Migrate SCCM To Use A New Certificate Authority

Recently on a visit to a customer, they mentioned that they were going to be migrating to a new certificate authority and wanted to know what they would need to do in order to update their Configuration Manager infrastructure with certificates from their new certificate authority and to keep systems communicating using HTTPS during the migration to using the new certificate authority.  In this scenario, we will only be looking at configuring the management point and clients for a new certificate authority. The process for distribution points and software update points is similar. The high level steps to how we approached this change in their environment were:

  1. Enroll clients with a Client Authentication certificate from the new certificate authority.
  2. Update Configuration Manager Site Properties with the new certificate authority root certificate.
  3. Install the management point role on a new server and request a web server certificate from the new certificate authority.
  4. Configure IIS on the new management point to use the web server certificates.
  5. Add the new management point to the proper boundary group and remove the old one.

Enroll Windows clients with a new certificate

The new certificate authority had already been configured, so the next step was to enroll workstations with a client authentication certificate from the new certificate authority.  The quickest way to do this is to use a certificate template and group policy that configures workstations for auto enrollment, which is what we did here.  You can that find the info for how to do that at this link:

https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_client2008_cm2012

Add the new CA root certificate to Configuration Manager

Next, export the Root certificate from the new Root CA and copy the certificate file to a location where you can import it into the site server properties.  To configure the site properties with the Root CA certificate from the new certificate authority, open the admin console, go to Administration, expand the Site Configuration folder, select Sites, and in the pane to the right, right-click on your site name and select properties from the menu.  Select the Communication Security tab and at the bottom, select the “Set” button:

Next, on the Set Root CA Certificates window, select the new button, and browse to the certificate file to add it and click OK after you add it to close the Set Root CA Certificates window:

Install Configuration Manager roles on new servers

You’ll need to request a web server certificate in order to enable HTTPS on your new management point. To request a web server certificate from your certificate authority, follow the instructions here:

https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_webserver2008_cm2012

Once you have the web server certificates in the local certificate store, you can install the management point role. If you need help installing the management point role, you can find information for installing site system roles here:

https://docs.microsoft.com/en-us/configmgr/core/servers/deploy/configure/install-site-system-roles

Configure IIS to use web server certificates

The directions for configuring IIS for each site server is also at the same link for requesting certificates but right after the section for requesting certificates:

https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_webserver2008_cm2012

Add site server to boundary groups

Now that the new management point is configured, you’ll want to add it to the proper boundary group so that clients can see it. In the admin console, go to Administration, expand the Hierarchy Settings folder, and select Boundary Groups. In the pane to the right, right click the boundary group that you want modify and select Properties. Click on the References tab and in the lower section you can add the new management point and remove the previous one.

At this point once the previous management point is removed, clients can take up to 25 hours to perform a location check and switch to the new management point.

Conclusion

There are different ways to handle this particular scenario but this is what worked best for this particular customer in their environment, which was fairly small. When configuring Configuration Manager to use a new certificate authority, there are a lot of things to think about overall, and the number of site system servers you have in your environment can extend and complicate the process of moving to a new certificate authority. It’s not impossible though!

Authors