PKI certificate requirements for System Center Configuration Manager

Applies to: System Center Configuration Manager (Current Branch)

The public key infrastructure (PKI) certificates that you might require for System Center Configuration Manager are listed in the following tables. This information assumes basic knowledge of PKI certificates. For step-by-step deployment guidance see Step-by-step example deployment of the PKI certificates for System Center Configuration Manager: Windows Server 2008 Certification Authority.

For more about Active Directory Certificate Services, see the following documentation:

For information about using Cryptography API: Next Generation (CNG) certificates with Configuration Manager, see CNG certificates overview.

Important

System Center Configuration Manager supports Secure Hash Algorithm 2 (SHA-2) certificates. SHA-2 certificates bring an important security advantage. Therefore, we recommend the following:

  • Issue new server and client authentication certificates that are signed with SHA-2, which includes SHA-256 and SHA-512, among others.
  • All Internet-facing services should use a SHA-2 certificate. For example, if you purchase a public certificate for use with a cloud management gateway, make sure that you purchase a SHA-2 certificate.

Effective February 14, 2017, Windows no longer trusts certain certificates signed with SHA-1. In general, we recommend that you issue new server and client authentication certificates signed with SHA-2 (which includes SHA-256 and SHA-512, among others). Additionally, we recommend that any Internet-facing services use a SHA-2 certificate. For example, if you purchase a public certificate for use with a cloud management gateway, make sure that you purchase a SHA-2 certificate.

In most cases, the change to SHA-2 certificates has no impact on operations. For more information, see Windows Enforcement of SHA1 certificates.

With the exception of client certificates that System Center Configuration Manager enrolls on mobile devices and Mac computers, certificates that Microsoft Intune automatically creates to manage mobile devices, and certificates that System Center Configuration Manager installs on AMT-based computers, you can use any PKI to create, deploy, and manage the following certificates. However, when you use Active Directory Certificate Services and certificate templates, this Microsoft PKI solution can ease the management of certificates. Use the Microsoft certificate template to use column in the following tables to identify the certificate template that most closely matches the certificate requirements. Only an enterprise certification authority that runs on the Enterprise Edition or Datacenter Edition of the server operating system, like Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, can use template-based certificates.

Important

When you use an enterprise certification authority and certificate templates, do not use the Version 3 templates. These certificate templates create certificates that are incompatible with System Center Configuration Manager. Instead, use Version 2 templates by using the following instructions:

  • For a CA on Windows Server 2012: On the Compatibility tab of the certificate template properties, specify Windows Server 2003 for the Certification Authority option, and Windows XP / Server 2003 for the Certificate recipient option.
  • For a CA on Windows Server 2008: When you duplicate a certificate template, keep the default selection, Windows Server 2003 Enterprise, when you are prompted by the Duplicate Template dialog box. Do not select Windows Server 2008, Enterprise Edition.

Use the following sections to view the certificate requirements.

PKI Certificates for Servers

Each entry below lists the System Center Configuration Manager component, the certificate purpose, the Microsoft certificate template to use, the specific information in the certificate, and how the certificate is used in System Center Configuration Manager.
Component: Site systems that run Internet Information Services (IIS) and that are set up for HTTPS client connections:
  • Management point
  • Distribution point
  • Software update point
  • State migration point
  • Enrollment point
  • Enrollment proxy point
  • Application Catalog web service point
  • Application Catalog website point
  • Certificate registration point
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

  If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN).

  If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's name, depending on how the site system is set up.

  If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer name) must be specified by using the ampersand (&) symbol delimiter between the two names.

  Note: When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.

  The SHA-2 hash algorithm is supported.

  System Center Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size related issues for this certificate.
How the certificate is used in System Center Configuration Manager:
  This certificate must reside in the Personal store in the Computer certificate store.

  This web server certificate is used to authenticate these servers to the client and to encrypt all data that is transferred between the client and these servers by using Secure Sockets Layer (SSL).
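The following audit script is an added example and is not part of the Configuration Manager documentation or product. It walks the Personal store of the Computer certificate store, where the entry above says the certificate must reside, and reports every certificate that fails one of the stated requirements: the Server Authentication EKU, the required FQDNs in the Subject or Subject Alternative Name, a SHA-2 signature as the Important note earlier recommends, a private key, an unexpired validity period, and an optional RSA key-length limit. The host names are constructed placeholders, the list of SHA-2 signature OIDs is standard PKCS #1 and X9.62 values, and the DnsNameList property is the type extension PowerShell adds to X509Certificate2 objects on Windows. Passing 1.3.6.1.5.5.7.3.2 as the EKU and 2048 as the limit reuses the same function for the client certificates described later in this article.

```powershell
# Added example; not part of the Configuration Manager documentation or product.
# Audits certificates in the local computer Personal store against the
# server-authentication requirements listed in the entry above.

# Signature algorithm OIDs that use a SHA-2 digest (RSA per PKCS #1, ECDSA per X9.62).
$SignatureOidsSha2 = @(
    '1.2.840.113549.1.1.11',  # sha256WithRSAEncryption
    '1.2.840.113549.1.1.12',  # sha384WithRSAEncryption
    '1.2.840.113549.1.1.13',  # sha512WithRSAEncryption
    '1.2.840.10045.4.3.2',    # ecdsa-with-SHA256
    '1.2.840.10045.4.3.3',    # ecdsa-with-SHA384
    '1.2.840.10045.4.3.4'     # ecdsa-with-SHA512
)

function Test-CMCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,

        # FQDNs (Internet, intranet, or both) that must appear in the Subject CN or the SAN.
        [string[]] $RequiredDnsName = @(),

        # 1.3.6.1.5.5.7.3.1 = Server Authentication; 1.3.6.1.5.5.7.3.2 = Client Authentication.
        [string] $RequiredEku = '1.3.6.1.5.5.7.3.1',

        # 0 = no limit (the IIS entry specifies none); use 2048 for the SQL Server and client entries.
        [int] $MaxRsaKeyLength = 0
    )
    process {
        $problems = [System.Collections.Generic.List[string]]::new()

        # Enhanced Key Usage (OID 2.5.29.37); .NET surfaces it as a typed extension object.
        $ekuOids = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }
        if ($ekuOids -notcontains $RequiredEku) {
            $problems.Add("EKU does not contain $RequiredEku (found: $($ekuOids -join ', '))")
        }

        # Names to match: the Subject CN plus every DNS name in the SAN (DnsNameList is
        # the PowerShell type extension on Windows; it is empty elsewhere).
        $names = @($Certificate.GetNameInfo('SimpleName', $false)) +
                 @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
        foreach ($fqdn in $RequiredDnsName) {
            if ($names -notcontains $fqdn) { $problems.Add("Neither Subject nor SAN contains $fqdn") }
        }

        # SHA-1 signed certificates are no longer trusted; require a SHA-2 signature OID.
        if ($SignatureOidsSha2 -notcontains $Certificate.SignatureAlgorithm.Value) {
            $problems.Add("Signature algorithm is $($Certificate.SignatureAlgorithm.FriendlyName), not SHA-2")
        }

        if (-not $Certificate.HasPrivateKey) { $problems.Add('No private key in this store') }
        if ($Certificate.NotAfter -le (Get-Date)) { $problems.Add("Expired on $($Certificate.NotAfter)") }

        # RSA key length; GetRSAPublicKey returns $null for non-RSA keys.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($MaxRsaKeyLength -gt 0 -and $rsa -and $rsa.KeySize -gt $MaxRsaKeyLength) {
            $problems.Add("RSA key is $($rsa.KeySize) bits, above the $MaxRsaKeyLength-bit limit")
        }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Compliant  = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Sample run for a management point that accepts both intranet and Internet connections.
# Both host names are constructed placeholders.
Get-ChildItem Cert:\LocalMachine\My |
    Test-CMCertificate -RequiredDnsName 'mp01.corp.contoso.com', 'mp01.contoso.com' |
    Format-Table Thumbprint, Compliant, Problems -AutoSize
```

A certificate that reports Compliant = True here still has to chain to a root that the clients trust; the script checks the certificate's own fields, not the chain, because chain validity depends on the store contents of the connecting client rather than of the site system.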
Component: Cloud-based distribution point
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

  The Subject Name must contain a customer-defined service name and domain name in an FQDN format as the Common Name for the specific instance of the cloud-based distribution point.

  The private key must be exportable.

  The SHA-2 hash algorithm is supported.

  Supported key lengths: 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  This service certificate is used to authenticate the cloud-based distribution point service to Configuration Manager clients and to encrypt all data transferred between them by using Secure Sockets Layer (SSL). This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported when you create a cloud-based distribution point.

  Note: This certificate is used in conjunction with the Windows Azure management certificate.
Component: Site system servers that run Microsoft SQL Server
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

  The Subject Name must contain the intranet fully qualified domain name (FQDN).

  The SHA-2 hash algorithm is supported.

  Maximum supported key length is 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  This certificate must be in the Personal store in the Computer certificate store. System Center Configuration Manager automatically copies it to the Trusted People Store for servers in the System Center Configuration Manager hierarchy that might have to establish trust with the server.

  These certificates are used for server-to-server authentication.
Component: SQL Server cluster: Site system servers that run Microsoft SQL Server
Certificate purpose: Server authentication
Microsoft certificate template to use: Web Server
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

  The Subject Name must contain the intranet fully qualified domain name (FQDN) of the cluster.

  The private key must be exportable.

  The certificate must have a validity period of at least two years when you configure System Center Configuration Manager to use the SQL Server cluster.

  The SHA-2 hash algorithm is supported.

  Maximum supported key length is 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  After you have requested and installed this certificate on one node in the cluster, export the certificate and import it to each additional node in the SQL Server cluster.

  This certificate must be in the Personal store in the Computer certificate store. System Center Configuration Manager automatically copies it to the Trusted People Store for servers in the System Center Configuration Manager hierarchy that might have to establish trust with the server.

  These certificates are used for server-to-server authentication.
Component: Site system monitoring for the following site system roles:
  • Management point
  • State migration point
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  Computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.

  Note: If you are using multiple values for the Subject Alternative Name, only the first value is used.

  The SHA-2 hash algorithm is supported.

  Maximum supported key length is 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  This certificate is required on the listed site system servers, even if the System Center Configuration Manager client is not installed. This setup enables the health of these site system roles to be monitored and reported to the site.

  The certificate for these site systems must reside in the Personal store of the Computer certificate store.
Component: Servers running the System Center Configuration Manager Policy Module with the Network Device Enrollment Service role service
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN). You can use the same certificate for multiple servers running the Network Device Enrollment Service.

  SHA-2 and SHA-3 hash algorithms are supported.

  Supported key lengths: 1,024 bits and 2,048 bits.
Component: Site systems that have a distribution point installed
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN). You can use the same certificate for multiple distribution points. However, it is a good idea to use a different certificate for each distribution point.

  The private key must be exportable.

  The SHA-2 hash algorithm is supported.

  Maximum supported key length is 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  This certificate has two purposes:
    • It authenticates the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.
    • When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers. If task sequences in the operating system deployment process include client actions like client policy retrieval or sending inventory information, the client computers can connect to an HTTPS-enabled management point during the deployment of the operating system.

  This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.

  This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format. The password must be known so that it can be imported into the distribution point properties.

  Note: The requirements for this certificate are the same as the client certificate for boot images that deploy operating systems. Because the requirements are the same, you can use the same certificate file.
Component: Out-of-band service point
Certificate purpose: AMT provisioning
Microsoft certificate template to use: Web Server (modified)
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3.

  The subject name field must contain the FQDN of the server that is hosting the out-of-band service point.

  Note: An AMT provisioning certificate that you request from an external CA instead of from your own internal CA might not support the AMT provisioning object identifier, 2.16.840.1.113741.1.2.3. You can alternatively specify the following text string as an organizational unit (OU) attribute in the certificate subject name: Intel(R) Client Setup Certificate. You must use the exact text string in English, in the same case, without a trailing period, and in addition to the FQDN of the server that is hosting the out-of-band service point.

  Supported key lengths: 1,024 and 2,048. For AMT 6.0 and later versions, the key length of 4,096 bits is also supported.
How the certificate is used in System Center Configuration Manager:
  This certificate is in the Personal store in the Computer certificate store of the out-of-band service point site system server.

  This AMT provisioning certificate is used to prepare computers for out-of-band management.

  You must request this certificate from a CA that supplies AMT provisioning certificates. The BIOS extension for the Intel AMT-based computers must be set up to use the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate.

  VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA.

  Install the certificate on the server that hosts the out-of-band service point, which must be able to chain successfully to the certificate's root CA. (By default, the root CA certificate and intermediate CA certificate for VeriSign are installed when Windows installs.)
Component: Site system server that runs the Microsoft Intune connector
Certificate purpose: Client authentication
Microsoft certificate template to use: Not applicable: Intune automatically creates this certificate.
Specific information in the certificate:
  Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2).

  Three custom extensions uniquely identify the customer's Intune subscription.

  The key size is 2,048 bits and uses the SHA-1 hash algorithm.

  Note: You cannot change these settings. This information is provided for informational purposes only.
How the certificate is used in System Center Configuration Manager:
  This certificate is automatically requested and installed to the Configuration Manager database when you subscribe to Microsoft Intune. When you install the Microsoft Intune connector, this certificate is then installed on the site system server that runs the Microsoft Intune connector. It is installed in the Computer certificate store.

  This certificate is used to authenticate the Configuration Manager hierarchy to Microsoft Intune by using the Microsoft Intune connector. All data that is transferred between them uses Secure Sockets Layer (SSL).

Proxy web servers for Internet-based client management

If the site supports Internet-based client management, and you are using a proxy web server by using SSL termination (bridging) for incoming Internet connections, the proxy web server has the certificate requirements listed in the following table.

Note

If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server.

The entry below lists the network infrastructure component, the certificate purpose, the Microsoft certificate template to use, the specific information in the certificate, and how the certificate is used in System Center Configuration Manager.
Component: Proxy web server accepting client connections over the Internet
Certificate purpose: Server authentication and client authentication
Microsoft certificate template to use:
  1. Web Server
  2. Workstation Authentication
Specific information in the certificate:
  Internet FQDN in the Subject Name field or in the Subject Alternative Name field. If you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only.

  The SHA-2 hash algorithm is supported.
How the certificate is used in System Center Configuration Manager:
  This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server by using SSL:
    • Internet-based management point
    • Internet-based distribution point
    • Internet-based software update point

  The client authentication is used to bridge client connections between the System Center Configuration Manager clients and the Internet-based site systems.

PKI certificates for clients

Each entry below lists the System Center Configuration Manager component, the certificate purpose, the Microsoft certificate template to use, the specific information in the certificate, and how the certificate is used in System Center Configuration Manager.
Component: Windows client computers
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.

  Note: If you are using multiple values for the Subject Alternative Name, only the first value is used.

  The SHA-2 hash algorithm is supported.

  Maximum supported key length is 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  By default, System Center Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.

  Except for the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are set up to use HTTPS.
Component: Mobile device clients
Certificate purpose: Client authentication
Microsoft certificate template to use: Authenticated Session
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  SHA-1 hash algorithm.

  Maximum supported key length is 2,048 bits.

  Notes:
    • These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format.
    • Base64 encoded X.509 format is not supported.
How the certificate is used in System Center Configuration Manager:
  This certificate authenticates the mobile device client to the site system servers that it communicates with, like management points and distribution points.
Component: Boot images for deploying operating systems
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  There are no specific requirements for the certificate Subject Name field or Subject Alternative Name (SAN), and you can use the same certificate for all boot images.

  The private key must be exportable.

  The SHA-2 hash algorithm is supported.

  Maximum supported key length is 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  The certificate is used if task sequences in the operating system deployment process include client actions like client policy retrieval or sending inventory information.

  This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates.

  This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported to the System Center Configuration Manager boot images.

  This certificate is temporary for the task sequence and not used to install the client. When you have an environment with HTTPS only, the client must have a valid certificate for the client to communicate with the site and for the deployment to continue. The client can automatically generate a certificate when the client is joined to Active Directory, or you can install a client certificate by using another method.

  Note: The requirements for this certificate are the same as the server certificate for site systems that have a distribution point installed. Because the requirements are the same, you can use the same certificate file.
Component: Mac client computers
Certificate purpose: Client authentication
Microsoft certificate template to use:
  For System Center Configuration Manager enrollment: Authenticated Session

  For certificate installation independent from System Center Configuration Manager: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  For System Center Configuration Manager that creates a User certificate, the certificate Subject value is automatically populated with the user name of the person who enrolls the Mac computer.

  For certificate installation that does not use System Center Configuration Manager enrollment but deploys a Computer certificate independently from System Center Configuration Manager, the certificate Subject value must be unique. For example, specify the FQDN of the computer.

  The Subject Alternative Name field is not supported.

  The SHA-2 hash algorithm is supported.

  Maximum supported key length is 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  This certificate authenticates the Mac client computer to the site system servers that it communicates with, like management points and distribution points.
Component: Linux and UNIX client computers
Certificate purpose: Client authentication
Microsoft certificate template to use: Workstation Authentication
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  The Subject Alternative Name field is not supported.

  The private key must be exportable.

  SHA-2 hash algorithm is supported if the operating system of the client supports SHA-2. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in Planning for client deployment to Linux and UNIX computers in System Center Configuration Manager.

  Supported key lengths: 2,048 bits.

  Note: These certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported.
How the certificate is used in System Center Configuration Manager:
  This certificate authenticates the Linux or UNIX client computer to the site system servers that it communicates with, like management points and distribution points. This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate.

  For additional information, see the Planning for Security and Certificates for Linux and UNIX Servers section in Planning for client deployment to Linux and UNIX computers in System Center Configuration Manager.
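Several entries in these tables end the same way: the certificate has to leave the store it was issued into as a password-protected PKCS #12 file (cloud-based distribution point, distribution point and boot image, SQL Server cluster nodes, Linux and UNIX clients), and the certificates handed to mobile devices and Linux and UNIX clients must be DER-encoded rather than Base64. The script below is an added example covering those steps together; it is not part of the Configuration Manager documentation or product. The thumbprint, file paths and the one-tier CA lookup are placeholders and assumptions; Export-PfxCertificate, Import-PfxCertificate and Export-Certificate are the cmdlets of the Windows PKI module.

```powershell
# Added example; not part of the Configuration Manager documentation or product.
# Thumbprint, paths and the single-tier CA assumption below are constructed placeholders.

$ErrorActionPreference = 'Stop'
$thumbprint = 'THUMBPRINT_OF_THE_ISSUED_CERTIFICATE'   # placeholder: paste the real thumbprint here
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

# 1. PKCS #12 export. Export-PfxCertificate fails when the template did not mark the
#    private key as exportable, which is exactly the "private key must be exportable"
#    requirement for the cloud-based distribution point, distribution point, boot image,
#    SQL Server cluster and Linux/UNIX client entries. The password is needed again at import.
$pfxPassword = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
try {
    Export-PfxCertificate -Cert $cert -FilePath 'C:\certs\cm-cert.pfx' -Password $pfxPassword | Out-Null
}
catch {
    throw "Export failed; re-issue the certificate from a template with an exportable private key. $($_.Exception.Message)"
}

# 2. SQL Server cluster: import the same PFX into the Personal store of the Computer
#    certificate store on each additional node (run this part on that node).
Import-PfxCertificate -FilePath '\\fileshare\certs\cm-cert.pfx' `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable | Out-Null

# 3. Root CA certificate for boot images, mobile devices and Linux/UNIX clients:
#    -Type CERT writes DER-encoded binary X.509, the encoding those entries require.
#    Matching Issuer to a Root-store Subject assumes a one-tier CA (assumption, not a rule).
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $cert.Issuer } | Select-Object -First 1
if (-not $rootCa) { throw "Issuer '$($cert.Issuer)' was not found in the Trusted Root store" }
Export-Certificate -Cert $rootCa -FilePath 'C:\certs\root-ca.cer' -Type CERT | Out-Null

# 4. A certificate file received from elsewhere may be Base64 (PEM). Convert a single
#    certificate to DER and prove the bytes parse before handing the file to a client.
function ConvertTo-DerCertificateFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Destination
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match '-----BEGIN CERTIFICATE-----') {
        $body  = $text -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''
        $bytes = [Convert]::FromBase64String($body)
    }
    # A DER-encoded certificate starts with the ASN.1 SEQUENCE tag 0x30; loading it
    # through X509Certificate2 catches anything that is neither DER nor Base64 X.509.
    if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) { throw "$Path is neither DER nor Base64 X.509" }
    $null = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    [System.IO.File]::WriteAllBytes($Destination, $bytes)
}
ConvertTo-DerCertificateFile -Path 'C:\certs\client.cer' -Destination 'C:\certs\client-der.cer'
```

Keep the PFX file and its password under the same protection as the private key they contain: every node, distribution point or client that imports the file ends up with the same private key, which is why the cloud-based distribution point and boot image entries call for the password to be known only to the person configuring the role.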
Component: Root certification authority (CA) certificates for the following scenarios:
  • Operating system deployment
  • Mobile device enrollment
  • RADIUS server authentication for Intel AMT-based computers
  • Client certificate authentication
Certificate purpose: Certificate chain to a trusted source
Microsoft certificate template to use: Not applicable.
Specific information in the certificate:
  Standard root CA certificate.
How the certificate is used in System Center Configuration Manager:
  The root CA certificate must be provided when clients have to chain the certificates of the communicating server to a trusted source. This applies in the following scenarios:
    • When you deploy an operating system, and task sequences run that connect the client computer to a management point that is set up to use HTTPS.
    • When you enroll a mobile device to be managed by System Center Configuration Manager.
    • When you use 802.1X authentication for AMT-based computers, and you want to specify a file for the RADIUS server's root certificate.

  In addition, the root CA certificate for clients must be provided if the client certificates are issued by a different CA hierarchy than the CA hierarchy that issued the management point certificate.
Component: Intel AMT-based computers
Certificate purpose: Server authentication
Microsoft certificate template to use:
  Web Server (modified)

  You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format.

  You must grant Read and Enroll permissions to the universal security group that you specify in the out-of-band management component properties.
Specific information in the certificate:
  Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1).

  The Subject Name must contain the FQDN of the AMT-based computer, which is supplied automatically from Active Directory Domain Services.
How the certificate is used in System Center Configuration Manager:
  This certificate is in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.

  Each Intel AMT-based computer requests this certificate during AMT provisioning and for subsequent updates. If you remove AMT provisioning information from these computers, they revoke this certificate.

  When this certificate is installed on Intel AMT-based computers, the certificate chain to the root CA is also installed. AMT-based computers cannot support CA certificates with a key length larger than 2,048 bits.

  After the certificate is installed on Intel AMT-based computers, this certificate authenticates the AMT-based computers to the out-of-band service point site system server and to computers that run the out-of-band management console, and encrypts all data transferred between them by using Transport Layer Security (TLS).
Component: Intel AMT 802.1X client certificate
Certificate purpose: Client authentication
Microsoft certificate template to use:
  Workstation Authentication

  You must set up the Subject Name for Build from this Active Directory information, select Common name for the Subject name format, clear the DNS name, and then select the User principal name (UPN) for the alternative subject name.

  You must grant the universal security group that you specify in the out-of-band management component properties Read and Enroll permissions to this certificate template.
Specific information in the certificate:
  Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

  The subject name field must contain the FQDN of the AMT-based computer and the subject alternative name must contain the UPN.

  Maximum supported key length: 2,048 bits.
How the certificate is used in System Center Configuration Manager:
  This certificate is in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.

  Each Intel AMT-based computer can request this certificate during AMT provisioning, but the computer does not revoke this certificate when its AMT provisioning information is removed.

  After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the RADIUS server so that it can then be authorized for network access.
Component: Mobile devices that are enrolled by Microsoft Intune
Certificate purpose: Client authentication
Microsoft certificate template to use: Not applicable: Intune automatically creates this certificate.
Specific information in the certificate:
  Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2).

  Three custom extensions uniquely identify the customer's Intune subscription.

  Users can supply the certificate Subject value during enrollment. However, Intune does not use this value to identify the device.

  The key size is 2,048 bits and uses the SHA-1 hash algorithm.

  Note: You cannot change these settings. This information is provided for informational purposes only.
How the certificate is used in System Center Configuration Manager:
  This certificate is automatically requested and installed when authenticated users enroll their mobile devices by using Microsoft Intune. The resulting certificate on the device resides in the Computer store and authenticates the enrolled mobile device to Intune, so that it can then be managed.

  Because of the custom extensions in the certificate, authentication is restricted to the Intune subscription that has been established for the organization.