The posts we’ve provided around Configuration Manager 2012 Internet Based Client Management (IBCM) are proving to be very popular with lots of comments and questions coming in. A common request is a way of provisioning certificates for clients when domain auto-enrolment is not possible. This would be the case for workgroup machines, multi-forest deployment, and in scenarios where group policy processing doesn’t take place (remote machines accessing the infrastructure over VPN might be a candidate).
Our approach to this at the moment is to break the deployment process up a little, but still drive as much automation as possible. So, when we want to deploy a client in this scenario, the first thing we need to do is generate a certificate for it. We’re likely to want to do this in bulk, and as one-off jobs, so we use a standard batch script which accepts the computer name as a parameter, generates a certificate request, submits it to the CA and exports the resulting certificate with its private key.
rem Usage: ApajoveCertGen.cmd <computername>
rem Assumed line (not in the original listing): the commands below use %subjectname%, so take it from the first argument
set subjectname=%1
rem Create an INF request file with the specified subjectname
echo Generating *.inf file for certificate request for server %subjectname%
echo ;----------------CertificateRequestTemplate.inf---------------- > %subjectname%.inf
echo [NewRequest] >> %subjectname%.inf
echo Subject="cn=%subjectname%" >> %subjectname%.inf
echo Exportable=TRUE >> %subjectname%.inf
echo KeyLength=2048 >> %subjectname%.inf
echo KeySpec=1 ;key exchange >> %subjectname%.inf
echo KeyUsage=0xA0 >> %subjectname%.inf
echo MachineKeySet=TRUE >> %subjectname%.inf
echo [RequestAttributes] >> %subjectname%.inf
echo CertificateTemplate="ConfigMgrClientCertificate" ; this is for Client Authentication >> %subjectname%.inf
echo SAN="DNS=%subjectname%" >> %subjectname%.inf
rem Create a binary request file from the INF
echo Generating certificate request for server %subjectname%
CertReq -New -f %subjectname%.inf %subjectname%.req
echo Retrieving certificate for server %subjectname%...
rem -config takes the CA as CAServerFQDN\CAName
CertReq -Submit -q -f -config CAServerName.FQDN.CO.UK\CA-NAME-CA %subjectname%.req %subjectname%.cer
echo Importing certificate into Local Computer Store...
certreq -accept %subjectname%.cer
echo Exporting certificate with private key...
rem The PFX password must match the one used by the client install script
certutil -f -p agoodpassword -exportPFX MY %subjectname% .\clientcerts\%subjectname%.pfx
echo Cleaning up...
certutil -delstore "MY" %subjectname%
echo Certificate generation for server %subjectname% complete!
This script will create a ConfigMgr client cert with the name of the machine you are going to deploy.
To use this script against a list of machines you want to deploy you would:
For /f %I in (mylistofmachines.txt) do ApajoveCertGen.cmd %I
This will result in a certificate for each machine name being generated and stored in the clientcerts folder.
So, we now have a load of certificates. We will also need the Trusted Root certificate exported; this can be obtained from the computer’s Trusted Root Certification Authorities store and exported as a .cer file.
How to deploy the client?
We need a folder structure with a copy of the ConfigMgr client binaries.
Our clientcerts folder is in here too, as is the batch file for certificate and client install, which looks like this:
@echo Adding Trusted Root Certificate
certutil -addstore -f "ROOT" "%~dp0MyTrustedRoot.cer"
@echo Import Client Certificate
rem Password must match the one used when the PFX was exported
certutil -p agoodpassword -importPFX "%~dp0clientcerts\%computername%.pfx"
@echo Install ConfigMgr Client
rem Assumed: /source points at the folder holding ccmsetup.exe (the path in the original listing was garbled)
rem /NOCRLCheck turns off certificate revocation checking; remove it once clients can reach the CRL distribution point
"%~dp0client\ccmsetup.exe" /source:"%~dp0client" /mp:myserver.fqdn.co.uk /usePKICert /NOCRLCheck SMSSITECODE=ZZZ CCMHOSTNAME=sccmserver.fqdn.co.uk CCMHTTPSTATE=31
When executed this imports the Trusted Root cert, imports the client cert we created above and then installs the ConfigMgr client. You’ll likely want to pass additional parameters to the client installation, but this is a good place to start.
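A check worth running over the clientcerts folder before the installer is pushed out, as an added example that is not part of the original post: it opens each PFX with the password from the scripts above and confirms that it carries a private key, that its CN and SAN match the file name, that it has the Client Authentication EKU, and that it chains to the exported MyTrustedRoot.cer. It assumes the folder layout, password and root file name used by the batch scripts, and a single-tier CA (the root issues the client certificates directly).

```powershell
# Added example: validate bulk-generated ConfigMgr client PFX files before deployment.
# Assumed: folder layout, password and root file name follow the batch scripts above.
param(
    [string]$CertFolder  = ".\clientcerts",
    [string]$PfxPassword = "agoodpassword",
    [string]$RootCerPath = ".\MyTrustedRoot.cer"
)
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU
$Root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCerPath

function Test-ClientPfx {
    param([System.IO.FileInfo]$PfxFile)
    $expectedName = $PfxFile.BaseName   # the generation script names each PFX after the machine
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($PfxFile.FullName, $PfxPassword)
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += "no private key in PFX" }

    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $expectedName) { $problems += "subject CN '$cn' does not match file name" }

    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $ClientAuthOid) { $problems += "Client Authentication EKU missing" }

    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $san -or $san.Format($false) -notmatch "DNS Name=$([regex]::Escape($expectedName))(,|$)") {
        $problems += "SAN does not contain DNS=$expectedName"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }

    # The root is not necessarily trusted on the machine running this check, so allow an
    # unknown CA during the build and then pin the top of the chain to MyTrustedRoot.cer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Root) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $built = $chain.Build($cert)
    $n = $chain.ChainElements.Count
    $pinned = ($n -gt 0) -and ($chain.ChainElements[$n - 1].Certificate.Thumbprint -eq $Root.Thumbprint)
    if (-not ($built -and $pinned)) { $problems += "does not chain to the exported root" }

    [pscustomobject]@{
        File       = $PfxFile.Name
        Thumbprint = $cert.Thumbprint
        Status     = if ($problems) { $problems -join "; " } else { "OK" }
    }
}

Get-ChildItem -Path $CertFolder -Filter *.pfx | ForEach-Object { Test-ClientPfx $_ } | Format-Table -AutoSize
```

Any row whose Status is not OK should be regenerated rather than shipped; the chain step only proves the certificate was issued by the root you are about to install on the client, not that the CA has not revoked it.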