Can ConfigMgr use publicly trusted certificates?

  • Question

  • Can't find anything on this anywhere so I'm kind of assuming this isn't possible but would be grateful if anyone can confirm or deny this. I have implemented an internal PKI in the past but potentially this could be an easier solution.

    Thanks

    Tuesday, May 24, 2016 5:08 PM

Answers

  • Yes. PKI certs are PKI certs are PKI certs -- there is no difference based upon who issued them -- except cost, ability to easily deploy them, and ability to easily renew them. These three factors are huge because implementing HTTPS client communication in ConfigMgr requires every client that will be using HTTPS to have its own unique client authentication certificate. As noted, this will get expensive quickly and will be painful to deploy and maintain going forward.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by SJBond Wednesday, May 25, 2016 7:48 AM
    Tuesday, May 24, 2016 7:30 PM
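
To see whether a given client already holds a certificate that could fill this role, whichever CA issued it, the following added example (not part of the thread) lists candidates in the computer's Personal store. It assumes the certificate lives in `Cert:\LocalMachine\My`, and it skips revocation checking so that it runs without network access.

```powershell
# Added example: report certificates in the computer's Personal store that
# carry the Client Authentication EKU, with issuer and chain-trust details.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Read the EKU OIDs from the Enhanced Key Usage extension, if present.
    # Example choice: a certificate with no EKU extension is not reported.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if ($ekuOids -notcontains $clientAuthOid) { return }   # next certificate

    # Build the chain against the local trust stores only (assumption of this
    # example: revocation is checked elsewhere).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    $rootSubject = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        TopOfChain    = $rootSubject
        HasPrivateKey = $cert.HasPrivateKey      # required to authenticate
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NotAfter      = $cert.NotAfter           # renewal planning
        Thumbprint    = $cert.Thumbprint
    }
}
```

An empty result means the machine has no certificate with the Client Authentication EKU in that store; the `NotAfter` column shows when each candidate will need renewing.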

All replies

  • Thanks Jason. My point that I thought it might not be possible and that it could be an easier solution was mainly down to the fact that the client could potentially automatically trust the publicly-signed certificate, removing the need for the unique client cert. Obviously if that is still a requirement then as you imply, it makes very little sense to do it this way.
    • Edited by SJBond Wednesday, May 25, 2016 7:52 AM
    Wednesday, May 25, 2016 7:51 AM