Deploying MECM Server Certificate for Site Systems that Run IIS

In this post we will see the steps for deploying an MECM server certificate for site systems that run IIS.

On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template.

Ensure that Windows Server 2003 is selected, and then click OK.

In the Properties of MECM server Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems. Click the Subject Name tab, and make sure that Supply in the request is selected.

Click the Security tab, and remove the Enroll permission from the Domain Admins security group.

Also remove the Enroll permission from the Enterprise Admins security group.

Click Add, enter MECM IIS Servers in the text box, and then click OK. Select the Enroll permission for this group, and do not clear the Read permission, so that only the site system computers in that group can request this certificate. Click OK, and close the Certificate Templates console.

In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
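The two things the steps above configure on the duplicated template are what matters for security: who holds Enroll, and the fact that the enrollee supplies the subject. The script below is an added example (not part of the original post) that reads both settings straight from the template object in Active Directory and flags any Enroll holder other than the MECM IIS Servers group. It assumes the RSAT ActiveDirectory module is installed, that you can read the Configuration naming context, and that the template's CN (its "Template name", which by default is the display name without spaces) is the placeholder `MECMIISCertificate`.

```powershell
# Added example, not part of the original post: audit the duplicated template
# so that only the intended group can enroll and the subject is supplied in
# the request, as the steps above configure. Assumptions: RSAT ActiveDirectory
# module is present, and the template CN is the placeholder below.
Import-Module ActiveDirectory

$TemplateCN       = 'MECMIISCertificate'   # assumption: CN of the duplicated template
$ExpectedEnroller = 'MECM IIS Servers'     # group granted Enroll in the steps above

# Well-known GUID of the Certificate-Enrollment extended right. An ACE whose
# ObjectType is the empty GUID grants every extended right, so it counts too.
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AllRights   = [guid]::Empty
$ADR         = [System.DirectoryServices.ActiveDirectoryRights]

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -Identity $templateDN -Properties nTSecurityDescriptor, 'msPKI-Certificate-Name-Flag'

# Bit 0x1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
# i.e. the "Supply in the request" option on the Subject Name tab.
$suppliesSubject = ([int]$template.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
"Supply in the request: $suppliesSubject"

$findings = foreach ($ace in $template.nTSecurityDescriptor.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights        = $ace.ActiveDirectoryRights
    $isFullControl = $rights.HasFlag($ADR::GenericAll)
    $isEnroll      = $rights.HasFlag($ADR::ExtendedRight) -and
                     ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq $AllRights)
    if (-not ($isFullControl -or $isEnroll)) { continue }

    $who = $ace.IdentityReference.Value
    # Full-control holders (template administrators) are expected; any other
    # principal with Enroll besides the MECM IIS Servers group needs review.
    if ($who -like "*\$ExpectedEnroller") { $status = 'expected' }
    elseif ($isFullControl)               { $status = 'full control (template admin)' }
    else                                  { $status = 'REVIEW: unexpected Enroll' }

    [pscustomobject]@{
        Identity = $who
        Via      = if ($isFullControl) { 'GenericAll' } else { 'Enroll' }
        Status   = $status
    }
}
$findings | Format-Table -AutoSize
```

Run it after publishing the template (the next step) and again whenever the template ACL is touched; a row marked REVIEW means a principal other than the site systems could obtain a server certificate with a subject alternative name of its own choosing.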

Requesting MECM server certificate

Run the mmc.exe command. In the empty console, click File, and then click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. In the Certificate snap-in dialog box, select Computer account, and then click Next. On the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.

On the Select Certificate Enrollment Policy page, click Next.

On the Request Certificates page, identify the MECM IIS Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.

On the Request Certificates page, select MECM IIS Certificate from the list of displayed certificates, and then click Enroll.
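The same request can be made from PowerShell, which is handier when several site systems need certificates and makes it easy to verify the result before IIS uses it. The script below is an added example, not code from the original post: it requests the certificate with a blank subject and the FQDNs in the alternative name field, exactly as the wizard steps above do, and then checks the issued certificate for the properties Configuration Manager relies on. It assumes the PKI module (Windows Server 2012 or later), that the template CN is the placeholder `MECMIISCertificate`, and that the DNS names are placeholders for the FQDNs you enter in the site system properties.

```powershell
# Added example, not from the original post: request the web server
# certificate from PowerShell rather than the MMC wizard, then verify it
# before it is bound in IIS. Assumptions: PKI module available, template CN
# and DNS names are placeholders to replace with your own values.
$TemplateCN = 'MECMIISCertificate'                 # assumption: CN of the template
$DnsNames   = @('cm01.contoso.local', 'cm01')      # placeholders for site system FQDNs

# No -SubjectName: the subject stays blank, as in the wizard steps, and the
# site system identity is carried only in the DNS alternative names.
$req = Get-Certificate -Template $TemplateCN -DnsName $DnsNames `
                       -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') {
    throw "Enrollment not completed, status is '$($req.Status)' (CA approval pending or template permissions?)"
}
$cert = $req.Certificate

# Checks worth making before trusting this certificate for HTTPS.
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'private key missing from LocalMachine\My' }
if ($cert.Subject -ne '')     { $problems += "subject is '$($cert.Subject)', expected blank" }
$missing = $DnsNames | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { $problems += "SAN lacks: $($missing -join ', ')" }
# 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU the Web Server template carries.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
    $problems += 'no Server Authentication EKU (wrong template duplicated?)'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires soon: $($cert.NotAfter)" }

if ($problems) {
    throw ("Certificate $($cert.Thumbprint) failed checks:`n - " + ($problems -join "`n - "))
}
"Issued $($cert.Thumbprint) for $($cert.DnsNameList.Unicode -join ', '), valid until $($cert.NotAfter)"
```

A status of Pending rather than Issued usually means the CA requires manager approval or the computer account is not in the MECM IIS Servers group; a failing SAN check means the names entered in the request do not match the FQDNs you plan to put in the site system properties, which is the most common cause of HTTPS clients rejecting the site system later.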

Configuring IIS to Use the MECM IIS Certificate

The steps that we perform now will configure IIS to use the web server certificate that we requested in the steps above. On the member server that has IIS installed, launch the Internet Information Services (IIS) Manager. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

In the Edit Site Binding dialog box, select the certificate that you requested by using the MECM IIS Certificate template, and then click OK. You have now configured IIS to use the web server certificate.
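The binding can also be created and checked from PowerShell, which lets you confirm that the certificate IIS actually serves on port 443 is the one you just enrolled. The script below is an added example, not code from the original post: it locates the newest valid certificate in the computer store for the site system FQDN, adds an HTTPS binding to the Default Web Site if one is missing, associates the certificate with it, and then reads the binding back to compare thumbprints. It assumes the WebAdministration module that ships with IIS, and the FQDN is a placeholder.

```powershell
# Added example, not from the original post: bind the enrolled certificate to
# the Default Web Site over HTTPS and verify the binding. Assumptions:
# WebAdministration module (IIS) is present; the FQDN is a placeholder.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$Fqdn     = 'cm01.contoso.local'   # placeholder: FQDN used in the site system properties

# Pick the newest certificate with a private key whose SAN covers the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.DnsNameList.Unicode -contains $Fqdn -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $Fqdn in Cert:\LocalMachine\My" }

# Add an HTTPS binding on 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# Associate the certificate with the 0.0.0.0:443 SSL endpoint, replacing any
# older certificate that was bound there.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Verify: the thumbprint IIS will present must match the certificate chosen above.
$bound = Get-Item $sslPath
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw "SSL binding presents $($bound.Thumbprint), expected $($cert.Thumbprint)"
}
"Bound $($cert.Thumbprint) (SAN: $($cert.DnsNameList.Unicode -join ', ')) to ${SiteName}:443"
```

Re-run the script after each certificate renewal; because it selects by FQDN and expiry rather than by thumbprint, it moves the binding to the new certificate without editing the script.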