ConfigMgr Console

Building a ConfigMgr Lab from Scratch: Step 3 – Certificate Authority

Topics: ConfigMgr Console

Building a ConfigMgr Lab from Scratch: Step 3

Adding a Certificate Authority

This post is completely optional for your environment.

You can do everything you want in your lab without this feature, but guess what, if you’re going to do anything that needs HTTPS, having your own Certificate Authority (CA) makes this so much slicker.

Creating a CA is straight forward. You pick the role and click next a few times. I’m adding it to my DC, as it’s an easy place to put it.

Add roles and features server roles

You’ll check the box “Active Directory Certificate Services, which will then pop up this dialog, click “Add Features.”

Add Roles and Features wizard

This is default.

Add Roles and Features Wizard
Add Roles and Features Wizard

At this point, click “Configure AD CS on the destination server.

AD CS Configuration


AD CS Configuration
AD CS Configuration
AD CS Configuration
AD CS Confiuration Private Key
AD CS Configuration Cryptography

I left the defaults here.

AD CS Configuration CA Name
AD CS Configuration Validity Period
AD CA Configuration Certificate Database
AD CS Configuration Confirmation
AD CS Configuration

Ok, so now we have setup our CA & had it configured. Now let’s create a Cert Template. In this example, I’ll be creating a certificate template to be used with our Recast Management Server Web Server, which will basically be the same for any web server.

Launch Certification Authority

Launch Certification Authority from the Tools Menu.

Certification Authority Template

Right Click on Certificate Templates and choose Manage.

Certificate Template Console

We’re going to make a duplicate of the Web Server Template to use.

Properties of New Template

I’m going to name it Recast Web Server.

Recast web Server Properties

Under Security I added an AD Group “Web Server Cert Enrollment” and checked the boxes “Enroll & Autoenroll.”

Web Server Cert Enrollment Properties

In AD, this is the group, and the members.  I’ve added several servers that might need the cert and one that I know does for sure. Eventually all of these servers will automatically get the certificated because they are set to auto enroll.

Recast Web Server Properties

I also added Certificate Admins and checked the box for Enroll.

Certificate Admins Properties

The Certificate Admins Group, anyone in this group has the ability to enroll this new certificate.

REcast Web Server Properties

Now that this is done, you’ll have to Add these certs to “Certificate Templates” – Otherwise you might get this error:

The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.”

This drove me crazy for a bit, then realized I forgot a step. Any Templates you’ve duplicated and created that you want this CA to be able to give out, you’ll need to add here: [More Info]

Sorry, the names changed. I noticed this after the original post and am appending this from my personal lab.

Now, on the server, you can enroll and add the certificate.

In this example I’ll be having the certificate enrolled on the Recast Management Server which hosts our Recast Enterprise Server Web Service.

Currently it’s using it’s self-issued certificate which causes clients to get a warning when you try to connect.

HTTPS Not secure Warning

You can see here that while it’s HTTPS, it gives a “Not Secure” Warning.

Manage Computer Certificates

Go to “Manage Computer Certificates”. On Personal, right click and choose “All Tasks”, then “Request New Certificate.”

Certificate Enrollement
Certificate Enrollement
Certificate Enrollment

At this point you should see the “Recast Web Server” cert available.

Certificate Enrollment

It enrolled successfully.

Certificate Enrollment

Now in the Certificates, you’ll see the cert that was issued by our CA.

Internet Information Services Manager IIS

Now that we have the Cert available, let’s tell our Recast Server’s Site to use our new cert. Open up IIS, choose the Recast Management Server, click Bindings, then click “Edit” and choose the cert that was issued.

Recast Server
And now, from the client, you can see the error is gone and no more prompts.

So now we have a CA setup and used it to improve the experience on our Recast Management Server. Long term plan is to use it to enable HTTPS only on our CM Server. We’ll get to that in a future post.

Building a ConfigMgr Lab from Scratch Series

Series Introduction – Building a CM Lab from Scratch

  1. Setting up your Domain Controller
  2. Creating a Router for your Lab using Windows Server 
  3. Certificate Authority – On Domain Controller [Optional] – You are Here
  4. ConfigMgr Server Pre-Reqs (Windows Features)
  5. Configuration Settings (AD & GPOs)
  6. Source Server (File Share)
  7. ConfigMgr SQL Install
  8. ConfigMgr Install
  9. ConfigMgr Basic Settings
  10. ConfigMgr Collections & App Deployment
  11. ConfigMgr OSD
  12. ConfigMgr Reporting Services
  13. Cloud Management Gateway (CMG) – Certs PreReq
  14. Cloud Management Gateway (CMG) – Azure Subscription
  15. Azure Services Connection
  16. Setting up CMG in the Console
  17. Cloud Management Gateway (CMG) – Post CMG Config
  18. Cloud Management Gateway – Client CMG Endpoints
Back to Top