We'll be implementing both once I have my new VMware environment up and running.

I needed our PKI to start with for Direct Access/UAG, and now it's also
in use for Lync, and soon our 802.1X wireless, and, well, I'm sure
there's more to come.

Terribly useful, all told.

Kurt

On Thu, Aug 23, 2012 at 2:59 PM, Michael B. Smith <[email protected]> wrote:
> Eh, SCOM wants a cert more than SCCM does. IME.
>
> But I still agree with your conclusion.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Thursday, August 23, 2012 3:18 PM
> To: NT System Admin Issues
> Subject: Re: PKI big picture?
>
> On Thu, Aug 23, 2012 at 11:06 AM, Stephen Wimberly
> <[email protected]> wrote:
>> I want to use PKI for SCCM 2012, and it's a nice to have for other servers.
>>
>> QUESTION:  If I were to purchase a certificate from an outside trusted
>> vendor like Verisign, could I skip the internal Enterprise server CA
>> and import the purchased certificate directly to my SCCM server?
>>
>> From what I have read so far it looks best to purchase a cert, import
>> it to your Enterprise CA and then create certificates from the
>> Enterprise CA but it just sounds redundant.  Am I really seeing this
>> 'right'?
>
> I suspect that won't work. We haven't yet brought up SCCM here, but at
> least some MSFT products require not only a cert installed on the
> server, but also a cert installed on the workstation. Even if SCCM
> doesn't require workstation certs, other stuff will.
>
> I'd bite the bullet and put in a proper CA structure, with a root CA
> (running Win2k8R2 standard, probably as a VM) that is shut down 99+%
> of the time, and an intermediate CA (running Win2k8 R2 Enterprise),
> that is always up and running.
>
> IMHO, if you're big enough to run SCCM, you're big enough to have a PKI.
>
> Kurt
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
