
I actually ran into more problems with the PKI after the installation. Although SCCM detects your Site Server Signing certificate during setup, the process of dragging and dropping the certificate from the current user branch to the local machine branch may (not sure if there are situations where this does not happen) corrupt the private key in the certificate. To fix this, you have to change the template for the Site Server Signing certificate. On the ‘Request Handling’ tab, check ‘Allow private key to be exported’. Then go through the process of requesting the certificate as usual, and don’t drag and drop as I described in my previous post, but export from the current user certificates and import into the local machine certificates. That should fix the Site Server Signing certificate.

I also had a problem with the Web Server certificate; I don’t know if it’s related to having a Windows Server 2008 Certificate Authority or not. In the Microsoft walkthrough they tell you to duplicate the normal Web Server template. When I did this, SCCM kept reporting problems with the Management Point; a test HTTP request would return an error. After a little Googling I found the solution: on the new template (I named it SCCM Web Server) add Client Authentication on the ‘Extensions’ tab. Don’t forget to re-enroll and re-assign the certificate to your website.

I hope that’s all I have to say about this. :)

The last couple of days I’ve been playing around with the SCCM 2007 SP1/R2 beta. I wanted to try out the NAP (network access protection) features, which require Windows Server 2008 on the SCCM server. So I went ahead and created some virtual machines, a domain controller and a SCCM server. I wanted to do it right, so I decided to install Windows Server 2008 on the domain controller as well. To build the PKI required by native mode I followed the excellent walkthrough at http://technet.microsoft.com/en-us/library/bb694035.aspx. And then I ran into trouble…
There are two issues with getting the Site Server Signing certificate on the SCCM server. First, because the CA is running on a Windows Server 2008 machine, when you duplicate the ‘Computer’ certificate template, you get to choose which versions of Windows should support this template. Considering the fact that all servers in my environment are running Windows Server 2008, I went with that. And that was my mistake. If you select “Windows Server 2008, Enterprise Edition” the certificate template will not show up while enrolling it from the web interface, so you should select “Windows Server 2003, Enterprise Edition”.
The second issue I ran into was related to the requesting client being a Windows Server 2008 machine. When this is the case, the web interface no longer shows the option to store the certificate in the local computer certificate store. Just continue as you normally would and after that, open an MMC on the SCCM server. Add two Certificates snap-ins, one for the current user, the other for the local computer. All you have to do is drag the certificate you just enrolled through the web interface from the Personal/Certificates store under the current user branch to the Personal/Certificates store under the local computer branch.
After this, in my case the SCCM installation automatically detected my certificate and installation went smoothly.

Please note that I have posted a follow-up to this post, because although installation will go smoothly, you will have some errors if you do it the way I described above. Here’s the correct way to do it: http://www.buit.org/2008/05/22/installing-sccm-2007-sp1r2-in-native-mode-on-windows-server-2008-part-2/
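Both posts come down to two things that are easy to get wrong and hard to see in the MMC: whether the private key behind the Site Server Signing certificate is still usable after it has been moved into the local computer store, and whether the Web Server (Management Point) certificate actually carries the Client Authentication EKU. The following PowerShell check is added here and is not part of the original posts; it assumes it is run elevated on the SCCM server, that $Subject matches part of the certificate subject (the server name by default), and that the required EKU OIDs are Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).

```powershell
# Added check (not from the original posts): confirm that certificates in the
# local machine Personal store have a usable private key and the expected EKUs.
# Assumptions: run as Administrator on the SCCM server; $Subject is a substring
# of the certificate subject; both EKUs below are what the SCCM Web Server
# template is expected to produce.
param(
    [string]$Subject = $env:COMPUTERNAME,
    [string[]]$RequiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')  # Server Auth, Client Auth
)

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$Subject*" }
if (-not $certs) {
    Write-Error "No certificate with a subject matching '$Subject' in LocalMachine\My"
    exit 1
}

foreach ($cert in $certs) {
    Write-Host ("Thumbprint: {0}  Subject: {1}" -f $cert.Thumbprint, $cert.Subject)

    # A certificate moved by drag-and-drop can still show a key icon in the MMC
    # while the key container is damaged; reading .PrivateKey exercises the
    # container and throws a CryptographicException when it cannot be opened.
    try {
        if (-not $cert.HasPrivateKey) { throw 'no private key associated with this certificate' }
        if ($null -eq $cert.PrivateKey) { throw 'private key could not be opened (CNG keys: verify with certutil -verifykeys)' }
        Write-Host '  Private key: OK'
    } catch {
        Write-Warning "  Private key: UNUSABLE ($($_.Exception.Message)) - re-enroll with an exportable key, export from CurrentUser and import into LocalMachine"
    }

    # Enhanced Key Usage check for the certificate bound to the Management Point site in IIS.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $RequiredEku) {
        if ($present -contains $oid) { Write-Host "  EKU $oid present" }
        else { Write-Warning "  EKU $oid MISSING - add it on the template's Extensions tab, re-enroll and re-bind the certificate" }
    }
}
```

Run it once after moving the Site Server Signing certificate and once after re-enrolling the Web Server certificate; a warning on either check points at the template change the corresponding post describes.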