
JamesyWamesy-8896 asked:

PKI cert renewal: what is required in SCCM?

I will be renewing the certs of our two-tier PKI in the next month as the offline root CA cert expires soon. I have built a list of all systems where we need to update manually issued certs or where the new CA cert will need to be added to replace the existing one.
Our SCCM environment has a primary site server with distribution points dotted around our branch offices and an external DP in our DMZ for remote workers. I'd like to know if (besides what I have outlined below) there is anywhere else in SCCM that could possibly require an update to the certificate services post renewal.

So far what I can see is:

  • The primary site server has a copy of the CA cert to validate clients that communicate with it and will need the new CA cert added here.

  • The branch DPs do not require any certs to be updated as they communicate with the site server and clients over HTTP.

  • The external DP does use HTTPS and requires a manually issued certificate and key, presented via the primary site server.

Thanks in advance.



mem-cm-general


JamesyWamesy-8896 answered:

Hi Jason-MSFT,

Thanks for the reply. I know that every cert will need to be replaced, which is what this project is managing. This was just one of those systems that I have on a list where we can't just run re-enroll certificate holders or issue a command to update via certutil, and on which I want to make sure we have not missed anywhere that a cert might need to be managed.

The link you sent is very helpful. I will go through it and compare with the components of our SCCM we have enabled and make sure we update accordingly.

Thanks again.



Jason-MSFT answered (edited):

If your CA certs are expiring, then every cert issued from these CAs is also expiring, so you need to reissue every single cert. Without knowing your site's complete configuration, there's no way to enumerate what all of those certs are; however, the list of possibilities is part of the official docs at https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/pki-certificate-requirements.


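One way to build the per-system inventory the question describes and to act on the answer's point that every cert chaining to the expiring CA is affected, as an added example that is not from this thread or from Microsoft's docs: run on the site server or a DP, this PowerShell script lists machine-store certificates whose chain contains the expiring root CA (placeholder name 'Contoso Offline Root CA') or whose chain expires before a cutoff, and flags which ones hold a private key (re-enrollment needed) versus CA certs that only need the renewed CA cert added.

```powershell
# Added example, not from the thread. Assumptions: the root CA subject contains the
# placeholder 'Contoso Offline Root CA'; the cutoff defaults to 60 days from today.
# Run in an elevated session so LocalMachine stores are readable.
param(
    [string]$RootCaSubjectMatch = 'Contoso Offline Root CA',   # placeholder, replace with your root CA name
    [datetime]$Cutoff = (Get-Date).AddDays(60)
)

$stores = 'My', 'Root', 'CA', 'TrustedPeople'
$results = foreach ($storeName in $stores) {
    foreach ($cert in Get-ChildItem -Path "Cert:\LocalMachine\$storeName") {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Inventory only: skip revocation checks and tolerate partial chains so every cert is listed
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        $null = $chain.Build($cert)

        $elements = $chain.ChainElements | ForEach-Object { $_.Certificate }
        $chainsToOldRoot = [bool]($elements | Where-Object { $_.Subject -like "*$RootCaSubjectMatch*" })
        # The chain is only as good as its soonest-expiring element
        $soonestExpiry = ($elements | Sort-Object NotAfter | Select-Object -First 1).NotAfter

        if ($chainsToOldRoot -or $soonestExpiry -lt $Cutoff) {
            [pscustomobject]@{
                Store           = $storeName
                Subject         = $cert.Subject
                Thumbprint      = $cert.Thumbprint
                HasPrivateKey   = $cert.HasPrivateKey        # true: re-enroll; false: replace with new CA cert
                ChainExpires    = $soonestExpiry
                ChainsToOldRoot = $chainsToOldRoot
                EKU             = ($cert.EnhancedKeyUsageList.FriendlyName -join ';')
            }
        }
        $chain.Dispose()
    }
}

$results | Sort-Object ChainExpires | Format-Table -AutoSize
```

Running it on the primary site server, each HTTPS DP and the CMG/external DP and comparing the output against the PKI certificate requirements page gives a concrete checklist of what to re-enroll and where to import the renewed CA cert.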