PFX Certs for Out of Band Management
Greetings,
I've not seen many posts regarding Out of Band Management. Is it a feature that many choose not to deploy?
Having set up a Windows Server 2003 Enterprise CA and created my customised templates I have finally hit a hitch. I can only request a certificate in PKCS#10 or CMC format.
Config Manager requires PKCS#12 (also known as PFX). This format is different to the others in that it allows the Private Key to be exported. Does anyone have any idea why my CA doesn't seem to offer me PKCS#12 functionality?
Thanks,
Michael
All Replies
- Have you followed the instructions from the step-by-step (http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2)? Specifically, step 6 where you select Allow private key to be exported on the Request Handling tab for the certificate template?
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- Hi Carol,
Yes, I had checked that setting and it is marked to permit it to be exported. It was the first thing that came to my mind too and I had gone back to double check this setting on a number of occasions.
I first tried using the web enrollment method (https://ca/sertsrv) This allows me to specify the AMT Provisioning Certificate template I created from a drop down menu but I can only make a request in PKCS#10 or CMS format.
I have also tried generating a request using the Certificate snap-in on my Config Manager server and even my CA. After opening the Certificate store for Local Computer, I expanded Personal, right-clicked Certificates, chose All Tasks then Advanced Options. I then chose 'Create a Custom Request'.
Then, choosing Custom Request, Proceed without Enrollment Policy. Again I only get the options PKCS#10 or CMS format.
Michael
- I believe I have the answer to this.
I followed the instructions on the Technet site verbatim. http://technet.microsoft.com/en-us/library/cc161804.aspx#BKMK_AMTprovisioning2
It says . . .
In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template
The template that needs to be duplicated is Web Server (Exp) rather than Web Server as it states above. I assume (Exp) signifies that this is an exportable template.
A bit confusing though, because both templates have the Allow private key to be exported checkbox in their settings.
Michael
Marked As Answer by Micmaher Tuesday, November 03, 2009 4:30 PM
- That's interesting .... thanks for this feedback. I'll look into it. I hadn't heard of this Web Server (Exp) certificate template. Are you running Windows Server 2008 R2 on your domain controllers?
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- Hi Carol,
No, we've Windows 2003 DCs.
Michael
- Hi Michael
I had wondered if this was a new Windows certificate template that I didn't know about, but apparently not - so somebody must have created it in your company, probably by duplicating the Web Server certificate. I should have known with the name, because it's pretty unusual to have abbreviations for labels in the UI because they won't localize (don't translate into the international server languages).
So it's great that this solution resolved the problem for you, but unfortunately it won't help other customers who might run into the same problem. The only thing I can think of that might explain this behavior is that the Web Server certificate was originally duplicated and configured without the option to export the private key (this is not enabled by default in the Web Server certificate template), added to the CA, the certificate was requested, then the certificate template was reconfigured to allow the private key to be exported. When you change a certificate template after it's been added to the CA, the new setting will take effect but there's often a delay. If you remove and re-add the template to the CA, it speeds things up but there's still the potential for latency and this isn't obvious when the name of the template stays the same.
If this doesn't fit with what happened and you want to investigate it further, try the instructions as documented again and give the new certificate template a new name so that you know you're definitely requesting a certificate from a template that has the private key exportable at the time of adding it to the CA. And just to clarify, the default Web Server certificate template does not allow the private key to be exported and you cannot change this because it's a version 1 template. So to change this value you must duplicate the template (creates v2 template) and then you can enable the option.
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
Marked As Answer by Micmaher Friday, November 06, 2009 11:11 AM
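The two points in this thread (Michael's custom requests only offering PKCS#10/CMC, and Carol's explanation that the Web Server template is a non-editable v1 template whose v2 duplicate must carry the exportable-key flag and be picked up by the CA) come together in the script below. It is an added example, not code from either poster or from Microsoft's documentation. The CA config string, the template CN "AMTProvisioning", the subject name and the domain are placeholders to replace for your environment; it assumes an elevated PowerShell session on a domain-joined machine with Read on the template and Enroll permission. It checks the template object in AD for CT_FLAG_EXPORTABLE_KEY and the schema version, confirms the CA publishes the template, submits a PKCS#10 request generated with Exportable = TRUE, verifies the resulting key is exportable, and only then builds the PKCS#12 (PFX) file that Configuration Manager wants.

```powershell
# Added example for this thread; not code from the original posts or from Microsoft.
# Placeholders (assumptions): CA config string, template CN, subject. Run elevated on a
# domain-joined machine. certreq/certutil ship with Windows; the template check uses ADSI.

$TemplateCn  = 'AMTProvisioning'                     # assumption: object CN of the v2 duplicate (not the display name)
$CaConfig    = 'ca01.corp.example\Corp Issuing CA'   # assumption: "CAHost\CA common name"
$Subject     = 'CN=amt-prov.corp.example'            # assumption: subject the provisioning cert should carry
$PfxPassword = Read-Host -AsSecureString 'PFX password'

# 1. Inspect the template object in AD rather than trusting the MMC checkbox.
#    "Allow private key to be exported" sets CT_FLAG_EXPORTABLE_KEY (0x10) in
#    msPKI-Private-Key-Flag; a v1 template (schema version 1) cannot be edited at all.
$cfgNc    = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
$template = [ADSI]"LDAP://CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$flags    = [int]$template.Properties['msPKI-Private-Key-Flag'][0]
$version  = [int]$template.Properties['msPKI-Template-Schema-Version'][0]
if ($version -lt 2) {
    throw "$TemplateCn is a v$version template; duplicate it and request from the v2 copy."
}
if (($flags -band 0x10) -eq 0) {
    throw ("{0}: msPKI-Private-Key-Flag=0x{1:X} lacks CT_FLAG_EXPORTABLE_KEY" -f $TemplateCn, $flags)
}

# 2. Confirm the CA has actually picked up the template (re-add it, or wait, if not).
$published = certutil -config $CaConfig -CATemplates
if (-not ($published -match "^${TemplateCn}:")) {
    throw "CA '$CaConfig' does not publish template $TemplateCn yet."
}

# 3. Build a PKCS#10 request against the template. PKCS#10/CMC is the only *request*
#    format a CA accepts; PKCS#12 is the *export* format produced after issuance, and
#    that export only works if the key was generated exportable here.
$work = Join-Path $env:TEMP 'amtprov'
New-Item -ItemType Directory -Force -Path $work | Out-Null
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $TemplateCn
"@ | Set-Content -Path (Join-Path $work 'req.inf') -Encoding ASCII

certreq -new    (Join-Path $work 'req.inf') (Join-Path $work 'req.csr')
certreq -submit -config $CaConfig (Join-Path $work 'req.csr') (Join-Path $work 'cert.cer')
certreq -accept (Join-Path $work 'cert.cer')   # binds the issued cert to the key in LocalMachine\My

# 4. Verify the key really is exportable, then build the PFX for Configuration Manager.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $work 'cert.cer')
$stored = Get-Item "Cert:\LocalMachine\My\$($issued.Thumbprint)"
if (-not $stored.PrivateKey.CspKeyContainerInfo.Exportable) {
    throw "Key for $($issued.Thumbprint) is not exportable; the request was issued from a non-exportable template."
}
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PfxPassword)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
certutil -p $plain -exportPFX My $issued.Thumbprint (Join-Path $work 'amt-prov.pfx')
```

If step 1 passes but step 2 fails, you are in exactly the situation Carol describes: the template was edited after it was added to the CA and the change has not propagated yet. The PFX produced in step 4 contains the private key, so treat the file and its password like the key itself, and keep the exportable setting confined to this purpose-built template rather than enabling it on a general-purpose Web Server duplicate.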

