My understanding is that you're likely looking at a high five-figure to mid
six-figure annual cost to have your CA signed so you are issuing publicly trusted
certs as you describe. If this is something you want to do, you need to hire a 
consultant to help you - there's a ton of work involved.

I think SCCM expects a trusted cert on each device for the Internet client 
scenario so that's why you need the internal PKI infrastructure. 

Thanks,
Brian Desmond
[email protected]

w - 312.625.1438 | c   - 312.731.3132

-----Original Message-----
From: Stephen Wimberly [mailto:[email protected]] 
Sent: Thursday, August 23, 2012 1:06 PM
To: NT System Admin Issues
Subject: PKI big picture?

I want to use PKI for SCCM 2012, and it's a nice to have for other servers.

QUESTION:  If I were to purchase a certificate from an outside trusted vendor 
like Verisign, could I skip the internal Enterprise server CA and import the 
purchased certificate directly to my SCCM server?

From what I have read so far it looks best to purchase a cert, import it to
your Enterprise CA and then create certificates from the Enterprise CA but it
just sounds redundant.  Am I really seeing this 'right'?
