Install and Configure PKI for SCCM 2016

The following guide walks through installing Active Directory Certificate Services (AD CS) on Windows Server 2016 and issuing the public key infrastructure (PKI) certificates that Microsoft System Center Configuration Manager (SCCM) 2016 uses. Using a Windows Server 2016 certification authority (CA), it covers installing and configuring the CA, creating and publishing the certificate templates, enrolling the web server certificate on the site system, and enabling certificate auto-enrollment through Group Policy.

Open Server Manager, select All Servers, and then use Manage > Add Roles and Features to add the Active Directory Certificate Services role.

Select Role-based or feature-based installation, then click Next.

On the Server Selection page, keep the local server selected and click Next.

Select Active Directory Certificate Services. In the pop-up window, check Include management tools and click Add Features, then click Next.

No additional features are needed. Click Next.

Read the AD CS introduction page and click Next.

On the Role Services page, select Certification Authority and click Next.

Click Install.

Once the installation is complete, click Close.

When the installation finishes, Server Manager raises a post-deployment notification for the destination server. Open it (Configure Active Directory Certificate Services), confirm the credentials (an enterprise CA needs an account that is a member of Enterprise Admins), select Certification Authority under Role Services, and click Next.

Choose "Enterprise CA" on this step of the configuration wizard. An enterprise CA is integrated with Active Directory, which is what allows certificate templates to be published and domain computers to auto-enroll against it later in this guide.

On this step choose "Root CA". This builds a single-tier hierarchy, which is adequate for a lab; in production the usual design is an offline standalone root with an enterprise subordinate issuing CA, so that the root key never sits on a domain-joined, always-on server.

On this step select "Create a new private key".

Enter your cryptographic options, then click Next. Use RSA with a key length of at least 2048 bits (4096 for a root that will live ten years or more) and SHA256 as the hash algorithm; do not pick SHA1, which is deprecated and rejected by current clients for TLS server certificates. These choices cannot be changed afterwards without renewing the CA certificate with a new key.

Give your CA a common name, and then click Next. This name appears as the issuer in every certificate the CA signs and is hard to change later, so do not reuse a server hostname.

Select the validity period. The default is 5 years. A CA cannot issue certificates that expire after its own certificate does, so a root that must keep issuing multi-year web server certificates is usually given 10 years or more, with a reminder set to renew it well before expiry.

Accept the default database and log locations and click Next.

Ensure the summary is correct, then click Configure.

Finished! Click Close.
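
The same role installation and CA configuration can be scripted. The block below is an added example, not code from the original post; it uses the ADCSDeployment cmdlets that the management tools install, and the CA name, key size and validity period are assumptions chosen for a lab.

```powershell
# Added example (not from the original post): unattended equivalent of the
# Server Manager wizard above. CA name, key length and validity are assumed
# lab values; adjust them to your environment. Run in an elevated PowerShell
# session as a member of Enterprise Admins.

# 1. Install the AD CS role with its management tools (CA console plus the
#    ADCSAdministration / ADCSDeployment modules).
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure an Enterprise Root CA with a new RSA key and SHA-256 signatures.
#    The provider string is the one shown in the wizard's cryptographic options.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'CORP-ROOT-CA'   # assumed name; becomes the issuer of every cert
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10               # must outlive anything the CA will issue
    Force               = $true
}
Install-AdcsCertificationAuthority @caParams

# 3. Verify what was actually configured before issuing anything.
certutil -cainfo name
certutil -getreg CA\CSP\CNGHashAlgorithm   # expect SHA256, not SHA1

# The new root is also placed in the machine's Trusted Root store; check the
# signature algorithm and expiry that every issued certificate will inherit.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*CN=CORP-ROOT-CA*' } |
    Select-Object Subject, NotAfter,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
```

Run the verification commands even after using the GUI: the hash algorithm and key length are the two settings that are most often left at a weak default and cannot be corrected without renewing the CA certificate with a new key.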

Open the Certification Authority console (Server Manager > Tools > Certification Authority) and confirm the new CA is listed with a green check, meaning the service is started.

At the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

In the results pane, right-click the entry that shows Web Server in the Template Display Name column, and then click Duplicate Template. On the General tab, give the duplicate a display name that identifies it as the Configuration Manager web server certificate (the SCCM Web Server Certificate requested later in this guide). The walkthrough shows only this duplicate; create the remaining Configuration Manager templates the same way (duplicate the base template, rename it, set its permissions) until the Certificate Templates console lists the four new templates.

On the template that domain computers should auto-enroll (the client certificate), click the Security tab, select the Domain Computers group, and add the Read and Autoenroll permissions. Do not clear Enroll. Click Apply, then OK. This is what lets every domain-joined computer obtain a client certificate through Group Policy auto-enrollment. Do not grant Domain Computers Enroll on the web server template: the Web Server template, and any duplicate of it, takes its subject name from the request, so any principal with Enroll on it can obtain a server authentication certificate for whatever name it asks for. Restrict Enroll on that template to a group that contains only the site systems running IIS.

On the Request Handling tab, select Allow private key to be exported only on templates whose certificate genuinely has to leave the machine as a PFX file (in Configuration Manager that is the distribution point client certificate, which is imported through the console). Leave it cleared on the web server and client authentication templates so their private keys stay non-exportable on the host that enrolled them.

At the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

Select all four of the ConfigMgr templates you created, then click OK.

They then show up in the Certificate Templates listing; once you have verified that, close the Certification Authority console. A template is not available for enrollment until it is published here, so an Autoenroll permission on an unpublished template does nothing.
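
Template permissions are easy to get wrong and hard to review in the GUI. The block below is an added example, not code from the original post: it reads every template whose display name starts with "ConfigMgr" (an assumption about how you named the duplicates) from the Configuration partition and flags the two combinations warned about above, a requester-supplied subject with Server Authentication and broad Enroll, and an exportable key with broad Enroll. Flag bit values and extended-right GUIDs are the documented AD CS constants.

```powershell
# Added example (not from the original post): audit the published ConfigMgr
# templates for the permission mistakes discussed above. Requires the
# ActiveDirectory RSAT module and read access to the Configuration partition.
# The "ConfigMgr*" display-name filter is an assumption about template naming.
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: CA manager approval
$ENROLL_RIGHT     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AUTOENROLL_RIGHT = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$SERVER_AUTH_EKU  = '1.3.6.1.5.5.7.3.1'
$broadPrincipals  = 'Domain Computers|Domain Users|Authenticated Users'

$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'displayName','msPKI-Certificate-Name-Flag','msPKI-Private-Key-Flag',
            'msPKI-Enrollment-Flag','pKIExtendedKeyUsage'

Get-ADObject -SearchBase $tplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
  Where-Object { $_.displayName -like 'ConfigMgr*' } |
  ForEach-Object {
    $tpl = $_
    $acl = Get-Acl -Path ("AD:\" + $tpl.DistinguishedName)

    # Principals that can enroll or auto-enroll: an Allow ACE carrying the
    # Enroll/AutoEnroll extended right, all extended rights (empty GUID), or GenericAll.
    $enrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
          $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
          ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
           $_.ObjectType -in @($ENROLL_RIGHT, $AUTOENROLL_RIGHT, [guid]::Empty)))
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    $suppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $exportable      = ($tpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
    $needsApproval   = ($tpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $serverAuth      = $tpl.pKIExtendedKeyUsage -contains $SERVER_AUTH_EKU
    $broadEnroll     = [bool]($enrollers -match $broadPrincipals)

    # The combination to avoid: subject supplied by the requester, Server
    # Authentication EKU, no manager approval, and Enroll granted to every
    # computer or user. Any domain member could then obtain a TLS certificate
    # for a name of its choosing. Tighten Enroll to the IIS servers group.
    $warning = if ($suppliesSubject -and $serverAuth -and $broadEnroll -and -not $needsApproval) {
                   'subject supplied in request + Server Authentication + broad Enroll'
               } elseif ($exportable -and $broadEnroll) {
                   'exportable private key + broad Enroll'
               } else { '' }

    [pscustomobject]@{
        Template        = $tpl.displayName
        Enrollers       = ($enrollers -join '; ')
        SuppliesSubject = $suppliesSubject
        Exportable      = $exportable
        ServerAuth      = $serverAuth
        ManagerApproval = $needsApproval
        Warning         = $warning
    }
  } | Format-Table -AutoSize
```

A clean result for this guide is: the web server duplicate shows SuppliesSubject and ServerAuth true with only the IIS servers group under Enrollers, the client template shows Domain Computers with SuppliesSubject false, and only the distribution point template shows Exportable true.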

Run mmc.exe.

In the empty console, click File, then Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, select Certificates from the list of available snap-ins, then click Add.

In the Certificates snap-in dialog box, select Computer account, then click Next.

In the Select Computer dialog box, make sure Local computer: (the computer this console is running on) is selected, then click Finish. In the Add or Remove Snap-ins dialog box, click OK.

In the console, expand Certificates (Local Computer), then Personal. Right-click Certificates (or a blank area of the results pane) and click All Tasks > Request New Certificate. The Certificate Enrollment wizard opens; click Next.

On the Select Certificate Enrollment Policy page, keep Active Directory Enrollment Policy selected and click Next.

On the Request Certificates page, select the SCCM Web Server Certificate from the list of displayed certificates. Because the Web Server template takes its subject from the request, the wizard shows the link "More information is required to enroll for this certificate"; click it, enter the site system's FQDN as the Common name subject value and again as a DNS alternative name, click OK, and then click Enroll. If the template is not listed at all, this computer lacks Enroll permission on it or the template has not been published at the CA.

On the Certificate Installation Results page, wait until the certificate is installed (the status should show Succeeded), then click Finish. Repeat this on every site system that will serve HTTPS.
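
The same enrollment can be done from an elevated PowerShell session on the site system with the Get-Certificate cmdlet, which also makes it easy to verify the result before IIS is pointed at it. The block below is an added example, not code from the original post; the template name and the FQDN derivation are assumptions.

```powershell
# Added example (not from the original post): request the web server
# certificate from the command line on the site system and verify it.
# $template is the template *name* (no spaces, as shown on the template's
# General tab), not its display name; the value here is an assumption.
$template = 'ConfigMgrWebServerCertificate'
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. sccm01.corp.example

# The Web Server template takes its subject from the request, so supply the
# FQDN as the CN and as a DNS SAN; TLS clients match the name against the SAN.
$req = Get-Certificate -Template $template `
                       -SubjectName "CN=$fqdn" `
                       -DnsName $fqdn `
                       -CertStoreLocation Cert:\LocalMachine\My

# A template configured for CA manager approval returns Pending here instead of Issued.
if ($req.Status -ne 'Issued') { throw "Enrollment not completed: status $($req.Status)" }
$cert = $req.Certificate

# Checks worth making before trusting the certificate:
#  - the chain builds to the enterprise root and the Server Authentication EKU is present
#  - the certificate is valid for the site system's FQDN
#  - a private key is present in the machine store
$chainOk = Test-Certificate -Cert $cert -EKU '1.3.6.1.5.5.7.3.1' -DNSName $fqdn -ErrorAction SilentlyContinue

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    SAN           = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
    Issuer        = $cert.Issuer
    Expires       = $cert.NotAfter
    ChainAndEKUOk = [bool]$chainOk
    HasPrivateKey = $cert.HasPrivateKey
}
```

If ChainAndEKUOk is false on a freshly issued certificate, the usual cause is that the root certificate has not yet reached the site system's Trusted Root store (it is published through Active Directory and arrives with Group Policy refresh), not a problem with the certificate itself.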

On the domain controller (or any computer with the Group Policy Management console installed), launch Group Policy Management.

Expand the forest and Domains, and navigate to your domain.

Right-click the domain, and then select Create a GPO in this domain, and Link it here.

In the New GPO dialog box, enter a name for the new Group Policy Object and click OK.

In the results pane, on the Linked Group Policy Objects tab, right-click the new GPO, and then click Edit.

In the Group Policy Management Editor, under Computer Configuration expand Policies, and then navigate to Windows Settings > Security Settings > Public Key Policies.

Right-click the object named Certificate Services Client – Auto-Enrollment, and then click Properties. From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK. Close the Group Policy Management Editor and GPMC.

Linking the GPO at the domain root applies auto-enrollment to every domain computer, so at the next policy refresh every machine that holds Read, Enroll and Autoenroll on the client template will request its certificate. To confirm on a client, run gpupdate /force followed by certutil -pulse (which triggers auto-enrollment immediately), then check the computer account's Personal store for a certificate issued from the client template; the CA's Issued Certificates folder shows the matching request.
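
The auto-enrollment GPO can also be created, configured and linked from PowerShell with the GroupPolicy module. The block below is an added example, not code from the original post; the GPO name is an assumption, and it relies on the fact that the GPMC setting above is stored in the GPO as the AEPolicy registry value (an encoding you can confirm by setting it once in the UI and reading it back with Get-GPRegistryValue).

```powershell
# Added example (not from the original post): create, configure and link the
# auto-enrollment GPO from PowerShell, then show how to verify it on a client.
# The GPO name is an assumption. Requires the GroupPolicy and ActiveDirectory
# modules; run as a user who can create and link GPOs at the domain root.
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = 'PKI - Certificate Auto-Enrollment'
$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example

# Idempotent: reuse the GPO if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# "Certificate Services Client - Auto-Enrollment" is stored as the AEPolicy
# DWORD under the key below. 7 = Enabled (1) + renew expired / update pending /
# remove revoked (2) + update certificates that use templates (4); 0x8000
# would be Disabled. An HKLM key writes to Computer Configuration, which is
# where the guide sets it.
$aeKey = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Link at the domain root so every domain computer auto-enrolls. Link to an
# OU instead if only a subset of machines should receive certificates.
$alreadyLinked = (Get-GPInheritance -Target $domainDN).GpoLinks.DisplayName -contains $gpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# Read back what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $aeKey

# On a client, after the policy applies (gpupdate /force, then certutil -pulse
# to trigger auto-enrollment without waiting), a certificate carrying the
# Certificate Template Information extension (1.3.6.1.4.1.311.21.7) appears
# in the machine Personal store:
#   Get-ChildItem Cert:\LocalMachine\My |
#       Where-Object { $_.Extensions.Oid.Value -contains '1.3.6.1.4.1.311.21.7' } |
#       Select-Object Subject, Issuer, NotAfter
```

If the value read back by Get-GPRegistryValue is not 7, the GPO will not behave like the GUI configuration in the previous step; fix it there before rolling the link out to the domain.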
