Creating and Issuing a Custom Workstation …

Date post: 07-Jun-2020
In this post we will see the steps for deploying the client certificate for distribution points. This is one of the posts of the Deploy PKI Certificates for SCCM 2012 R2 Step by Step Guide. In the previous post we covered the PKI certificate requirements, deploying the web server certificate for site systems that run IIS, and deploying client certificates for Windows computers. The next step is to deploy the client certificate for distribution points.

This certificate serves two purposes. The certificate is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution point sends status messages. When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to an HTTPS-enabled management point during the deployment of the operating system. You can log in with a root domain administrator account or an enterprise domain administrator account and use this account for all procedures in this example deployment.

This certificate deployment has the following procedures:

1. Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
2. Requesting the Custom Workstation Authentication Certificate
3. Exporting the Client Certificate for Distribution Points

Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority

On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

In the Duplicate Template dialog box, ensure that Windows 2003 Server is selected.

In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as SCCM Client Distribution Point Certificate.

Click the Request Handling tab, and select Allow private key to be exported.

Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group.

Click Add, enter SCCM IIS Servers in the text box, and then click OK. Select the Enroll permission for this group, and do not clear the Read permission. Click OK and close the Certificate Templates console.

In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the new template that you have just created, SCCM Client Distribution Point Certificate, and then click OK.

Requesting the Custom Workstation Authentication Certificate

This procedure requests and then installs the custom client certificate onto the member server that runs IIS and that will be configured as a distribution point. Run the mmc command to launch the Certificate snap-in dialog box, select Computer account, and then click Next. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. In the Add or Remove Snap-ins dialog box, click OK. In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.

On the Request Certificates page, select the SCCM Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll.

On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that SCCM Client Distribution Point Certificate is displayed in the Certificate Template column.

Exporting the Client Certificate for Distribution Points

In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export.

In the Certificates Export Wizard, click Next. On the Export Private Key page, select Yes, export the private key, and then click Next.

On the Export File Format page, ensure that the option Personal Information Exchange – PKCS #12 (.PFX) is selected. Click Next.

On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

On the File to Export page, specify the name of the file that you want to export, and then click Next.

To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box. Close Certificates (Local Computer). The certificate is now ready to be imported when you configure the distribution point.
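
The verification and export steps above can also be scripted. The following PowerShell is an added example, not part of the original guide; the output path is hypothetical, and it assumes a domain-joined server where the template display name appears in the certificate's template extension.

```powershell
# Added example. Template name is taken from the walkthrough; $PfxPath is hypothetical.
$TemplateName  = 'SCCM Client Distribution Point Certificate'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication enhanced key usage
$TemplateOid   = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
$PfxPath       = 'C:\Temp\SCCM-DP-Client.pfx'

# Find certificates in the computer's Personal store issued from the custom template.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
    $tpl -and ($tpl.Format($false) -like "*$TemplateName*")
}
if (-not $candidates) {
    throw "No certificate issued from '$TemplateName' found in LocalMachine\My."
}

# If the server enrolled more than once, use the most recently issued certificate.
$cert = $candidates | Sort-Object -Property NotBefore -Descending | Select-Object -First 1

# Same checks the guide performs by eye in the results pane, plus validity and key presence.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $ClientAuthOid) {
    throw "Certificate $($cert.Thumbprint) does not list Client Authentication."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this computer."
}
if ($cert.NotAfter -le (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

$cert | Format-List -Property Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey

# Prompt for the PFX password so it never appears in the script or shell history.
$password = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString

# Export fails unless "Allow private key to be exported" was selected on the template.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null
Write-Output "Exported $($cert.Thumbprint) to $PfxPath"
```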

Deploying the Client Certificate for Distribution Points

Now that we have the client certificate for distribution points, let's assign it to the DPs. Right-click the DP and, on the General tab, choose HTTPS; to import the certificate, click Browse. Import the certificate that you exported in the steps above, provide the password, and click OK.

For other roles, you may not be able to switch from HTTP to HTTPS because the options are greyed out. For example, on the Application Catalog web service point the options are greyed out. You have to uninstall both the App Catalog website point and the App Catalog web service point roles and install the roles again.

When you are reinstalling the App Catalog web service point, you can now specify how the App Catalog website communicates with the App Catalog web service point. Choose HTTPS this time.

The same goes for App catalog website point. Choose HTTPS here. Click Next.

In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites. Right-click the site server and click Properties. Under site system settings, choose HTTPS only and click OK.

Log in to one of the computers that has the Configuration Manager client installed. Look under the General tab of the Configuration Manager client properties. You will notice that Client Certificate has changed from self-signed to PKI.

