SCCM PKI Migration

  • Question

  • Hi

    We are changing our PKI infrastructure and as such we need to recreate/enroll the SCCM certificates.

    It seems that SCCM can handle only one certificate so when we change, the clients have a client cert that is coming from another root.

    If we make sure that the clients and SCCM trust both PKI roots and subordinates/issuers, would it be a problem that client and sccm certs are not emitted by the same root or do we need to do a big bang?

    Managing the client side is fairly straightforward by disabling the template on the current PKI and enabling the template on the new PKI. This would allow autoenroll to make sure that clients have a second cert from the new pki. After this is done we could change the SCCM certificate.

    But my question remains, what is the exact prerequisite for the certificates on both clients and SCCM side. Do they need to come from the same PKI or if they trust both PKIs would that also work?

    Thanks

    Jan


    jgs

    Tuesday, May 21, 2019 4:12 PM

Answers

  • It seems that SCCM can handle only one certificate 

    This is not correct. Multiple roots can be added and client certificate selection can also be influenced by the settings on the Client Communication tab of the site's configuration.

    If we make sure that the clients and SCCM trust both PKI roots and subordinates/issuers, would it be a problem that client and sccm certs are not emitted by the same root

    Trust is trust. Any certificate trusted by all parties can be used.

    Do they need to come from the same PKI or if they trust both PKIs would that also work?

    No, as long as the cert is trusted, it can be used.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Proposed as answer by Richard.Knight Tuesday, May 21, 2019 4:29 PM
    • Marked as answer by JanG_ Tuesday, May 21, 2019 4:30 PM
    Tuesday, May 21, 2019 4:24 PM
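
    As an added example (not from the thread or from Jason), a PowerShell check an admin could run on a client before switching the site's certificate: it lists the Client Authentication certificates in the machine store, validates each chain, and flags which ones chain to the new root, so the "clients have a second cert from the new PKI" step can be confirmed rather than assumed. The new root thumbprint is a placeholder to be replaced.

```powershell
# Added example, not from the thread. Run locally on a client (or via Invoke-Command)
# to confirm it already holds a valid Client Authentication certificate that chains
# to the new PKI root before the SCCM site certificate is changed.
# 'NEW-ROOT-THUMBPRINT' is a placeholder; replace it with the new root CA thumbprint.
param(
    [string]$NewRootThumbprint = 'NEW-ROOT-THUMBPRINT'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Only consider certs the client could select for site communication:
    # private key present, Client Authentication EKU, not yet expired.
    if (-not $cert.HasPrivateKey) { continue }
    $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    if ($clientAuthOid -notin $ekus) { continue }
    if ($cert.NotAfter -lt (Get-Date)) { continue }

    # Build the chain with revocation checking; the last element is the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        ChainValid     = $valid
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        FromNewPki     = ($root.Thumbprint -eq $NewRootThumbprint)
    }
    $chain.Reset()
}

$results | Format-Table -AutoSize

# Both PKIs can be trusted side by side; what matters is that a valid cert from
# the new root is present before the old template is retired.
if (-not ($results | Where-Object { $_.FromNewPki -and $_.ChainValid })) {
    Write-Warning 'No valid Client Authentication cert from the new PKI found; autoenrollment has not completed here.'
}
```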

All replies

  • Thanks!

    We'll test

    Greatly appreciate your swift response.


    jgs

    Tuesday, May 21, 2019 4:30 PM