How to Prepare Certificates for SCCM HTTPS Communication (Step by Step Guide)
If you are planning to move your SCCM (Configuration Manager) environment to HTTPS-only communication, the very first step is to prepare the required PKI certificates on your internal Certificate Authority (CA). Without the right certificate templates, SCCM roles like the Management Point (MP), Distribution Point (DP), and your Windows clients won’t be able to establish a secure connection.
In a previous post, I walked through configuring WSUS with the Software Update Point for HTTPS. If you missed that article, you can check it out here.
In this article, we will walk through creating the necessary certificate templates and enabling auto-enrolment for clients. In the next part, I will show how to configure SCCM itself and switch your site to HTTPS-only mode.
Why Do We Need Certificates in SCCM?
By default, SCCM communicates over HTTP. While this works, it’s not secure enough for today’s enterprise environments. Moving to HTTPS ensures:
- Secure communication between clients and site systems
- Authentication with certificates instead of just Kerberos
- Compliance with security standards (ISO, CIS, internal audit requirements)
Now let’s prepare the required certificate templates.
Step 1: Create a Workstation Authentication Certificate for Clients
Every SCCM client needs a certificate to prove its identity to site systems. For this, we use a Workstation Authentication certificate.
Open your Certification Authority console, then right-click Certificate Templates → Manage.

Duplicate the Workstation Authentication template.

In the new template, set Compatibility: Windows Server 2008 / Windows 7 or higher

Subject Name: Type a suitable name

Security: Give Domain Computers → Enroll + Autoenroll permissions

Publish the template on your CA.

This will allow every domain-joined workstation to automatically receive the right certificate.
Step 2: Create a Certificate Template for Distribution Points (DP)
Distribution Points (DP) in SCCM require a certificate that can be exported with a private key, since you’ll later import it into SCCM.
Duplicate the Computer template.
Configure it as follows:
- Allow private key export: enabled
- Enhanced Key Usage (EKU): Server Authentication
- Security: Enroll permissions for your SCCM server(s)
Publish the template.


This certificate will later be used when you configure SCCM Distribution Points for HTTPS.
Step 3: Create a Web Server Certificate Template for SCCM IIS Roles
Roles like the Management Point (MP), Software Update Point (SUP), and Application Catalog rely on IIS. For them, you’ll need a Web Server certificate.
- Duplicate the Web Server template.
- Configure:
  - EKU: Server Authentication
  - Security: Enroll permissions for SCCM servers
- Publish the template.

Later, you’ll request this certificate on each SCCM server role that uses IIS.
Step 4: Enable Auto-Enrollment for Client Certificates
To make sure clients automatically receive their Workstation Authentication certificate, we need to configure Group Policy auto-enrollment.
Open Group Policy Management. Edit (or create) a GPO linked to the domain.

Go to: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Certificate Services Client – Auto-Enrollment

Set the following options:
- Configuration Model: Enabled
- Renew expired certificates
- Update certificates that use templates

With this policy, all domain-joined devices will auto-enroll their certificates without any manual steps.
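To confirm that auto-enrollment actually delivered a usable certificate, the following check can be run on a client. It is an added example, not part of the original article: the helper name `Get-SccmPkiCandidate` and the 30-day expiry threshold are assumptions, and the EKU OIDs are the standard values for Client and Server Authentication.

```powershell
# Added example (not from the original article). Run elevated on a client
# or SCCM site system after Group Policy has applied.

# Standard EKU OIDs
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication (Workstation Authentication template)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (Web Server template)

# Hypothetical helper: report every computer-store certificate carrying the given EKU.
function Get-SccmPkiCandidate {
    param(
        [Parameter(Mandatory)][string]$EkuOid,
        [int]$WarnDays = 30   # assumption: warn when expiry is under 30 days away
    )
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EkuOid } |
        ForEach-Object {
            # Certificate Template Information extension, present on v2+ template certificates
            $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
            [pscustomobject]@{
                DnsNames      = $_.DnsNameList.Unicode -join ', '
                Thumbprint    = $_.Thumbprint
                Template      = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
                NotAfter      = $_.NotAfter
                InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
                ExpiresSoon   = ($_.NotAfter -lt $now.AddDays($WarnDays))
                HasPrivateKey = $_.HasPrivateKey
                ChainTrusted  = $_.Verify()   # builds the chain to a trusted root with default policy
            }
        }
}

# Optional: force a policy refresh and an auto-enrollment pass before checking.
# gpupdate /target:computer /force
# certutil -pulse

$certs  = @(Get-SccmPkiCandidate -EkuOid $ClientAuthOid)
$usable = @($certs | Where-Object { $_.InValidity -and $_.HasPrivateKey -and $_.ChainTrusted })
if ($usable.Count -eq 0) {
    Write-Warning 'No usable Client Authentication certificate in LocalMachine\My.'
}
$certs | Format-List
```

On an IIS-based site system, pass `$ServerAuthOid` instead to check the certificate requested from the Web Server template.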
At this point, you have:
- Workstation Authentication certificates automatically issued to clients
- A reusable certificate template for your SCCM Distribution Points
- A Web Server certificate template for IIS-based roles
These certificates are the foundation for a secure SCCM PKI environment.