Trusted Root Certification Authorities on site setting - client computer communication tab

  • Question

  • On the client computer communications tab under site server properties, does the "Trusted Root Certification Authorities" need to have a root CA specified in order to use HTTPS only?

    1) Is that automatically populated when you choose HTTPS only, or do you need to set/import a root CA certificate?

    2) Should intermediate CAs be set/imported here too?

    Thanks.

    Tuesday, March 19, 2013 5:53 PM

Answers

  • 1) You must do this. There is no way for ConfigMgr to do this for you.

    2) No. Trust in PKI is defined by root CAs.


    Jason | http://blog.configmgrftw.com

    Tuesday, March 19, 2013 6:38 PM
  • You don't need to add a trusted root certification authority in the ConfigMgr console unless you're doing PXE with HTTPS. If you do add this, the client will only select certificates for authentication that are issued through that trusted root certification authority, so this is something you need to keep in mind.

    Also, whatever certificate you add, however, must be a root -- not intermediate -- certificate. If the client has a certificate issued by an intermediate CA, it will verify trust up through to the root CA specified in the admin console.

    Wednesday, March 20, 2013 6:32 PM
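
A way to check both points from this answer before importing a certificate into the site properties, as an added example that is not part of the original thread or of ConfigMgr: the first function tests whether an exported certificate is a root rather than an intermediate, and the second lists which certificates in the local computer store chain up to it. The function names and the file path are assumptions.

```powershell
# Added example: function names and the .cer path are hypothetical, not ConfigMgr cmdlets.
function Test-IsRootCaCertificate {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # A root is self-issued (subject equals issuer); an intermediate names a different issuer.
    $bc = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        SelfIssued = ($Certificate.Subject -eq $Certificate.Issuer)
        # Old X.509 v1 roots carry no Basic Constraints extension, so report it separately.
        MarkedAsCa = [bool]($bc -and $bc.CertificateAuthority)
    }
}

function Get-CertsChainingToRoot {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Only the chain shape matters here, so skip revocation lookups (works offline).
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.ChainPolicy.ExtraStore.Add($Root)
        [void]$chain.Build($cert)
        # The last chain element is the topmost certificate the chain engine could reach.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            # A certificate without an EKU extension is not restricted to specific usages.
            ClientAuth   = ((-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid))
            ChainsToRoot = ($top.Thumbprint -eq $Root.Thumbprint)
        }
    }
}

# Usage (the path is a placeholder for the certificate exported from your CA):
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\RootCA.cer'
Test-IsRootCaCertificate -Certificate $root
Get-CertsChainingToRoot -Root $root | Format-Table -AutoSize
```

A file that reports `SelfIssued` as false is an intermediate or end-entity certificate, not a root.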
