3rd Party Cert

    Question

  • Can you use an external 3rd Party CA (i.e. comodo) for Native Mode certificates in SCCM 2007? 
    Monday, January 12, 2009 4:27 PM

Answers

  • Yes, as Matthew confirmed, you can use public (external) CAs for any or all of your native mode certificates because native mode is PKI-agnostic, supporting version 3 of the x.509 certificate format.  It might be impractical to use public CAs for many computers (each native mode client computer must have a unique certificate) but it is technically possible.  I know that some customers have used a public CA to deploy client certificates for a handful of computers that are on the Internet, and their internal CA for the remaining certificates.

    Identify the certificates that you need from the public CA and use the Certificate Requirements topic (http://technet.microsoft.com/en-us/library/bb680733.aspx) to gather the information you need to give to them - using the columns Certificate Use and Specific Information in the Certificate.  This is where the OID numbers come in use, because these uniquely identify the certificate capability in a format that will be understood by all PKI vendors.

    The CA company will provide their own instructions for requesting and installing the certificates that you need, and usually this involves connecting to their own Web site and filling out their own forms - so exact instructions will differ between companies.  They might also support a standard certificate request file that you can create using Windows certificate tools. 

    It's common practice to use the Subject Alternative Name field (SAN2) when the computer from which you're making the request is not the computer that will be using the certificate - which will often be the case when you're using an online Web form to request a certificate for a server.  This helps to keep track of which computer requested the certificate (so you know which computer to install the certificate on when it is issued, to match up the private/public key pair) and which computer will be actually using it after it is exported.  If the public CA requires you to use a SAN, native mode clients and the site systems running IIS all work with SANs - it doesn't matter whether the value it requires is in the Subject or SAN.  However, the site server signing certificate is a little different because the site code string *must* be in the certificate Subject.  You can specify whatever you want in the SAN if this is required by the public CA, but native mode requires the site code string in the certificate Subject.


    - Carol

    This posting is provided “AS IS” with no warranties and confers no rights.


    Wednesday, January 14, 2009 3:04 PM
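As an added illustration of the Subject-versus-SAN point Carol makes (this is not from the original thread and not Microsoft's own sample), here is a certreq INF file for the site server signing certificate, the one case where the site code string must be in the Subject. It is the "standard certificate request file that you can create using Windows certificate tools" that a public CA may accept instead of its Web form. ABC is a placeholder site code and the hostnames are placeholders; the Subject wording follows the form used in the Certificate Requirements topic, and the SAN carries the server name in case the CA requires one.

```ini
; Constructed example: request for a native mode site server signing certificate.
; Run on the site server as:  certreq -new sitesigning.inf sitesigning.req
; then submit sitesigning.req to the public CA and install the issued
; certificate on the same machine with:  certreq -accept sitesigning.cer

[NewRequest]
; Native mode requires the site code string in the Subject, not only in the SAN.
; "ABC" is a placeholder site code; use your own three-character site code.
Subject = "CN=The site code of this site server is ABC"
KeyLength = 2048
; 0x80 = Digital Signature, which is what a signing certificate needs.
KeyUsage = 0x80
; Store the key in the machine store so the site server service can use it.
MachineKeySet = TRUE
; Exportable so the private/public key pair can be backed up or moved
; if the request is made on a different computer than the one using it.
Exportable = TRUE
RequestType = PKCS10

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension (OID, vendor-neutral).
; Put the server name here if the public CA insists on a SAN; the site code
; above still has to stay in the Subject for native mode to accept the cert.
2.5.29.17 = "{text}"
_continue_ = "dns=siteserver.example.internal&"
_continue_ = "dns=siteserver"
```

After the certificate is issued, check the Subject on the installed certificate (for example, with certutil -dump on the issued file) and confirm that the site code string is in the Subject field and not only in the SAN; a certificate where the CA moved the site code into the SAN will not be accepted as a site server signing certificate.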

All replies

  • Yes, I know of an admin that used a GoDaddy cert for their site.  If I recall you need to modify the SAN2 of the cert at request time.
    I will see if I can contact him and get the info. 


    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Tuesday, January 13, 2009 2:34 AM
  • While I wait for my contact, read up on what Carol wrote.  This is a nice detailed set of info on native mode and 3rd party CAs.


    http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/7d4e5da3-dd7b-4875-8bff-cd92812f7c52/
    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    Tuesday, January 13, 2009 4:02 PM