A couple of semantic corrections first; yes, these are minor, but saying the wrong thing can have big implications:

- The list at the top looks more like cert templates, not certs. Certs are generated from these templates.
- You don't enroll certs, you enroll systems; enrollment is the process of a system getting a cert.

On to the questions:

- Yes, each site system with a client-facing role like the DP must have its own unique server auth cert (beware that the MP also requires a client auth cert so that it can self-check availability).
- Site systems, or more accurately their roles, can listen on either HTTP or HTTPS, not both. The site itself can allow both, but the actual roles on a site system are restricted to one or the other. Generally, folks will only configure their non-internal-serving site roles with HTTPS; that could vary, though, because of things like Mac support, internal security, etc.

J

From: [email protected] [mailto:[email protected]] On Behalf Of Brian McDonald
Sent: Tuesday, February 18, 2014 2:37 PM
To: [email protected]
Subject: [mssms] Configuring site systems to use HTTPS

My company is in the process of implementing a PKI infrastructure in an effort to support IBCM. So far, we have created the following certs:

- Workstation Authentication
- Workgroup
- Web Server
- Distribution Point

Currently working on enrolling the workstation authentication GPO. The question I have is: should I enroll the Web Server cert on all my DPs (e.g. Primary and remote DP)? My curiosity around this is determining whether I should configure my Primary site to use both HTTP/HTTPS communication as well as my DMZ Site System (DP/MP/SUP), OR should I only have my DMZ Site System configured for HTTPS communications?

Thanks,
Brian
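The reply above boils down to two checks an admin can run on each site system before flipping a role to HTTPS: does the machine store hold a usable Server Authentication cert (and, on an MP, a Client Authentication cert too), and which IIS bindings actually listen on HTTPS. The following PowerShell script is an added example written for this thread, not something posted by either participant or shipped with ConfigMgr. It assumes it is run elevated on the site system itself and that the IIS WebAdministration module is present; the EKU object identifiers are the standard ones from RFC 5280.

```powershell
# Added example (not from the thread): audit a ConfigMgr site system's local machine
# certificate store and IIS bindings for the prerequisites discussed above.
# Assumptions: run as administrator on the site system; IIS is installed so the
# WebAdministration module can be imported. Role list is constructed for the demo.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (RFC 5280)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (RFC 5280)

# The FQDN clients will connect to; HTTPS certs must carry it as a DNS name.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Constructed for the example: roles installed on this box (MP, DP, SUP ...).
$RolesOnThisSystem = @('MP', 'DP')

function Get-UsableCertsWithEku {
    param([Parameter(Mandatory)][string]$Oid)
    # A cert is only usable for a site role if it is time-valid, has a private
    # key, names this host, and carries the requested EKU.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.NotBefore -lt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $Oid)
    }
}

function Test-ServerAuthCert {
    # Every client-facing role (DP, MP, SUP) needs a server auth cert for this host.
    $certs = Get-UsableCertsWithEku -Oid $ServerAuthOid |
        Where-Object { $_.DnsNameList.Unicode -contains $Fqdn -or $_.Subject -like "*CN=$Fqdn*" }
    if (-not $certs) {
        Write-Warning "No valid Server Authentication cert for $Fqdn in LocalMachine\My."
        return $false
    }
    if (@($certs).Count -gt 1) {
        # Not fatal, but IIS binding selection becomes ambiguous; flag it.
        Write-Warning "Multiple server auth certs for $Fqdn; make sure the IIS binding uses the intended one."
    }
    $certs | ForEach-Object { Write-Output ("Server auth cert OK: {0} (expires {1:yyyy-MM-dd})" -f $_.Thumbprint, $_.NotAfter) }
    return $true
}

function Test-ClientAuthCert {
    # Only the MP self-checks its own availability and therefore also needs client auth.
    if ($RolesOnThisSystem -notcontains 'MP') { return $true }
    $certs = Get-UsableCertsWithEku -Oid $ClientAuthOid
    if (-not $certs) {
        Write-Warning "MP role present but no valid Client Authentication cert found."
        return $false
    }
    $certs | ForEach-Object { Write-Output ("Client auth cert OK: {0}" -f $_.Thumbprint) }
    return $true
}

function Get-IisProtocolSummary {
    # Roles listen on HTTP or HTTPS, not both; show what IIS is actually bound to so
    # a leftover port-80 binding is not mistaken for an HTTPS-only configuration.
    Import-Module WebAdministration -ErrorAction Stop
    Get-WebBinding | ForEach-Object {
        [pscustomobject]@{
            Protocol    = $_.protocol
            Binding     = $_.bindingInformation
            CertHash    = $_.certificateHash
        }
    }
}

$serverOk = Test-ServerAuthCert
$clientOk = Test-ClientAuthCert
Get-IisProtocolSummary | Format-Table -AutoSize

if ($serverOk -and $clientOk) {
    Write-Output "Certificate prerequisites for roles [$($RolesOnThisSystem -join ', ')] on $Fqdn look satisfied."
} else {
    Write-Output "Certificate prerequisites NOT satisfied; resolve the warnings before switching roles to HTTPS."
}
```

Run it once per site system (primary, remote DPs, the DMZ DP/MP/SUP) rather than only on the primary: the point of the reply is that each client-facing server needs its own cert, so a passing result on one box says nothing about the others. A binding table showing both an `http` and an `https` entry on the same site is the expected state while a role is still set to HTTP; once the role is switched to HTTPS, the `https` binding must reference the server auth cert's thumbprint, and the matching `http` listener for that role should no longer be serving clients.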

