Building a CM Lab - Certificate Authority [3]

Series Post 3: adding a Certificate Authority to your lab (requires that you set up a DC first). Completely optional for your environment.

This is a bonus; you can do everything you want in your lab without this feature. But if you're going to do anything that needs HTTPS, having your own Certificate Authority (CA) makes this so much slicker.

Creating a CA is straightforward: you pick the role and click Next a few times. I'm adding it to my DC, as it's an easy place to put it.

You'll check the box "Active Directory Certificate Services", which will then pop up this dialog; click "Add Features".
This is default
At this point, click "Configure AD CS on the destination server".
I left the defaults here

OK, so now we have set up our CA and configured it. Nothing too special. Now let's create a certificate template. In this example I'll be creating a certificate template to be used with our Recast Management Server web server, which will basically be the same for any web server.

Launch Certification Authority from the Tools Menu
Right Click on Certificate Templates and choose Manage
We're going to make a duplicate of the Web Server Template to use
I'm going to name it Recast Web Server
Under Security I added an AD group "Web Server Cert Enrollment" and checked the boxes "Enroll" and "Autoenroll".
In AD, this is the group and its members. I've added several servers that might need the cert and one that I know does for sure. Eventually all of these servers will automatically get the certificate because they are set to autoenroll.
I also added Certificate Admins and checked the box for "Enroll".
Anyone in the Certificate Admins group has the ability to enroll this new certificate.

Now, on the server, you can enroll and add the certificate.

In this example I'll be having the certificate enrolled on the Recast Management Server which hosts our Recast Enterprise Server Web Service.

Currently it's using its self-issued certificate, which causes clients to get a warning when they try to connect.

You can see here that while it's HTTPS, it gives a "Not Secure" Warning
Go to "Manage Computer Certificates". On Personal, right-click and choose "All Tasks", then "Request New Certificate".
At this point you should see the "Recast Web Server" cert available.
It enrolled successfully
Now in the Certificates, you'll see the cert that was issued by our CA
Now that we have the cert available, let's tell our Recast server's site to use our new cert.
Open up IIS, choose the Recast Management Server, click Bindings, then click "Edit" and choose the cert that was issued.
And now, from the client, you can see the error is gone and no more prompts.
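
The same enrollment and IIS binding steps in PowerShell, with a validation step before the certificate goes live. This is an added example, not part of the original post; the template name `RecastWebServer`, the IIS site name, port 443 and the all-unassigned (0.0.0.0) binding are assumptions to adjust for your lab.

```powershell
# Added example, not from the original post. Run elevated on the web server.
# Assumed values: template name, IIS site name, port, all-unassigned binding.
$TemplateName = 'RecastWebServer'            # template name (no spaces), not the display name
$SiteName     = 'Recast Management Server'   # site name as shown in IIS Manager
$Port         = 443
$Fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

Import-Module WebAdministration

# The site must already have an HTTPS binding (it is serving the self-issued cert).
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    throw "Site '$SiteName' has no https binding"
}

# 1. Enroll against the CA; equivalent to "Request New Certificate" in the MMC.
$enroll = Get-Certificate -Template $TemplateName -DnsName $Fqdn `
    -SubjectName "CN=$Fqdn" -CertStoreLocation Cert:\LocalMachine\My
if ($enroll.Status -ne 'Issued') { throw "Enrollment status: $($enroll.Status)" }
$cert = $enroll.Certificate

# 2. Validate before binding: chain builds to a trusted root, the DNS name
#    matches, and the private key landed in the machine store.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn)) {
    throw 'Certificate failed SSL policy validation'
}
if (-not $cert.HasPrivateKey) { throw 'Issued certificate has no private key' }

# Warn if the template grants more than Server Authentication (1.3.6.1.5.5.7.3.1).
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$extraEku = @($ekuExt.EnhancedKeyUsages.Value) -ne '1.3.6.1.5.5.7.3.1'
if ($extraEku) { Write-Warning "Unexpected EKUs on certificate: $extraEku" }

# 3. Swap the certificate mapped to the binding (replaces the self-issued one).
$bindingPath = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" |
    New-Item $bindingPath | Out-Null

# 4. Show what is now bound so it can be compared with what the client sees.
$cert | Select-Object Subject, Issuer, NotAfter, Thumbprint
```

The Issuer in the final output should be the lab CA, and the thumbprint should match the certificate the browser shows for the site.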

So now we have a CA set up and have used it to improve the experience on our Recast Management Server. The long-term plan is to use it to enable HTTPS only on our CM Server. We'll get to that in a future post.

Blog Post List

Series Introduction - Building a CM Lab from Scratch

  1. Domain Controller - Setting up your Domain Controller
  2. Gateway Virtual Machine - Creating a Router for your Lab using Windows Server
  3. Certificate Authority - On Domain Controller [Optional]
  4. ConfigMgr Server Pre-Reqs (Windows Features)
  5. Configuration Settings (AD & GPOs)
  6. Source Server (File Share)
  7. ConfigMgr SQL Install
  8. ConfigMgr Install
  9. ConfigMgr Basic Settings
  10. ConfigMgr Collections & App Deployment
  11. ConfigMgr OSD
  12. ConfigMgr Reporting Services