BTW: Plan your PKI appropriately.  There's a patch available now that requires 
strong keys, but won't be mandatory for a bit.

http://myitforum.com/myitforumwp/2012/08/15/update-to-the-update-that-could-harm-your-system-center-environment-if-youre-not-ready/
 



-----Original Message-----
From: Michael B. Smith [mailto:[email protected]] 
Sent: Thursday, August 23, 2012 6:00 PM
To: NT System Admin Issues
Subject: RE: PKI big picture?

Eh, SCOM wants a cert more than SCCM does. IME.

But I still agree with your conclusion.

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Thursday, August 23, 2012 3:18 PM
To: NT System Admin Issues
Subject: Re: PKI big picture?

On Thu, Aug 23, 2012 at 11:06 AM, Stephen Wimberly <[email protected]> 
wrote:
> I want to use PKI for SCCM 2012, and it's a nice to have for other servers.
>
> QUESTION:  If I were to purchase a certificate from an outside trusted 
> vendor like Verisign, could I skip the internal Enterprise server CA 
> and import the purchased certificate directly to my SCCM server?
>
> From what I have read so far it looks best to purchase a cert, import 
> it to your Enterprise CA and then create certificates from the 
> Enterprise CA but it just sounds redundant.  Am I really seeing this 
> 'right'?

I suspect that won't work. We haven't yet brought up SCCM here, but at least 
some MSFT products require not only a cert installed on the server, but also a 
cert installed on the workstation. Even if SCCM doesn't require workstation 
certs, other stuff will.

I'd bite the bullet and put in a proper CA structure, with a root CA (running 
Win2k8R2 standard, probably as a VM) that is shut down 99+% of the time, and an 
intermediate CA (running Win2k8 R2 Enterprise), that is always up and running.

IMHO, if you're big enough to run SCCM, you're big enough to have a PKI.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
