SCCM + AMT and SHA-2

  • Question

  • Hi There,

I've been following the MS SCCM guides on getting certificates set up for DPs and AMT provisioning:

    https://technet.microsoft.com/en-gb/library/gg682023.aspx#BKMK_AMT2008_cm2012

    https://technet.microsoft.com/en-gb/library/gg712319.aspx

    https://technet.microsoft.com/en-us/library/gg699362.aspx

Key in all of these documents is the requirement that I use the Windows Server 2003 compatible (V2) templates (it is stated multiple times across all the guides). The trouble is this forces the creation of a certificate using SHA-1, which is now deprecated.

    One of the documents says "we recommend you use SHA-2". So how do we do this while using v2 Templates, or do we no longer need to force v2 templates?

    I post this in an SCCM forum as it is SCCM/AMT that will be consuming these certificates, the folk in Cert Services forum will have no idea what/why the requirements are as they are, and therefore will be unlikely to be able to provide a solution that will work in this specific case.

    Many thanks

    Nick

    Tuesday, August 23, 2016 10:07 AM

Answers

  • No, it doesn't force SHA-1 hashing for the certificate. That is dependent upon how you have your CAs set up. It does force the use of a CSP instead of a KSP though. 

    Also, don't confuse certificate usage for HTTPS client communication with that for AMT. They have two different sets of requirements. AMT integration requires SHA-1 certs -- this is explicitly listed in the third page that you linked. Also, AMT integration has nothing to do with DPs.

    Finally, AMT integration is deprecated and not included in the latest version of ConfigMgr (ConfigMgr CB as of build 1511) so going down this path is more or less of a dead-end anyway.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by Nick B (SNS) Wednesday, August 24, 2016 10:13 AM
    Tuesday, August 23, 2016 3:07 PM
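A defender-side check that follows Jason's point: the V2 template pins the key to a legacy CSP, while the hash algorithm comes from how the issuing CA is configured. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 and that the DP/AMT certificates were enrolled into the LocalMachine\My store.

```powershell
# Audit the local machine's personal store: for each certificate report its
# signature hash, the hash of every CA in its chain, the template it came from,
# and whether the private key lives in a legacy CSP or a CNG KSP.
# (On the CA itself the signing hash is shown by: certutil -getreg ca\csp\CNGHashAlgorithm)
$store = 'Cert:\LocalMachine\My'   # assumption: DP / AMT certs were enrolled here

function Get-KeyProviderKind {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'no private key' }
    # CryptoAPI (CSP) keys expose .PrivateKey; CNG (KSP) keys return $null or throw here
    try {
        $csp = $Cert.PrivateKey.CspKeyContainerInfo
        if ($csp) { return "CSP: $($csp.ProviderName)" }
        return 'KSP (CNG)'
    } catch { return 'KSP (CNG)' }
}

foreach ($cert in Get-ChildItem $store) {
    # Build the chain so the CA certificates that signed this cert are inspected too
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit, only algorithms matter here
    [void]$chain.Build($cert)
    $sha1Links = $chain.ChainElements |
        Where-Object { $_.Certificate.SignatureAlgorithm.FriendlyName -match 'sha1' } |
        ForEach-Object { $_.Certificate.Subject }

    # OID 1.3.6.1.4.1.311.21.7 is the V2 "Certificate Template Information" extension
    $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $template = if ($tplExt) { $tplExt.Format($false) } else { '(none / V1 template)' }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Template     = $template
        SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA vs sha256RSA
        Provider     = Get-KeyProviderKind -Cert $cert
        Sha1InChain  = ($sha1Links -join '; ')
    }
}
```

A cert whose own SigAlgorithm is sha256RSA but whose Sha1InChain lists the issuing CA is the situation Nick describes: the template was fine, the CA's hash setting was not.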

All replies

  • Jason, thanks for this. It clears things up for me.

    It turns out our Enterprise root CA is sha-1 so that is something to look at (oh joy).

    I was conflating the HTTPS client communication and AMT certificates.

I did not realise that AMT integration was deprecated in SCCM.

    I'm off down the following rabbit holes now:


    Thanks again

    Nick

    Wednesday, August 24, 2016 2:33 PM