Interesting and expensive. Remember, it's a recurring cost (as I pointed out).

J

From: [email protected] [mailto:[email protected]] On 
Behalf Of John M
Sent: Tuesday, January 28, 2014 2:21 PM
To: [email protected]
Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?

This is the option we're exploring.  The auto-enrollment feature has to be 
supported through the 3rd party CA or it's a non-starter for us.  It does 
appear that GlobalSign does have such a capability, but we have yet to get an 
estimate for the cost.
________________________________
From: 
[email protected]<mailto:[email protected]>
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?
Date: Tue, 28 Jan 2014 20:14:56 +0000
With the PKI gateway from some of the vendors, you can enable auto-enrollment.

Christopher Catlett
Consultant | Detroit

Sogeti USA
Office 248-876-9738 |Fax 877.406.9647
26957 Northwestern Highway, Suite 130, Southfield, MI 48033-8456
www.us.sogeti.com<http://www.us.sogeti.com/>

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Jason Sandys
Sent: Tuesday, January 28, 2014 2:46 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?

Not with certs purchased from a third-party (which is the main reason for this 
thread although I didn't state that in my answer). For certs issued using a 
Microsoft Enterprise PKI and a GPO with auto-enrollment and auto-renew enabled, 
yes.

J

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of John M
Sent: Tuesday, January 28, 2014 1:34 PM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?

Correct me if I'm wrong but wouldn't the client enrollment through the GPO 
cause the clients to automatically renew the cert when it expires?
________________________________
From: [email protected]<mailto:[email protected]>
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?
Date: Tue, 28 Jan 2014 19:08:10 +0000
Also remember that the unique client cert per computer is not perpetual, you 
would have to repurchase all of those certs every year so it's even more 
expensive than you think. And how are you going to get the renewed certs out to 
clients?

As for 8.1 managed via the Intune connector, be careful, it's not full 
management. You cannot do things like manage SCEP or push updates.

J

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Lindenfeld, Ivan
Sent: Tuesday, January 28, 2014 11:13 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?

The expense of the client certs made us pause.  The project is not dead, but 
since you need a unique client cert per computer on the internet, it's 
expensive.

My understanding is that the clients will NOT auto-enroll; you will need to 
deploy an SCCM client and unique cert by hand to each internet computer.

Too bad SCCM/Intune only lets you manage Windows 8.1 desktops on the internet.

Ivan Lindenfeld
Fidelity National Financial
Jacksonville, Florida

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of John M
Sent: Tuesday, January 28, 2014 11:58 AM
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?

We use GlobalSign, so far they are being helpful, but it's almost like I'm the 
first one to have ever asked for this.
> From: 
> [email protected]<mailto:[email protected]>
> To: [email protected]<mailto:[email protected]>
> Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?
> Date: Tue, 28 Jan 2014 16:45:50 +0000
>
> A few companies do "managed" PKI for client certs.
>
> http://www.symantec.com/verisign/managed-pki-service
>
> http://www.digicert.com/managed-pki-ssl.htm?gclid=CN_ChtuoobwCFeg-MgodJC8A9A
>
> https://www.globalsign.com/enterprise-pki/
>
>
> Christopher Catlett
> Consultant | Detroit
>
>
> Sogeti USA
> Office 248-876-9738 |Fax 877.406.9647
> 26957 Northwestern Highway, Suite 130, Southfield, MI 48033-8456
> www.us.sogeti.com<http://www.us.sogeti.com>
>
> -----Original Message-----
> From: [email protected]<mailto:[email protected]> 
> [mailto:[email protected]] On Behalf Of Dzikowski, Michael
> Sent: Tuesday, January 28, 2014 11:26 AM
> To: [email protected]<mailto:[email protected]>
> Subject: RE: [mssms] Implement SCCM 2012 encryption with 3rd party CA?
>
> 3rd party could be expensive for client certs...
>
> -----Original Message-----
> From: [email protected]<mailto:[email protected]> 
> [mailto:[email protected]] On Behalf Of John
> Sent: Tuesday, January 28, 2014 11:03 AM
> To: [email protected]<mailto:[email protected]>
> Subject: [mssms] Implement SCCM 2012 encryption with 3rd party CA?
>
> Hi All,
> We are looking to set up a PKI to enable encryption in the SCCM 2012 
> environment, but unfortunately, we do not have a local CA. We use a 3rd party 
> (GlobalSign) for our certificates, however, I'm not convinced they can 
> provide the client certificates. Has anyone else managed to get this working 
> with an external CA? I really need to know if this won't work and we're just 
> chasing our tails. Essentially, my concern is this:
> When we set up a local CA to issue certificates, we do it by creating a 
> template and allowing the clients to auto-enroll for the certificate. If we 
> have a 3rd party CA, how does that mechanism work, if at all?
>
> Thanks in advance
>
> John