How To Create a Certificate for a PXE Service Point in ConfigMgr 2007

Written by Kip Ng, Principal Microsoft Premier Field Engineer

Most companies that I come across run System Center Configuration Manager (ConfigMgr) 2007 mixed mode especially when they do not have any Internet-based clients. Of course, there are some companies who choose to use Native mode because of security requirements.  One thing about using Native mode is there’s heavy usage of certificates which can be a little overwhelming for some new ConfigMgr administrators. Also, the help files don’t exactly provide step by step instructions in some situations. Configuring the ConfigMgr PXE service point’s certificate is one of those tasks.

If you look at the help file, you will find the following:

Specify whether the PXE service point will create a self-signed certificate or if the certificate will be imported by the user. If you are in an environment that requires the PXE service point to create a self-signed certificate, you must set the expiration date in the space provided. In native mode environments the self-signed certificate option is not available and you must import a certificate from a trusted root certification authority.

So in this post I’m going to highlight a couple of steps you can take to create a certificate template that is specifically meant for this purpose and then create a certificate for the ConfigMgr PXE Service. You can also use an existing certificate template if you have one. We need a certificate template that allows us to export the private key as well.  Here are the steps:

PART 1: On the Certificate Authority

1. Open Certificate Template Console

a. Firstly, go to your Certificate Authority

b. Right click at the Certificate Template

c. Then select Manage

Certificate Template Console

2. Create a new Certificate Template

a. You will then see the Certificate Template Console opened.

b. Find the Workstation Authentication template. This template is good enough because we really only need Client Authentication.

c. Right click on that template and then select Duplicate Template

d. If you are prompted to choose if this template is for Windows Server 2003 Enterprise or Windows Server 2008 Enterprise, choose Windows Server 2003 Enterprise.

e. You will then be prompted for the Properties of the New Template. You will see the following:

Certificate Template

3. Configure Properties of New Template

a. General Tab

i. Template display name: ConfigMgr PXE Certificate

ii. Template name: ConfigMgrPXECertificate

b. Request Handling Tab

i. Check Allow Private Key to be exported

c. Subject Name Tab

i. Select Supply in the request

d. Issuance Requirement Tab

i. Check CA certificate manager approval

Then click OK to create the new Template.

4. Enable Certificate Template to Issue

a. Next, go back to the Certificate Authority Management console,

b. This time, instead of selecting Manage on the Certificate Template, select New à Certificate Template to Issue

New Certificate Template to Issue

c. Then select the new certificate template, which is ConfigMgr PXE Certificate

PART 2: On the ConfigMgr Server

With the certificate template created and available, the next thing we need to do is to request the certificate from the CA server. Here are the steps,

1. Request the ConfigMgr PXE Service Point certificate

a. Open Notepad (or any text editor) and copy and paste the following text into the file:


Subject = "CN=ConfigMgr PXE Certificate"

MachineKeySet = True

Exportable = True


CertificateTemplate = ConfigMgrPXECertificate

b. Save the file as ConfigMgrPXECertificate.inf

c. Open a command window in the certificates folder that you created, type the following command, and then press Enter:

certreq –new ConfigMgrPXECertificate.inf ConfigMgrPXECertificate.req


2. Submit the request to the CA

a. Type the following command, and then press Enter:

certreq –submit ConfigMgrPXECertificate.req ConfigMgrPXECertificate.cer

b. You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. When the certificate is issued, you see RequestId: <number> displayed, where <number> is the next sequential certificate request to the issuing CA. Make a note of this number.

3. Approve the Certificate on the Certificate Authority

a. On the Certificate Authority Management Console, in Certification Authority, click Pending Requests.

b. In the results pane, you will see the requested certificate with the Request ID that was displayed with the last Certreq command.

c. Right-click the requested certificate, click All Tasks, and then click Issue.

d. Do not close the Certification Authority console.

4. Installing the Certificate

a. On the member server, in the command window, type the following command, and then press Enter:

certreq –retrieve <number> ConfigMgrPXECertificate.cer

b. For example, if the request number previously displayed was 12, type: certreq –retrieve 12 ConfigMgrPXECertificate.cer

c. You are prompted to select the issuing CA in the Select Certification Authority dialog box. Select the CA, and then click OK. Click OK to overwrite the existing file.

d. Type the following command, and then press Enter:

certreq –accept ConfigMgrPXECertificate.cer

5. Export the Certificate

a. Next, you can export the certificate by opening the Local Computer certificate management console and then click on the Details tab and click Copy to File:

Export the Certificate

b. And follow the wizard, ensure you choose “Yes, export the private key” option when asked.

With this, you will have the certificate (*.PFX) that you can use to be imported and used by the ConfigMgr PXE Service Point.

ConfigMgr PXE Service Point Properties

Hope you find this useful.

Comments (2)

  1. EliotIrons says:

    Followed all of the steps but when it comes to Copy to File, the only options are for the very top 3 choices DER, Base-64, and Cryptographic. Any idea what I could have done wrong?

  2. TristanK says:

    Hi Eliot – chances are you didn't mark the private key as exportable (Template properties, 3.b.i. above). If the private key can be exported, PFX is an export option.

Skip to main content