
Configuring Configuration Manager

To begin configuring your Configuration Manager site to start using secure communication, you will require a CER file of your root CA. The file you export must be a DER X.509 certificate.

In the Administration workspace, expand the Site Configuration node and select Sites. Right-click on your site and then select Properties. The Client Computer Communication tab lets you set how clients communicate with your site.

Import your root CA certificate by clicking on Set at the bottom of the window. You can import multiple root certificates if required. This functionality supports environments that may have multiple certificate authorities.

The certificates you specify here are used to verify the certificate chain of any certificates configured in the hierarchy. Before setting your site to communicate purely over HTTPS, make sure that your clients are communicating properly with an HTTP management point, distribution point, and software update point.
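Before importing, it is worth confirming that the exported file really is a DER-encoded root CA certificate. The following PowerShell check is an added example, not part of the original text; the file paths are hypothetical placeholders, and the self-issued test compares names only.

```powershell
# Added example (not from the original text): pre-import check of a root CA file.
function Test-RootCaCerFile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { throw "Empty file: $Path" }

    # DER is binary ASN.1 and begins with a SEQUENCE tag (0x30); a Base-64
    # export begins with the ASCII text '-----BEGIN CERTIFICATE-----'.
    $isDer = $bytes[0] -eq 0x30

    # Windows parses either encoding, so the object is usable for the other checks.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

    # Basic Constraints (OID 2.5.29.19) should mark the certificate as a CA.
    $bc   = $cert.Extensions['2.5.29.19']
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    $now = Get-Date
    [pscustomobject]@{
        Path       = $Path
        IsDer      = $isDer
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        # Name comparison only; this does not verify the signature.
        SelfIssued = $cert.Subject -eq $cert.Issuer
        IsCa       = $isCa
        InValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        NotAfter   = $cert.NotAfter
    }
}

# Hypothetical path; replace with the file exported from your root CA.
$result = Test-RootCaCerFile -Path 'C:\Temp\RootCA.cer'
$result | Format-List

if (-not $result.IsDer) {
    # Re-encode as DER: RawData always holds the DER bytes of the certificate.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($result.Path)
    [System.IO.File]::WriteAllBytes('C:\Temp\RootCA-der.cer', $cert.RawData)
}
if (-not ($result.SelfIssued -and $result.IsCa -and $result.InValidity)) {
    Write-Warning 'File does not look like a currently valid root CA certificate.'
}
```

Compare the reported thumbprint with the one shown on the certificate authority itself before importing the file into the site properties.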

Tip

Tick the box labeled Use PKI client certificate where available. This will instruct clients to communicate with the site if they have the correct certificate.

Once you have confirmed that all clients are communicating with the site using HTTPS, you may switch the communication mode from HTTPS or HTTP to HTTPS only.

If you have a mix of HTTP and HTTPS management points, then clients will select HTTPS management points as a preference over HTTP, as shown in the following screenshot:

Configuring distribution points to use certificates

In the Servers and Site System Roles node, find your distribution point server and double-click on the distribution point object to open its properties. In the General tab, at the bottom of the screen, you can switch from using a self-signed certificate to importing a certificate.

Here, you can specify the path to your exported distribution point client certificate and enter the password that was set when the certificate was exported. This will enable the distribution point to use the client certificate created from your certificate authority rather than the default self-signed certificate, as shown in the following screenshot:

You can then click on OK to save the changes; this action will configure your certificate for you. You can change the certificate if required at any time or switch back to a self-signed certificate should it be required.

Tip

If you switch back to a self-signed certificate, make sure you clean up any existing certificates as a best practice.

Configuring management points to use certificates

Management points require very little configuration to use HTTPS communication. Once IIS has been configured to use the web server certificate from the certificate authority, open the Servers and Site System Roles node, find your management point server, and double-click on the management point object to open its properties.

In the General tab, simply select the HTTPS radio button and save the changes by clicking on OK, as shown in the following screenshot:
