This guide is broken into five parts:
- Preparation Part 1 – Get your Certificate
- Preparation Part 2 – Configure IIS and SQL
The prep phase of implementing BitLocker management is all about keeping the Recovery Keys secure. Secure in transit from the endpoint to Configuration Manager and secure at rest in the database.
To secure the key from the endpoint to Configuration Manager, we need to have a PKI cert for each Management Point (MP). In 1910, we must convert to HTTPS mode on the MP but starting in 2002 we only must create the certificate binding in IIS.
No matter which method you choose, you will need to get a cert to each MP. In this guide I will cover doing this via a Windows Server Certificate Authority. The steps I follow are, mostly, from the guide “Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server 2008 certification authority“. I am not going to go through the entire guide, but just enough to get a certificate for MPs.
Note: I do one step differently than the example guide that is required for when we get to the reporting portion. I will call that out when we get there.
Create and issue the web server certificate template on the certification authority
1. Create a security group named ConfigMgr IIS Servers that has the member servers to install Configuration Manager site systems that will run IIS.
2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and then choose Manage to load the Certificate Templates console.
3. In the results pane, right-click the entry that has Web Server in the Template Display Name column, and then choose Duplicate Template.
4. In the Properties of the New Template dialog box, on the Compatibility tab, ensure the Certification Authority is set to Windows Server 2003.
5. In the Properties of New Template dialog box, on the General tab, enter a template name, like ConfigMgr Web Server Certificate, to generate the web certificates that will be used on Configuration Manager site systems.
6. Choose the Subject Name tab, and make sure that Supply in the request is selected
7. Choose the Security tab, and then remove the Enroll permission from the Domain Admins and Enterprise Admins security groups.
8.Choose Add, enter ConfigMgr IIS Servers in the text box, and then choose OK.
9. Choose the Enroll permission for this group, and do not clear the Read permission
10. Choose OK, and then close the Certificate Templates Console.
11. In the Certification Authority console, right-click Certificate Templates, choose New, and then choose Certificate Template to Issue.
12. In the Enable Certificate Templates dialog box, choose the new template that you just created, ConfigMgr Web Server Certificate, and then choose OK.
Request the web server certificate
1. Restart the member server that runs IIS to ensure that the computer can access the certificate template that you created by using the Read and Enroll permissions that you configured.
2. Choose Start, choose Run, and then type mmc.exe. In the empty console, choose File, and then choose Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, choose Certificates from the list of Available snap-ins, and then choose Add.
4. In the Certificate snap-in dialog box, choose Computer account, and then choose Next.
5. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then choose Finish.
6. In the Add or Remove Snap-ins dialog box, choose OK.
7. In the console, expand Certificates (Local Computer), and then choose Personal.
8. Right-click Certificates, choose All Tasks, and then choose Request New Certificate
9. On the Before You Begin page, choose Next.
10. If you see the Select Certificate Enrollment Policy page, choose Next.
11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of available certificates, and then choose More information is required to enroll for this certificate. Click here to configure settings.
ATTENTION: The next steps differ from the example guide.
12. In the Certificate Properties dialog box, in the Subject tab go to the Subject name section. Choose the Type drop-down list, and then choose Common Name.
12a. In the Value box, specify the hostname of the server, and click add.
13. From the Alternative name section, choose the Type drop-down list, and then choose DNS.
13a. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then choose OK to close the Certificate Properties dialog box.
13b. Enter an additional DNS alternative name using just the hostname
13c. Click OK
13d. Select the General tab and enter a Friendly name for the certificate.
14. On the Request Certificates page, choose ConfigMgr Web Server Certificate from the list of available certificates, and then choose Enroll.
15. On the Certificates Installation Results page, wait until the certificate is installed, and then choose Finish.
16. Close Certificates (Local Computer).