Manual Certificate Procedures

2/9/2009

Use the following information to help you create System Center Mobile Device Manager certificates manually. This includes the following topics:

  • Certificate Templates in MDM (Overview)
  • Creating MDM Certificate Templates
  • Issuing Certificates by Using the MDM Templates
  • Create and Install Certificates from the SCMDMGCM Template
  • Updating Certificate Template Object Identifiers (known as OIDs) in the Active Directory service connection points (SCPs)

For best results, all certificates should chain to the same company certification authority root.

Certificate Templates in MDM (Overview)

During MDM installation, Setup creates certificate templates automatically by using the /createtemplates parameter in the Active Directory Configuration Tool (ADConfig). However, if you install certificates manually, you must create the certificate templates.

Important

If your organization chooses to install MDM certificates manually, you should not perform Active Directory certificate configuration by using the /createtemplates and /enabletemplates parameters in ADConfig. If you install certificates manually, you must follow the steps in Step 1c: Granting Certification Authority Permission to Revoke a Device Enrollment (Optional). We strongly recommend that you perform the automated certificate process and not the manual process.

The following lists the MDM Web sites and services that require secure communication and, for each one, the MDM certificate template that MDM creates for it. When you install certificates manually, you must create your own equivalents of these certificate templates.

MDM Device Management Server

  • Administration Web site: SCMDMWebServer (<instance name>)
  • Device Management Web site: SCMDMWebServer (<instance name>)
  • GCM Service: SCMDMGCM (<instance name>)

MDM Enrollment Server

  • Enrollment Web site: SCMDMWebServer (<instance name>)
  • Administration Web site: SCMDMWebServer (<instance name>)

MDM Gateway Server

  • Gateway Web site: SCMDMWebServer (<instance name>)

Windows Mobile Device

  • Device authentication: SCMDMMobileDevice (<instance name>)

The following provides general information about MDM certificate templates.

SCMDMGCM (<Instance Name>) Template

  • Validity period: Two years
  • Renewal period: Six weeks
  • Request minimum key size: 1024 for signature and encryption
  • Cryptographic service provider (CSP): Microsoft DSS and Diffie-Hellman (D-H) SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider
  • Subject name: Supply in the request
  • Extended key usage (EKU) and application policies: Client authentication, 1.3.6.1.4.1.311.65.1.1 (specific to MDM GCM client authentication)
  • Key usage: Digital signature; enable key exchange only with key encryption
  • SCMDMDeviceManagementServers and SCMDMServerAdmins security permission: Enroll
  • Authenticated users security permission: Read
  • Domain Administrator and Enterprise Administrator security permission: Full control

SCMDMWebServer (<Instance Name>) Template

  • Validity period: Two years
  • Renewal period: Six weeks
  • Request minimum key size: 1024 for signature and encryption
  • Cryptographic service provider (CSP): Microsoft D-H SChannel Cryptographic Provider and Microsoft RSA SChannel Cryptographic Provider
  • Subject name: Supply in the request
  • EKU and application policies: Server authentication
  • Key usage: Digital signature; enable key exchange only with key encryption
  • SCMDMServerAdmins security permission: Enroll
  • Authenticated users security permission: Read
  • Domain Administrator and Enterprise Administrator security permission: Full control

SCMDMMobileDevice (<Instance Name>) Template

  • Validity period: One year
  • Renewal period: Six weeks
  • Publish certificate to: Active Directory
  • Request minimum key size: 1024 for signature and encryption
  • Cryptographic service provider (CSP): Microsoft RSA SChannel Cryptographic Provider
  • Subject name, built from Active Directory information: Subject = common name, subject alternative name (SAN) = DNS name
  • EKU and application policies: Client authentication, 1.3.6.1.4.1.311.65.2.1 (specific to MDM device client authentication)
  • Key usage: Digital signature; enable key exchange only with key encryption
  • SCMDMEnrolledDevices security permission: Enroll
  • Authenticated users security permission: Read
  • Domain Administrator and Enterprise Administrator security permission: Full control

Creating MDM Certificate Templates

The following procedures are necessary to create the certificates for MDM deployment. This information is specific to MDM certificate templates and Web services that require certificates. Once you complete this section, you must perform the procedures in the section Updating Certificate Template Object Identifiers (OIDs) in the Active Directory service connection points (SCPs) at the end of this topic.

Important

When you manually create MDM certificate templates, you must append the MDM instance name to the template name, with a space between the template name and the parenthesized instance name. For example: SCMDMGCM (NWTRADERS). There are three MDM templates that can be used in MDM 2008 SP1:

  • SCMDMWebServer (<instance name>)
  • SCMDMMobileDevice (<instance name>)
  • SCMDMGCM (<instance name>)

Certificate Templates

You use the SCMDMWebServer (<instance name>) and SCMDMMobileDevice (<instance name>) templates to create certificates for MDM Web sites and devices, respectively, and the SCMDMGCM (<instance name>) template for the Gateway Central Management (GCM) service. These templates are created when you run AdConfig together with the /createtemplates parameter. During the installation process for each MDM server role, the certificates generate and install automatically. You can also create these certificates and templates manually as detailed in the following section. As soon as they are created, you must issue the MDM certificate templates.

Important

You must duplicate the MDM certificate templates from other preexisting templates in the Certification Authority console, as shown in the following:

To create a certificate template

  1. On the certification authority server, in Administrative Tools, open the Certification Authority console.

  2. On the Certification Authority page, in the navigation pane, right-click Certificate Templates, and then select Manage.

  3. Create your certificate template by using the information in the section Certificate Templates in MDM (Overview) for SCMDMGCM (<instance name>), SCMDMWebServer (<instance name>), and SCMDMMobileDevice (<instance name>) certificate templates.

To issue a certificate template

  1. On the certification authority server, in Administrative Tools, open the Certification Authority console.

  2. Right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.

  3. Select the MDM certificate template and then choose OK.

    Note

    You must repeat these steps for each MDM certificate template: SCMDMGCM (<instance name>), SCMDMWebServer (<instance name>), and SCMDMMobileDevice (<instance name>).

Issuing Certificates by Using MDM Templates

During Setup, MDM Setup requests and installs certificates from a certification authority. You can also create these certificates manually. The following require that you install a certificate for MDM:

  • Enrollment Server External Web Site Certificate
  • Enrollment Server Administration Web Site Certificate
  • Device Management Server Web Site Certificate
  • Device Management Server Administration Web Site Certificate
  • Device Management Gateway Central Management (GCM) Certificate
  • Gateway Server Web Site Certificate
  • Mobile Device Certificate

MDM Enrollment Server and MDM Device Management Server Only

The SCMDMWebServer (<instance name>) template lets an administrator create certificates for the following MDM IIS 6.0 Web sites. Each entry lists the virtual directory in IIS and the subject name to use for the certificate:

MDM Device Management Server

  • Device Management Server Web site certificate
    Virtual directory in IIS: MobileDeviceManager
    Subject name: MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com

  • Device Management Server Administration Web site certificate
    Virtual directory in IIS: MobileDeviceManagerAdmin
    Subject name: MDM Device Management Server or load balancer FQDN, for example, dm.contoso.com

MDM Enrollment Server

  • Enrollment Server External Web site certificate
    Virtual directory in IIS: Enrollment
    Subject name: External enrollment server or load balancer FQDN, for example, mobileenroll.contoso.com

  • Enrollment Server Administration Web site certificate
    Virtual directory in IIS: EnrollmentAdmin
    Subject name: Internal enrollment server or load balancer FQDN, for example, es.contoso.com

Create the IIS Certificate for an MDM Web Site

The procedures to create and install the certificates are the same for all Web sites except that each Web site will use a different common name and a different port configuration.

Important

During MDM Enrollment Server and MDM Device Management Server Setup, the administrator supplies the ports to use for the Enrollment Server Administration Web site and the Device Management Server Administration Web sites. The ports that are used will be required again for the following procedures. Follow these steps to install certificates for MDM Enrollment Server and MDM Device Management Server.

The following procedure provides one way to create a certificate for the MDM Web sites. This procedure does not require the SCMDMWebServer (<instance name>) template. MDM Setup requires the templates to create and bind the correct certificates to the Enrollment and Device Management Web sites. Setup does this automatically, without requiring administrator intervention. When you perform the steps manually, the standard Web Server template will be used. Alternatively, you can complete this process when you access the online certification authority by going to the Web site, https://[CAServerName]/certsrv, and then select the SCMDMWebServer (<instance name>) template.

To create and store an IIS certificate for an MDM Web site

  1. On MDM Enrollment Server or MDM Device Management Server, on the Start menu, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.

  2. On the IIS console, expand the server node, and then expand Web Sites. Right-click the virtual directory for the certificate that you want to install and then select Properties.

    Important

    Again, reference the previous table that lists the Web sites and virtual directories when you make this selection. The selection is Admin, Enrollment, EnrollmentAdminService, or DM.

  3. The site Properties dialog box appears. Choose the Directory Security tab.

  4. On the Directory Security tab, choose Server Certificate. The Welcome to the Web Server Certificate Wizard appears. Choose Next.

  5. On the Server Certificate page, select Create a new certificate, and then choose Next.

  6. Choose Send the request immediately to an online certification authority, and then choose Next.

  7. On the Name and Security Settings page, type a name for the certificate, and then choose Next.

  8. On the Organization Information page, type your company name and organization.

  9. On the Your Site’s Common Name page, type the FQDN of the server or the load balancer.

  10. Choose Next.

  11. On the Geographical Information page, choose the Country/Region, the State/province, and the City/locality, and then choose Next.

  12. On the SSL Port page, in the SSL port this web site should use section, type the SSL port to use for the virtual directory. It is important to choose a unique SSL port for each virtual directory if there is the possibility of interference with another Web service.

  13. On the Choose a Certification Authority page, in the Certification authorities section, select the name of the certification authority to use, and then choose Next.

  14. In the Certificate Request Submission dialog box, review the information, and then choose Next.

  15. When the certificate process is complete, a notification message appears. Choose Finish.

Note

Managed devices and MDM Enrollment Server must share a common root certification authority; they cannot chain to different root certification authorities.
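The requirement that every MDM certificate chain to the same company root is easy to break when certificates are issued by hand from several consoles. The following script is an added example, not part of the MDM documentation: it walks the local computer's personal store, picks out the certificates that carry the EKUs listed in the template overview above (server authentication, client authentication, and the two MDM-specific OIDs), builds each chain, and reports whether the chain ends at the root you expect. The root thumbprint is a placeholder you replace with your own company root's thumbprint.

```powershell
# Added example (not from the MDM documentation): check that the certificates MDM uses
# on this server chain to one common root and carry the expected EKU.
# Assumption: $expectedRootThumbprint is a placeholder for your company root CA thumbprint.

$expectedRootThumbprint = 'REPLACE-WITH-YOUR-ROOT-CA-THUMBPRINT'

# EKU OIDs taken from the MDM template overview; the first two are the standard
# server/client authentication OIDs, the last two are the MDM-specific ones.
$mdmEkus = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server authentication (SCMDMWebServer)'
    '1.3.6.1.5.5.7.3.2'      = 'Client authentication'
    '1.3.6.1.4.1.311.65.1.1' = 'MDM GCM client authentication (SCMDMGCM)'
    '1.3.6.1.4.1.311.65.2.1' = 'MDM device client authentication (SCMDMMobileDevice)'
}

function Test-MdmCertificateChain {
    param([string]$RootThumbprint)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            # Collect the EKU OIDs present on this certificate
            $ekus = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
                }
            }
            # Only report certificates that carry an EKU MDM relies on
            $relevant = @($ekus | Where-Object { $mdmEkus.ContainsKey($_) })
            if ($relevant.Count -eq 0) { continue }

            # Build the chain; the last element is the root the chain terminates at.
            # Revocation is not checked here so the report works without CRL access;
            # IIS and MDM still perform revocation checking at connection time.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $valid = $chain.Build($cert)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

            New-Object PSObject -Property @{
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
                Ekus           = ($relevant | ForEach-Object { $mdmEkus[$_] }) -join '; '
                ChainValid     = $valid
                RootThumbprint = $root.Thumbprint
                RootMatches    = ($root.Thumbprint -eq $RootThumbprint)
            }
        }
    }
    finally { $store.Close() }
}

Test-MdmCertificateChain -RootThumbprint $expectedRootThumbprint |
    Format-Table Subject, Ekus, ChainValid, RootMatches, NotAfter -AutoSize
```

Run it on MDM Enrollment Server, MDM Device Management Server and MDM Gateway Server after the certificates are installed; any row with RootMatches set to False identifies a certificate that was issued from a different root and will not be trusted by devices enrolled against your company root.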

Create and Install Certificates from the SCMDMGCM Template

The MDM GCM service resides on MDM Device Management Server and helps make sure that the communication between MDM Device Management Server and MDM Gateway Server is more secure. The procedures to create this certificate differ because this certificate is for a service instead of a Web site. The SCMDMGCM (<instance name>) template provides this certificate to MDM Device Management Server.

Important

For best results, the same certification authority must issue both the MDM Gateway Server certificate and the MDM GCM certificate. Follow these steps to create the certificate:

To create and install the GCM certificate

  1. On MDM Device Management Server, open Internet Explorer. In the Address bar, type https://[yourCAserver]/certsrv where yourCAserver is the name or IP address of the certification authority.

  2. Select Request a Certificate, and then select Advanced Certificate Request.

  3. Select Create and Submit a Request to this CA.

  4. On the Advanced Certificate Request page, in the Certificate Template section, select SCMDMGCM (<Instance Name>) from the list.

  5. Type the FQDN of the MDM Device Management Server for Name.

  6. Select the Store certificate in the local computer certificate store check box.

  7. Choose Submit.

  8. If the Potential Scripting Violation page appears, choose Yes.

  9. On the Certificate Issued page, select Install this certificate. If the Potential Scripting Violation page appears, choose Yes.

  10. The Certificate Installed page appears. Confirm the installation and then close Internet Explorer.

Provide Network Service Permissions to the Certificate

The MDM GCM service on MDM Device Management Server must have network permissions on the certificate to use it for more secure communication with MDM Gateway Server. Follow these steps immediately after you complete the previous steps.

To provide network service permissions to the certificate

  1. On MDM Device Management Server, open a Command Prompt window.

  2. Change to the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory.

  3. Type dir /as /od, and then press ENTER. The private key files are listed in ascending date order, so the most recently created key appears last. Copy the file name of that key to Notepad for later reference. It should resemble the following: 8aeda5eb81555f14f8f9960745b5a40d_38f7de48-5ee9-452d-8a5a-92789d7110b1.

    Important

    You only have to copy the machine key if the MDM GCM certificate was the last certificate created. Alternatively, to find the private key of a certificate, build the sample project at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=103625.

  4. In the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory, run the following command:

    cacls "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\<hash>" /E /G "NETWORK SERVICE":R

    Note

    %SystemDrive% expands to the system drive of your computer, typically C:. <hash> is the key file name that you copied in Step 3. The /E switch edits the existing ACL instead of replacing it, and the read permission is granted to the NETWORK SERVICE account, which is the account the MDM GCM service uses; the account name must be quoted because it contains a space.

  5. Close the Command Prompt window.
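Picking the newest file in MachineKeys only works if the GCM certificate really was the last key created on the server. The following script is an added example, not part of the MDM documentation: it finds the GCM certificate in the local computer store by the MDM GCM EKU listed in the template overview (1.3.6.1.4.1.311.65.1.1), reads the key container file name from the certificate's own private key handle, and then grants the NETWORK SERVICE account read access to exactly that file. It assumes the certificate was stored in the local computer certificate store with one of the SChannel CSPs named in the template overview, so that its key file lives under the MachineKeys directory described above.

```powershell
# Added example (not from the MDM documentation): locate the MDM GCM certificate's
# private key file by the certificate's EKU rather than by file date, then grant
# Network Service read access to that single file.
# Assumptions: local computer store, CSP-based (MachineKeys) key as in the template overview.

$gcmEku = '1.3.6.1.4.1.311.65.1.1'   # MDM GCM client authentication EKU from the template overview

# CommonApplicationData resolves to "...\All Users\Application Data" on Windows Server 2003
# and to "...\ProgramData" on Windows Server 2008, so the path is correct on both.
$machineKeys = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'

function Get-MdmGcmPrivateKeyPath {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey) { continue }
            # Look for the MDM GCM EKU on this certificate
            $hasGcmEku = $false
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) {
                        if ($oid.Value -eq $gcmEku) { $hasGcmEku = $true }
                    }
                }
            }
            if (-not $hasGcmEku) { continue }
            # UniqueKeyContainerName is the file name of the key container under MachineKeys
            $fileName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            return (Join-Path $machineKeys $fileName)
        }
    }
    finally { $store.Close() }
}

function Grant-NetworkServiceRead {
    param([string]$KeyFile)
    if (-not (Test-Path $KeyFile)) { throw "Key file not found: $KeyFile" }
    # Add a Read ACE for Network Service without touching the existing ACL entries
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

$keyFile = Get-MdmGcmPrivateKeyPath
if (-not $keyFile) { throw 'No certificate with the MDM GCM EKU was found in LocalMachine\My.' }
Grant-NetworkServiceRead -KeyFile $keyFile
Get-Acl -Path $keyFile | Format-List Path, AccessToString
```

Run it from an administrative prompt on MDM Device Management Server right after the GCM certificate is installed. Granting Read on the one key file, rather than on the MachineKeys directory, keeps the other machine keys on the server out of reach of the service account.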

Updating Certificate Template Object Identifiers (OIDs) in the Active Directory Service Connection Points (SCPs)

This section shows you how to update the certificate template object identifiers in the Active Directory service connection points (SCPs). You must follow these steps if you are manually provisioning certificates; otherwise, MDM will not allow devices into the system. Furthermore, these procedures are required if you manually change certificate templates outside of running ADConfig, or if you need to add or remove templates to the list of templates.

Note

The following procedures must be completed after the MDM Enrollment Server, the MDM Device Management Server, and the MDM Administrator Tools have been deployed. These components must be installed before you use ADConfig to create the certificate templates or manually create the certificate templates as detailed in this topic.

The following procedures instruct you on how to:

  • Obtain a certificate template object identifier.
  • Modify an MDM SCP object identifier list.
  • Change an existing SCP object identifier value (Option 1)
  • Remove an SCP object identifier value (Option 2)
  • Add an object identifier value (Option 3)
  • Propagate the object identifiers to the MDM Gateway Server.

The procedures marked as optional require you to choose the appropriate action to be performed. During this process, you will need a low-level Active Directory Editor, such as Active Directory Service Interfaces (ADSI). For more information about ADSI, see Adsiedit Overview on the Microsoft TechNet Web site:

https://go.microsoft.com/fwlink/?LinkId=105659

Caution

If you modify Active Directory with a low-level editor such as ADSIEdit, you can cause problems, such as serious system errors, with your Active Directory structure or environment. We cannot guarantee that these errors can be resolved. Modify Active Directory at your own risk.

To obtain a certificate template object identifier

  1. On the certification authority server, in Administrative Tools, open the Certification Authority console.

  2. On the Certification Authority page, in the navigation pane, right-click Certificate Templates, and then select Manage.

  3. Right-click the template that you want, and then choose Properties.

  4. Under the Extensions tab, select Certificate Template Information.

  5. Copy the numeric object identifier from the description box. An object identifier includes a series of numbers such as the following: 1.3.6.1.4.1.311.21.8….

To modify an MDM SCP object identifier list

  1. Open ADSIEdit.

  2. Expand the domain in which you first ran ADConfig.

  3. Expand CN=System.

  4. Expand CN=SCMDM. MDM SCPs for all instances in that domain are listed.

  5. Right-click the instance for which you want to modify the SCP information. For example, CN=Instance1.

  6. Select Properties.

  7. In the CN=<Instance Name> Properties dialog box, select Show only attributes that have values.

  8. Locate and then select the keywords attribute.

  9. Choose Edit to view the current values for the MDM Device Management Server SCP.

Option 1: To change an existing SCP object identifier value

  1. In the Multi-valued String Editor dialog box, select the object identifier value that you want to modify, and then choose Remove.

  2. Modify the entry, but do not change the gcmoid=, webserveroid=, or deviceoid= keyword names. For example: deviceoid=<object identifier value>.

  3. Choose Add. The modified entry appears in the Values list.

  4. Choose OK twice to close the editor.

  5. Continue with the steps under the procedure To propagate the certificate template object identifiers to the MDM Gateway Server below.

Option 2: To remove an SCP object identifier value

  1. In the Multi-valued String Editor dialog box, select the object identifier value that you want to remove, and then choose Remove.

  2. Choose OK twice to close the editor.

  3. Continue with the steps under the procedure To propagate the certificate template object identifiers to the MDM Gateway Server below.

Option 3: To add an object identifier value

  1. In the Multi-valued String Editor dialog box, type one of the following object identifier keywords: gcmoid, deviceoid, or webserveroid.

  2. Type an equals sign (=).

  3. Type the entire object identifier of the certificate template whose certificates you want the MDM system to accept.

    Note

    The final entry should look something like deviceoid=<object identifier value>.

  4. Choose OK twice to close the editor.

  5. Continue with the steps under the procedure To propagate the certificate template object identifiers to the MDM Gateway Server below.
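The three options above all edit the same multi-valued keywords attribute on the instance SCP, and the OID they need is the one the template's Certificate Template Information extension shows. The following script is an added example, not part of the MDM documentation: it reads the template OID from the template object in the forest configuration partition (the msPKI-Cert-Template-OID attribute of the object under CN=Certificate Templates,CN=Public Key Services,CN=Services) and then replaces, or adds, the matching gcmoid=, webserveroid= or deviceoid= value on CN=<instance name>,CN=SCMDM,CN=System,<domain DN>, the SCP location the ADSIEdit procedure above walks to. The instance name and template name are placeholders.

```powershell
# Added example (not from the MDM documentation): publish a certificate template's OID
# into the MDM instance SCP keywords attribute, the same attribute edited by hand above.
# Assumptions: instance and template names are placeholders; the SCP path follows the
# CN=<instance>,CN=SCMDM,CN=System,<domain DN> layout described in the procedure.

$instanceName = 'NWTRADERS'                    # placeholder MDM instance name
$templateName = "SCMDMGCM ($instanceName)"     # template whose OID is being published
$keyword      = 'gcmoid'                       # one of gcmoid, webserveroid, deviceoid

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Get('defaultNamingContext')
$configDn = $rootDse.Get('configurationNamingContext')

function Get-CertificateTemplateOid {
    param([string]$DisplayName)
    # Certificate templates live in the forest configuration partition
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
    foreach ($template in $container.Children) {
        if ([string]$template.displayName -eq $DisplayName) {
            return [string]$template.'msPKI-Cert-Template-OID'
        }
    }
    throw "Template '$DisplayName' was not found in Active Directory."
}

function Set-MdmScpTemplateOid {
    param([string]$Instance, [string]$Keyword, [string]$Oid)
    $scp = [ADSI]"LDAP://CN=$Instance,CN=SCMDM,CN=System,$domainDn"
    # Keep every existing keyword except the one being replaced, then append the new value
    # (this covers Option 1 when the keyword exists and Option 3 when it does not)
    $kept = @($scp.keywords | Where-Object { $_ -notlike "$Keyword=*" })
    $kept += "$Keyword=$Oid"
    # PutEx with ADS_PROPERTY_UPDATE (2) replaces the whole multi-valued attribute
    $scp.PutEx(2, 'keywords', [string[]]$kept)
    $scp.SetInfo()
    return $kept
}

$oid = Get-CertificateTemplateOid -DisplayName $templateName
Write-Host "Template '$templateName' has OID $oid"
Set-MdmScpTemplateOid -Instance $instanceName -Keyword $keyword -Oid $oid
```

Run it as a user with write access to the SCP, which is the same access the ADSIEdit procedure requires. It changes only the one keyword you name and leaves the other gcmoid=, webserveroid= and deviceoid= values in place; the propagation procedure that follows still has to be run in MDM Shell so MDM Gateway Server receives the updated list.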

To propagate the certificate template object identifiers to the MDM Gateway Server

  1. For this procedure, make sure that at least one MDM Device Management Server is installed for this instance and is running when applying the global gateway configuration.

  2. On a computer or server that has MDM Console, choose Start, choose All Programs, choose Microsoft System Center Mobile Device Manager, and then choose Mobile Device Manager Shell.

  3. In MDM Shell, select the appropriate MDM instance when prompted, or set the instance explicitly by using the following cmdlet:

    Set-MDMCurrentInstance <InstanceName>
    
  4. In MDM Shell, type the following cmdlet pipeline and press Enter:

    Get-MDMGlobalGatewayConfig | Set-MDMGlobalGatewayConfig