First published on CloudBlogs on Oct 30, 2017
We have added limited support for Cryptography: Next Generation (CNG) certificates in Update 1710 for System Center Configuration Manager Technical Preview. Configuration Manager clients can now use a PKI client authentication certificate whose private key is stored in a CNG Key Storage Provider (KSP). With KSP support, clients can use a hardware-based private key, such as one held by the TPM KSP, for the PKI client authentication certificate. We chose to prioritize some scenarios, and this post gives an overview of the scenarios you can use to try CNG certificates and lists the scenarios that are not currently supported.
Supported in 1710 Technical Preview
Beginning with the 1710 Technical Preview you can use certificates created using CNG certificate templates for client-specific scenarios. The following scenarios are supported:
- Client registration and communication with a HTTPS management point
- Software distribution and application deployment with a HTTPS distribution point
- Operating system deployment (**see known issue below)
- Cloud Management Gateway configuration
- Client messaging SDK (with a soon to be released update) and ISV Proxy
Not supported for 1710 Technical Preview
- Application Catalog Web service, Application Catalog website, Enrollment point, and Enrollment proxy point roles will not be operational when installed in HTTPS mode with a CNG certificate bound to the web site in Internet Information Services (IIS). Software Center will not display applications and packages deployed to user or user group collections as available.
- State Migration Point will not be operational when installed in HTTPS mode with a CNG certificate bound to the web site in IIS.
- Using CNG certificates to create a Cloud Distribution Point is not supported.
- NDES Policy Module to Certificate Registration Point (CRP) communication will fail if the NDES Policy Module is using a CNG certificate for client authentication certificate.
- **Task sequence media creation will fail to create bootable media if a CNG certificate is specified.
Creating CNG certificate templates
You will need to create CNG certificate templates on the Certificate Authority (CA) and enroll the certificate on the target machines (clients or servers), depending on the purpose and scenario you are testing, e.g. client authentication, server authentication, etc.
Required certificate template properties (Windows CA):
- Under the Compatibility tab, "Certification Authority" must be at least "Windows Server 2008" (recommended "Windows Server 2012")
- Under the Compatibility tab, "Certificate recipient" must be at least "Windows Vista/Server 2008" (recommended "Windows 8/Windows Server 2012")
- Under the Cryptography tab, make sure the "Provider Category" is "Key Storage Provider"
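Once a certificate has been enrolled from such a template, the question a practitioner will want answered is whether the private key actually ended up in a CNG Key Storage Provider (and, for the TPM scenario, which provider holds it) rather than in a legacy CryptoAPI CSP. The following PowerShell inventory is an added example, not code from the original post or from Configuration Manager; it assumes Windows PowerShell 5.1 on .NET Framework 4.6.1 or later, an elevated session so private-key metadata in the machine store is readable, and the documented provider name "Microsoft Platform Crypto Provider" for the TPM-backed KSP.

```powershell
# Added example (not from the original post): list client authentication certificates in
# Cert:\LocalMachine\My and report whether each private key is held by a CNG Key Storage
# Provider (usable by Configuration Manager 1710 TP) or a legacy CryptoAPI CSP.
# Assumptions: Windows PowerShell 5.1, .NET Framework 4.6.1+, elevated session.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthEku {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $true }   # no EKU extension means the certificate is valid for all purposes
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Get-KeyProviderInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [pscustomobject]@{ KeyType = 'None'; Provider = $null; HardwareBacked = $false }
    if (-not $Cert.HasPrivateKey) { return $result }

    # GetRSAPrivateKey returns RSACng for KSP-held keys and RSACryptoServiceProvider for CSP-held keys.
    # Note: $Cert.PrivateKey is $null for CNG keys on .NET Framework, so do not rely on it.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $result.KeyType        = 'CNG'
        $result.Provider       = $rsa.Key.Provider.Provider
        # The TPM-backed KSP reports this provider name (assumed from Windows documentation).
        $result.HardwareBacked = ($result.Provider -eq 'Microsoft Platform Crypto Provider')
        return $result
    }

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $result.KeyType        = 'CSP'
        $result.Provider       = $rsa.CspKeyContainerInfo.ProviderName
        $result.HardwareBacked = $rsa.CspKeyContainerInfo.HardwareDevice
        return $result
    }

    # Non-RSA key: ECDSA keys on .NET Framework are always CNG-backed (ECDsaCng).
    $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    if ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) {
        $result.KeyType        = 'CNG'
        $result.Provider       = $ecdsa.Key.Provider.Provider
        $result.HardwareBacked = ($result.Provider -eq 'Microsoft Platform Crypto Provider')
        return $result
    }

    $result.KeyType = 'Unknown'
    return $result
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku -Cert $_) } |
    ForEach-Object {
        $info = Get-KeyProviderInfo -Cert $_
        [pscustomobject]@{
            Subject        = $_.Subject
            Thumbprint     = $_.Thumbprint
            NotAfter       = $_.NotAfter
            KeyType        = $info.KeyType
            Provider       = $info.Provider
            HardwareBacked = $info.HardwareBacked
        }
    } | Format-Table -AutoSize
```

A certificate that shows KeyType CSP was enrolled from a template whose Provider Category is still "Legacy Cryptographic Service Provider", so re-enrolling from a template with the properties listed above is the fix; a KeyType of CNG with Provider "Microsoft Software Key Storage Provider" is a software KSP key, and only the platform (TPM) provider indicates the hardware-backed case the post describes.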
Published Sep 08, 2018, version 1.0, by yvetteomeally (Microsoft)