Tuesday, June 30, 2020

Change/Update SCCM-MEM Certificates

Purpose:

To help others take what I have done and use it for their own environment with modifications, or to improve upon what I have done for others to use in the future.  Use at own risk.

Problem:

We were moving to a new PKI environment with new CA and SubCAs.  We needed to update our certificates on our SCCM/MEM infrastructure servers.  This included client authentication, distribution point, management point, and software update point certificates.  Our environment had 80+ DPs, 2 MPs, and 1 Primary Site Server.

Solution:

WinRM was already enabled.  We pushed the new Root CA and SubCA to the infrastructure servers using GPO, then created a few scripts to automate the tasks needed to update the certificates.  This included the certificate request, export, IIS binding, and importing the certificate into the console for DPs.  This took our change/update tasks from multiple hours to ~45 min, almost all of which was script runtime and monitoring the console output.

Scripts:

Script 1 – Enable CredSSP on infrastructure servers

Script 2 – Certificate request, export, and bind IIS certificate

Script 3 – Import DP certificate into the console
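The IIS binding step of Script 2, written out as an added example (this is not the author's script): it selects the newest valid server-authentication certificate issued by the new SubCA from the local machine store and rebinds the HTTPS site to it. The SubCA name, template name and IIS site name in "< >" are placeholders to fill in for your environment.

```powershell
# Added example, not the original Script 2. Requires the WebAdministration module
# (installed with IIS) and runs with local admin rights on the DP/MP/SUP.
Import-Module WebAdministration

function Get-NewServerCert {
    param(
        [Parameter(Mandatory)][string]$IssuerName   # e.g. '<New SubCA CN>'
    )
    # Server Authentication EKU is OID 1.3.6.1.5.5.7.3.1. Only consider certs that
    # came from the new SubCA, have a private key, and are currently valid;
    # take the most recently issued one so a re-enrolled cert wins over an old one.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.Issuer -like "*$IssuerName*" -and
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function Set-IisHttpsBinding {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$SiteName = '<IIS Site Name>',   # usually 'Default Web Site'
        [int]$Port = 443
    )
    # Make sure the site has an https binding on the port before touching SSL config
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    }
    # HTTP.sys holds one cert per IP:port; drop the old SubCA's cert binding and
    # attach the new one. The old certificate itself stays in the store untouched.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) { Remove-Item $sslPath -Force }
    New-Item -Path $sslPath -Value $Certificate | Out-Null
    # Return the bound thumbprint so the caller can log it and compare to the cert picked
    (Get-Item $sslPath).Thumbprint
}

$cert = Get-NewServerCert -IssuerName '<New SubCA CN>'
if (-not $cert) { throw 'No valid server cert from the new SubCA found in LocalMachine\My' }
$bound = Set-IisHttpsBinding -Certificate $cert
if ($bound -ne $cert.Thumbprint) { throw "Binding shows $bound, expected $($cert.Thumbprint)" }
```

Run it per server with Invoke-Command over the existing WinRM sessions; the final thumbprint comparison is the check that the console output should show before moving on to Script 3.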

Modifications:

All areas that need to be modified are in “< >” symbols.

Script 2

1. Production - Lines 6, 9, 15, 21, 33

2. Testing - Lines 97-103

3. Error/Resume - Line 116

Script 3

1. Production - Lines 45, 50