Certificate Registration Point
- April 20, 2022
- Posted by: Pavithra
- Category: End User Computing
Certificate Registration Point
We will describe how to install SCCM Certificate Registration Point (CRP).
Using SCCM and Intune, the CRP communicates with a server that runs the Network Device Enrolment Service (NDES) to provision device certificate requests.
This is not a mandatory Site System, but we recommend installing a CRP if you need to provision client certificates to your devices (like VPN or WIFI).
Before the CRP can be installed, dependencies outside SCCM is required. I won’t cover the prerequisite configuration in details as they are well documented on this Technet article and it goes beyond SCCM. Here’s an overview of what needs to be done :
- Install the NDES role on a Windows 2012 R2 Server
- Modify the security permissions for the certificate templates that the NDES is using
- Deploy a PKI certificate that supports client authentication
- Locate and export the Root CA certificate that the client authentication certificate chains to
- Increase the IIS default URL size limit
- Modify the request-filtering settings in IIS
On the machine that will receive the CRP role, install the following using Windows server role and features:
- ASP .NET 3.5
- ASP .NET 4.5
- WCF HTTP Activation
If you are installing CRP on a remote machine from the site server, you will need to add the machine account of the site server to the local administrator’s group on the CRP machine.
SITE SYSTEM ROLE PLACEMENT IN HIERARCHY
The Certificate Registration Point must not be installed on the same server that runs the Network Device Enrollment Service. It’s supported to install this role on a Central Administration Site, child Primary Site or stand-alone Primary Site but it’s not supported on a Secondary Site.
Open the SCCM console
Navigate to Administration / Site Configuration / Servers and Site System Roles
Right click your Site System and click Add Site System Roles
On the General tab, click Next
CONFIGURATION MANAGER POLICY MODULE
Now that the Certificate Registration Point has been installed, we must install a plug-in on the NDES server to establish the connection with SCCM.
On the server that runs the Network Device Enrollment Service :
- Copy the \SMSSETUP\POLICYMODULE\X64 folder from the the Configuration Manager installation media to a temporary folder
- From the temporary folder, run PolicyModuleSetup.exe
- Click Next, accept the license terms and click Next
- On the Installation Folder page, accept the default installation folder click Next
- On the Certificate Registration Point page, specify the URL of the Certificate Registration Point. This is the Virtual Application Name created during the SCCM role installation (Example : https://crp.systemcenterdudes.com/CMCertificateRegistration)
- Accept the default port of 443, click Next
- On the Client Certificate for the Policy Module page, browse to and specify the client authentication certificate. This is the same certificate you used in the CRP Installation wizard in SCCM
- On the Certificate Registration Point Certificate page, click Browse to select the exported certificate file (the one exported from \inboxes\certmgr.box)
- Click Next and complete the wizard
- Open the registry editor and browse to HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP
- Make sure that the values of EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate match the names of the template on your CA
Live Instructor-led Online Training