, do not export the private key is selected, and then click Next.
On the Export File Format page, ensure that DER encoded binary X.509 (.CER) is selected, and then click Next.
On the File to Export page, specify the path and file into which you will export a copy of the certificate (there is no need to specify the .cer extension, which will be added automatically), and then click Next.
To close the wizard, click Finish in the Certificate Export Wizard, and then click OK to acknowledge the successful export completion.
Store the file securely, and ensure that you can access it securely when you need to specify the SMSSIGNCERT parameter during client installation.
Do not access the file using a file share, unless the connection uses IPsec with encryption. Connections to file shares use Server Message Block (SMB), which does not encrypt data communication.
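To confirm that the exported file is what this procedure should produce before you reference it with SMSSIGNCERT, the following PowerShell script checks the encoding, the absence of a private key, the Issued To value and the Document Signing purpose. It is an added example, not part of the original Microsoft documentation; the script name, parameter names and sample values are hypothetical, and it assumes Windows PowerShell 2.0 or later on the computer where you run it.

```powershell
# Added example, not Microsoft's code. Save as Test-SiteSigningCert.ps1 (hypothetical name).
# Usage (constructed values): .\Test-SiteSigningCert.ps1 -CerPath C:\Export\sitesign.cer -SiteCode ABC
param(
    [Parameter(Mandatory = $true)][string]$CerPath,   # file written by the Certificate Export Wizard
    [Parameter(Mandatory = $true)][string]$SiteCode   # site code of the site server
)
$ErrorActionPreference = 'Stop'                       # an unreadable or malformed file halts the script
$DocumentSigningOid = '1.3.6.1.4.1.311.10.3.12'       # EKU displayed as "Document Signing"
$path = (Resolve-Path -LiteralPath $CerPath).ProviderPath
$bytes = [System.IO.File]::ReadAllBytes($path)
$problems = @()

# "DER encoded binary X.509" produces a single bare certificate: content type Cert and
# first byte 0x30 (ASN.1 SEQUENCE). Base-64 text, PKCS #7 and PFX files fail this check.
$type = [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType($bytes)
if ($type -ne 'Cert' -or $bytes[0] -ne 0x30) {
    $problems += "Not a DER-encoded single certificate (content type: $type)"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# The copy handed to clients must contain the public certificate only.
if ($cert.HasPrivateKey) {
    $problems += 'File carries a private key; export again with "No, do not export the private key"'
}

# Issued To in the Certificates snap-in corresponds to the subject's simple name.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$issuedTo = $cert.GetNameInfo($nameType, $false)
$expected = "The site code of this site server is $SiteCode"
if ($issuedTo -ne $expected) { $problems += "Issued To is '$issuedTo', expected '$expected'" }

# Intended Purposes must include Document Signing.
$ekus = @()
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
}
if ($ekus -notcontains $DocumentSigningOid) { $problems += 'Document Signing purpose is missing' }

"Issued To : $issuedTo"
"Thumbprint: $($cert.Thumbprint)"   # compare with the Thumbprint on the certificate's Details tab on the site server
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'OK: file matches the certificate described in the export procedure'
```

Running the script again on the copy used at installation time and comparing the thumbprint with the value recorded on the site server shows whether the file changed in storage or transit.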
Administrator Checklist: Deploying the PKI Requirements for Native Mode
Certificate Requirements for Native Mode
Configuration Manager Site Modes
Deploying the Client Computer Certificates to Clients and the Management Point
For additional information, see Configuration Manager 2007 Information and Support.