Native Mode
- Hi,
Can I use one certificate for web servers (e.g. Management Points) in a three-tier hierarchy?
I have one AD domain, but I have one Central Site with multiple Primary Sites in there.
Can I also use the same certificate for all my clients?
- Moved by Torsten [MVP], Monday, May 11, 2009 5:00 PM, to the Native Mode subforum (from: Configuration Manager Setup/Deployment)
Answers
- I use one certificate for the site server per site
- Yes, that's correct. Each site server needs its own certificate with a string in the certificate Subject that contains its own site code. This can be achieved with a single certificate template that allows you to supply the certificate Subject at request time.
I use one certificate for my Management Point, Distribution Point and WSUS per site
- If these are all on one server, that's correct. If they are on different servers, each server needs its own certificate. It must have the server name (NetBIOS or FQDN) in the certificate Subject (or SAN).
I use one certificate for my managed clients per site
- Each client needs a certificate with a unique value in the certificate Subject (or SAN), which makes this multiple certificates. However, you can achieve this with a single certificate template and the certificate Subject (or SAN) automatically supplied from Active Directory or DNS at request time with a unique value (such as the FQDN of the computer).
I use one certificate (Root) for OS deployment in all sites
- If you have just one CA hierarchy for all your certificates, that's correct.
And for AMT I use one certificate per site
- For AMT you need 2 types of certificates per site, although you might purchase the AMT provisioning certificate from an external (3rd party) CA. For the AMT computers you need different certificates because each will have the FQDN of the AMT-based computer, but this should be achieved with a single certificate template that is configured with "Supply in the request" (and the site server provides the FQDN of the AMT-based computer). This certificate requires server authentication capability.
If you haven't already seen the step-by-step guides for a test lab, you might find these useful (links in the native mode certificate requirements doc and in the similar document for AMT certificates, http://technet.microsoft.com/en-us/library/cc161874.aspx).
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- Marked as answer by DEUFI, Tuesday, May 12, 2009 10:58 PM
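The requirements in the answer above (a server name in the Subject or SAN, a site code in the site server's Subject, and the Server Authentication EKU) are easy to get wrong when a template is set to "Supply in the request". The following PowerShell audit is an added example, not part of the thread or of Microsoft's documentation: it walks the local machine's personal certificate store and reports which certificates satisfy each requirement. The site code `ABC` is a hypothetical placeholder; the EKU OID for Server Authentication is the standard value. Run it on each site system (or client) and check the columns relevant to that role.

```powershell
# Added example (not from the thread): audit Cert:\LocalMachine\My against the
# native-mode certificate requirements discussed in the answer above.
param(
    # Hypothetical site code; replace with the real code of the site being checked.
    [string]$SiteCode = 'ABC',
    # FQDN the server certificate is expected to carry (resolved from this host).
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (standard OID)

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # DnsNameList merges the Subject CN and every SAN dNSName entry, which is
    # exactly the set of names that can satisfy the "name in Subject or SAN" rule.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $hasServerName = ($names -contains $ExpectedFqdn) -or ($names -contains $env:COMPUTERNAME)

    # An absent EKU extension means "any purpose"; treat that as acceptable but flag it.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasServerAuth = ($ekus.Count -eq 0) -or ($ekus -contains $ServerAuthOid)

    # Site server certificates must carry the site code somewhere in the Subject.
    $hasSiteCode = $cert.Subject -match [regex]::Escape($SiteCode)

    # Verify() builds the chain to a trusted root and checks validity/revocation,
    # which confirms the certificate chains to the single CA hierarchy in use.
    $chainOk = $cert.Verify()

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        DnsNames      = ($names -join ';')
        HasServerName = $hasServerName
        HasServerAuth = $hasServerAuth
        EkuAbsent     = ($ekus.Count -eq 0)
        HasSiteCode   = $hasSiteCode
        ChainValid    = $chainOk
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
    }
} | Format-Table -AutoSize
```

A site server should show at least one row with HasSiteCode, HasServerAuth, ChainValid and HasPrivateKey all true; a management point, distribution point or WSUS server needs HasServerName true instead of HasSiteCode; a client needs its own FQDN in DnsNames. Rows with EkuAbsent true are worth a second look, because such a certificate is usable for any purpose, which is broader than the template should allow.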
All Replies
- I don't think so. We recently had to rebuild our system due to some complications. We put it in native mode. I was watching one of the senior network admins figuring out the cert needed. It looked like the cert was site specific, although I may be wrong.
- You cannot use a single certificate. Use the following information to work out how many unique certificates you will need for Configuration Manager native mode and the certificate requirements: http://technet.microsoft.com/en-us/library/bb680733.aspx
Reply to this thread if you still have questions.
- Carol
This posting is provided "AS IS" with no warranties and confers no rights
- Ok,
I use one certificate for the site server per site
I use one certificate for my Management Point, Distribution Point and WSUS per site
I use one certificate for my managed clients per site
I use one certificate (Root) for OS deployment in all sites
And for AMT I use one certificate per site
Is this right now?