On Thu, Aug 23, 2012 at 11:06 AM, Stephen Wimberly <[email protected]> wrote:
> I want to use PKI for SCCM 2012, and it's a nice to have for other servers.
>
> QUESTION: If I were to purchase a certificate from an outside trusted
> vendor like Verisign, could I skip the internal Enterprise server CA
> and import the purchased certificate directly to my SCCM server?
>
> From what I have read so far it looks best to purchase a cert, import
> it to your Enterprise CA and then create certificates from the
> Enterprise CA but it just sounds redundant. Am I really seeing this
> 'right'?

I suspect that won't work. We haven't yet brought up SCCM here, but at least some MSFT products require not only a cert installed on the server, but also a cert installed on the workstation. Even if SCCM doesn't require workstation certs, other stuff will.

I'd bite the bullet and put in a proper CA structure, with a root CA (running Win2k8R2 standard, probably as a VM) that is shut down 99+% of the time, and an intermediate CA (running Win2k8 R2 Enterprise), that is always up and running.

IMHO, if you're big enough to run SCCM, you're big enough to have a PKI.

Kurt
