How to install clients on Linux computers, when the Site Roles require HTTPS communication in ConfigMgr 2012

Linux_PKI_2About four years ago I did a post about installing the ConfigMgr client on a WORKGROUP computer, when the ConfigMgr Site is in Native Mode. On the certificate side of it, this post will have a lot of similarities with that post. Installing a ConfigMgr client on a Linux computer is a nice challenge, when the ConfigMgr site is configured to require HTTPS. I think I am not the only one working with ConfigMgr and only uses a little tiny bit of Linux. So to make this process for everyone a bit easier I wrote down these four steps for implementing the correct certificates and installing the ConfigMgr client on a Linux computer. Of course these same certificate configuration steps can also be used for WORKGROUP clients and separate forests (just keep in mind that in those cases also the root certificate is required).

Prerequisites

  1. A Microsoft public key infrastructure (PKI) has to be in place.
  2. A Linux client has to be available, including the content of the ConfigMgr Client for Linux. The latest version is available for download here: http://www.microsoft.com/en-us/download/details.aspx?id=39360 

Step 1. Create a Certificate Template for Client Authentication with exportable private key.

  1. Linux_PKI_3On the Certification Authority server, open the Certification Authority Console, right-click Certificate Templates, and click Manage to load the Certificates Templates console.
  2. Right-click the Workstation Authentication template and click Duplicate Template and the Properties of New Template dialog box will show.
  3. On the Compatibility tab, make sure the Certification Authority is set to Windows Server 2003 and the Certificate recipient is set to Windows XP / Server 2003.
  4. On the General tab, set the Template display name to ConfigMgr Client Certificate for Export.
  5. On the Request Handling tab, select Allow private key to be exported.
  6. On the Subject Name tab, select Supply in the request.
  7. Click OK to close the Properties of New Template dialog box and close the Certificates Template Console.
  8. In the Certification Authority Console, right-click Certificate Templates, click New, click Certificate Template to Issue, select ConfigMgr Client Certificate for Export and click OK.

Step 2. Request and Install the Client Certificate for the Linux client

  1. Linux_PKI_4On a Windows domain joined machine, open Notepad and copy and paste the following text into the file (replace <NetBiosName> with the name of the client/ server that has to use this certificate):

    [NewRequest]
    Subject = “CN=<NetBiosName>
    MachineKeySet = True
    Exportable = TRUE
    KeyLength = 2048
    [RequestAttributes]
    CertificateTemplate = ConfigMgrClientCertificateforExport

  2. Save the file as ConfigMgrClientCertificate.inf in a folder on the machine.
  3. Open a Command Prompt and navigate to the same folder as the saved file.
  4. Use the following command to create a certificate request: certreq –new ConfigMgrClientCertificate.inf ConfigMgrClientCertificate.req
  5. Use the following command to submit the certificate request: certreq –submit ConfigMgrClientCertificate.req ConfigMgrClientCertificate.cer
  6. In the Select Certification Authority dialog box, select the CA, and then click OK.
  7. Use the following command to accept the requested certificate: certreq –accept ConfigMgrClientCertificate.cer

Step 3. Export the client certificate for the Linux client

  1. Open the Certificates Console, right-click the certificate that is issued to <NetBiosName>, click All Tasks, and then click Export to launch the Certificate Export Wizard.
  2. On the Welcome page, click Next.
  3. On the Export Private Key page, select Yes, export the private key and click Next.
  4. On the Export File Format page, confirm that Personal Information Exchange – PKCS #12 (.PFX) is selected and click Next.
  5. On the Password page, specify a password and click Next.
  6. On the File to Export page, specify the path and name of the file and click Next.
  7. On the Summary page click Finish and click OK to close the confirmation popup.

Step 4. Install the ConfigMgr client on the Linux client

  1. On the Linux client, in my case CentOS 6.4, copy the exported certificate to the folder with ConfigMgr client installation files.
  2. Open a Terminal and navigate to the location of the ConfigMgr client installation files.
  3. Use the following, or a similar, command to install the ConfigMgr client:Linux_PKI_5
  4. This will result in the installation of the client and an imported and validated certificate.Linux_PKI_6

For a complete list of all client installation parameters, see: http://technet.microsoft.com/en-us/library/jj573939.aspx#BKMK_CmdLineInstallLnUClient

Result

The best place to look at the end result is, in this case, the ConfigMgr console. This will show information about the client, activity, edition and certificate.Linux_PKI_1

Leave a Comment