Key configurations steps for implementing the ability to deploy certificate profiles with ConfigMgr 2012

This blog post is about key configuration steps, which are often forgotten, for implementing the ability to deploy certificate profiles with ConfigMgr 2012. By key configuration steps, I’m talking about the key configurations of every component used for creating the ability to deploy certificate profiles. That means Internet Information Services (IIS), Network Device Enrollment Service (NDES), the Certificate Registration Point site system role, the Configuration Manager Policy Module and even Web Application Proxy (WAP). To understand these steps, knowledge of certificates, IIS and ConfigMgr is required, because it’s not a step-by-step configuration guide. Good step-by-step information can be found in the More information section of this blog.

Internet Information Services

imageThe first component I would like to mention is probably the most known component, which is IIS. For IIS to support the long URLs, that come with certificate requests, the following adjustments should not be forgotten:

  • The HKLM\System\CurrentControlSet\Services\HTTP\Parameters registry key must have the following DWORD values:
    • MaxFieldLength key to 65534.
    • MaxRequestBytes key to 16777216.
  • The request-filtering on the Default website must also adjusted to the following values.
    • Maximum allowed content length (Bytes): 30000000
    • Maximum URL length (Bytes): 65534
    • Maximum query string (Bytes): 65534

Network Device Enrollment Service

imageThe next component is probably the core component for deploying certificate profiles, which is NDES. NDES is a role service of Active Directory Certificate Services (AD CS). For NDES to deploy the correct certificate template the following important configuration should not be forgotten:

  • The HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP registry key contains the default certificate that will be deployed. These values should be adjusted to the certificate template name that should be deployed;
  • The account used by the NDES application pool must have Read and Enroll permissions on the configured certificate profile. Without these permissions it will not be possible to request certificates.

Certificate Registration Point

imageThe component that brings it all together, from a ConfigMgr perspective, is the Certificate Registration Point site system role. To make this role function on the Internet there are two key things that should not be forgotten:

  • A public FQDN should be registered for publishing NDES on the Internet;
  • The public FQDN should be used in the configuration of the Certificate Registration Point, as that is the address that the clients will use to perform their certificate request.

Configuration Manager Policy Module

imageThe component that provides the communication between NDES and the Certificate Registration Point is the Configuration Manager Policy Module. This installation should not be forgotten! The installer can be found on the installation media in the folder \SMSSETUP\POLICYMODULE\X64.

During the installation it will request the root certificate as input. This certificate can be found on the primary site server in the certmgr.box inbox.

Web Application Proxy

imageThe component that is optional, but can be used to publish NDES to the Internet, is WAP. One key thing that should not be forgotten is that the December 2014 update rollup for Windows Server 2012 R2 should be installed (see: https://support.microsoft.com/kb/3013769/en-us).

More information

Configuring certificate profiles Configuration Manager
Certificate deployment with System Center 2012 R2 Configuration Manager and Windows Intune
SCEP certificate enrolling using ConfigMgr, CRP, NDES and Windows Intune
Hotfix: Large URI request in Web Application Proxy on Windows Server 2012 R2

Share