RS1 Posted December 3, 2012

I implemented a basic SCCM 2007 install for my company quite early on this year and the majority of my learning came from various web-sites and books. I've been asked to replace the system in the first quarter of 2013 and, after Christmas, will begin the necessary research and study to put this into place. However, we've run up against a small snag here and it has become apparent that we'll need to replace our PKI much sooner - perhaps as early as next week.

Can anyone advise me please on what sort of design I'd need to be looking at for my PKI so that, when the time comes to implement SCCM 2012, we're all ready to go? We need to implement an offline root CA and an intermediate CA within our private network. Will we need a third CA in our DMZ for the internet based clients and, if so, what type? Also, are we OK using Windows Server 2012 for the CA and for the SCCM install or should we be sticking to 2008 R2?

Any help here will be appreciated because, as I mentioned, the SCCM install is not something I can dedicate much research time to at the moment as it's not an immediate requirement. Many thanks in advance.
Peter van der Woude Posted December 3, 2012

No, you don't need a CA in your DMZ... and you should be fine with running your CA on Windows Server 2012 and your ConfigMgr on Windows Server 2008 R2.
RS1 Posted December 4, 2012

Right, so the only thing we require is to have an SCCM server in the DMZ to which the Internet Based Clients can connect? Thanks for your answer.
Kingen Posted December 4, 2012

I think you only need a Management Point in the DMZ?
RS1 Posted December 4, 2012

I guess I can worry about that nearer the time, once I've done my own research. The key thing is that, when I put the PKI in next week (focusing primarily on smart cards), it's going to allow me to do what I need with SCCM. I can imagine the look on my boss's face if I were to go in and say "Hey, you know that PKI I built before Christmas? Well, I need to build a new one now and decommission the old one." He'd outright kill me!
Peter van der Woude Posted December 4, 2012

Keeps him busy. The only thing you need to keep in mind is the deployment of certificates to non-domain machines. They won't get a certificate automatically...
RS1 Posted December 5, 2012

All of the machines will be added to the domain at the deployment stage, so I can arrange for them to have the certificate fairly quickly. The computers will then go offsite and most of those machines will not come back onto the network again. They go out with our field reps and only come back in when that person leaves the company and the laptop is allocated to another user. That's really what made me think I might need to have a CA in the DMZ, so that the CRLs are available.
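The CRL concern raised in the last post is worth checking concretely before the PKI goes in: what the off-site laptops need is not a CA in the DMZ but CRL Distribution Point (CDP) and Authority Information Access (AIA) URLs, baked into the certificates at issuance, that point at an HTTP location a client on the public internet can reach. The script below is an added example, not code from the thread or from any of its participants. It pulls the CDP and AIA URLs out of a certificate in the local machine store and reports which ones an internet-based client could actually use. The store path, the `$Subject` filter and the public hostname `pki.example.com` are placeholders for this illustration and are not taken from the thread.

```powershell
# Added example, not from the thread above: enumerate the CRL Distribution Point (CDP)
# and Authority Information Access (AIA) URLs embedded in a certificate and report which
# of them a client on the public internet could actually use.
# Assumptions (hypothetical): the certificate of interest sits in the local machine
# personal store, and 'pki.example.com' is the public hostname the CRL will be served from.

param(
    [string] $StorePath  = 'Cert:\LocalMachine\My',
    [string] $Subject    = '*',                 # narrow this to the client-auth cert
    [string] $PublicHost = 'pki.example.com'    # hypothetical public CRL host
)

function Get-CertPkiUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $urls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            # Format($true) renders the extension as text with one "URL=..." per location
            [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
    }
    $urls | Sort-Object -Unique
}

function Test-PkiUrl {
    param([string] $Url, [string] $ExpectedHost)
    $uri = [uri] $Url
    if ($uri.Scheme -eq 'ldap') {
        # LDAP locations need line of sight to AD; an internet-based client never has that.
        return "SKIP  $Url  (LDAP: unusable off the corporate network)"
    }
    if ($uri.Host -notmatch '\.' -or $uri.Host -like '*.local') {
        # Single-label or .local names only resolve on the internal DNS.
        return "WARN  $Url  (internal-only hostname)"
    }
    if ($uri.Host -ne $ExpectedHost) {
        return "WARN  $Url  (host is not the published public CRL host $ExpectedHost)"
    }
    try {
        # HEAD is enough to prove the file is being served; -UseBasicParsing avoids IE dependencies.
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 15
        return "OK    $Url  (HTTP $($resp.StatusCode))"
    } catch {
        return "FAIL  $Url  ($($_.Exception.Message))"
    }
}

$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like $Subject } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$Subject' in $StorePath" }

Write-Host "Checking PKI locations in: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
foreach ($url in Get-CertPkiUrls -Certificate $cert) {
    Write-Host (Test-PkiUrl -Url $url -ExpectedHost $PublicHost)
}
```

Run it from a laptop that is off the corporate network (a mobile hotspot will do), because the point is what a field rep's machine sees, not what a domain-joined desktop sees. Every HTTP URL should come back `OK`; an `ldap:///` entry is fine to have alongside for internal machines but must never be the only location, and any `WARN` on the hostname means the CDP/AIA URLs must be fixed on the issuing CA before the certificates are deployed, since the URLs are frozen into each certificate at the moment it is issued.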