
RS1

Preparing a PKI for Internet Based Client Deployment


I implemented a basic SCCM 2007 install for my company quite early on this year and the majority of my learning came from various web-sites and books. I've been asked to replace the system in the first quarter of 2013 and, after Christmas, will begin the necessary research and study to put this into place.

 

However, we've run up against a small snag here and it has become apparent that we'll need to replace our PKI much sooner - perhaps as early as next week.

 

Can anyone advise me please on what sort of design I'd need to be looking at for my PKI so that, when the time comes to implement SCCM 2012, that we're all ready to go?

 

We need to implement an offline root CA and an intermediate CA within our private network. Will we need a third CA in our DMZ for the internet based clients and if so what type?

 

Also, are we OK using Windows Server 2012 for the CA and for the SCCM install or should we be sticking to 2008 R2?

 

Any help here will be appreciated because, as I mentioned, the SCCM install is not something I can dedicate much research time to at the moment as it's not an immediate requirement.

 

Many thanks in advance.


I guess I can worry about that nearer the time, once I've done my own research. The key thing is that, when I put the PKI in next week (focusing primarily on smart cards), it's going to allow me to do what I need with SCCM. I can imagine the look on my boss's face if I were to go in and say "Hey, you know that PKI I built before Christmas? Well, I need to build a new one now and decommission the old one." He'd outright kill me!


All of the machines will be added to the domain at the deployment stage so I can arrange for them to have the certificate fairly quickly. The computers will then go offsite and most of those machines will not come back onto the network again. They go out with our field reps and only come back in when that person leaves the company and the laptop is allocated to another user.

 

That's really what made me think I might need to have a CA in the DMZ, so that the CRLs are available.
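Editor's note, with an added example that is not part of the original thread. The first post asks what the two-tier (offline root plus issuing CA) design needs to look like so that it does not have to be rebuilt for SCCM 2012, and the last post raises the real constraint: laptops are domain-joined once, get their certificate, and then never come back onto the network. Whatever design is chosen, the property that matters for those machines is that the CRL distribution point (CDP) and authority information access (AIA) URLs embedded in the certificates they carry are plain-HTTP URLs that resolve and are reachable from the Internet. Those URLs are written into each certificate at issuance, so they have to be correct on the issuing CA before the first laptop leaves the building; changing them later means reissuing. The script below sets the CDP/AIA lists on an Active Directory Certificate Services issuing CA with certutil and then checks, the way a client would, that the published CRL is fetchable and not expired. It assumes a CA named "Contoso Issuing CA" and an Internet-facing web host "pki.contoso.com", both placeholders, and it relies on certutil printing its English "NextUpdate:" field.

```powershell
# Added example (editor's, not the original poster's). Run as a CA administrator
# on the issuing CA. Placeholders: CA common name and public HTTP host below.
$PublicHost = "pki.contoso.com"                       # assumption: Internet-reachable HTTP host
$CaName     = "Contoso Issuing CA"                    # assumption: issuing CA common name
$LocalShare = "C:\Windows\System32\CertSrv\CertEnroll"

# CA\CRLPublicationURLs flag bits (prefix on each entry):
#   1  = publish CRLs to this location
#   2  = include the URL in the CDP extension of issued certificates
#   4  = include the URL in the Freshest CRL extension (delta CRLs)
#   8  = include the URL in the CDP extension of CRLs
#   64 = publish delta CRLs to this location
# Only the HTTP URL goes into issued certificates. An LDAP:/// CDP is useless to a
# laptop that never sees the domain again and costs a timeout on every chain build.
$CdpUrls = @(
    "65:$LocalShare\%3%8%9.crl",                      # write base + delta CRL to disk (1+64)
    "6:http://$PublicHost/CertEnroll/%3%8%9.crl"      # CDP + Freshest CRL in certs (2+4)
)

# CA\CACertPublicationURLs flag bits:
#   1  = publish the CA certificate to this location
#   2  = include the URL in the AIA extension of issued certificates
#   32 = treat the URL as an OCSP responder
$AiaUrls = @(
    "1:$LocalShare\%1_%3%4.crt",
    "2:http://$PublicHost/CertEnroll/%1_%3%4.crt"
)

function Set-CaPublicationUrls {
    # certutil expects the entries joined by a literal "\n"; in a PowerShell
    # double-quoted string "\n" is exactly that (backtick is the escape char).
    certutil -setreg CA\CRLPublicationURLs ($CdpUrls -join "\n")    | Out-Null
    certutil -setreg CA\CACertPublicationURLs ($AiaUrls -join "\n") | Out-Null
    Restart-Service certsvc                  # registry change is read at service start
    certutil -crl | Out-Null                 # publish a fresh base + delta CRL now
}

function Test-CrlReachability {
    # Fetch the CRL over the same URL a client will use and report NextUpdate, so an
    # expiring CRL (the classic "revocation server is offline" failure) is caught early.
    # Run from a machine OFF the corporate LAN to prove the Internet path works.
    $crlUrl = "http://$PublicHost/CertEnroll/$CaName.crl"
    $tmp    = Join-Path $env:TEMP "check.crl"
    Invoke-WebRequest -Uri $crlUrl -OutFile $tmp -UseBasicParsing
    $dump = certutil -dump $tmp | Out-String   # assumption: English certutil output
    if ($dump -match "NextUpdate:\s*(.+)") {
        $next = Get-Date $Matches[1].Trim()
        [pscustomobject]@{ Url = $crlUrl; NextUpdate = $next; Valid = ($next -gt (Get-Date)) }
    } else {
        throw "Could not parse NextUpdate from $crlUrl"
    }
}

function Test-LeafChain {
    # Full chain build plus revocation check on an issued certificate, retrieving
    # AIA/CDP content from the network exactly as the Windows client does.
    param([Parameter(Mandatory)][string]$CertPath)
    certutil -urlfetch -verify $CertPath
}

# Usage on the CA:      Set-CaPublicationUrls
# Usage from outside:   Test-CrlReachability ; Test-LeafChain -CertPath .\laptop.cer
```

Two practitioner caveats on the design choice. Serve the CRL and CA certificates over plain HTTP, not HTTPS; an HTTPS CDP makes the client validate the web server's certificate, which needs the very CRL it is trying to download. And if the offline root's own CRL has a long validity (typical: months or a year), its CDP must still be reachable from the Internet too, since clients check every link in the chain, not just the leaf.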
