SCCM Training part 4

Topic:  SCCM HTTPS, IBCM, CloudDP, and Cloud Management Gateway

https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates

https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements

https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

https://blogs.technet.microsoft.com/arnabm/2016/12/19/step-by-step-cloud-management-gateway/

https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/install-cloud-based-distribution-points-in-microsoft-azure

Question: do you have to reinstall the client after IBCM? Answer: Yes

SCCM Training–Part 3

Followed this guide and built an Azure Dev Test Lab – https://www.verboon.info/2017/02/deploying-configmgr-current-branch-in-azure-dev-test-lab/

Another great link for lab environments: https://technet.microsoft.com/en-us/windows/mt604890.aspx

Good link from Brian Mason on OCSP! Do it!!

https://arstechnica.com/information-technology/2017/07/https-certificate-revocation-is-broken-and-its-time-for-some-new-tools/

Save this link for the rest of your life!!! Perfect step by step on setting up a two-tier PKI environment and OCSP.

I would provide more notes, but honestly the link has it all.

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

The one thing I would change is the CAPolicy.inf files the guide references.

The Offline RootCA CAPolicy.inf should look like this (the file must begin with the [Version] section or the settings are not read):

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
AlternateSignatureAlgorithm=0

The other stuff they have in the guide is meant more for an internet-facing PKI, which you are not building.

I would install the Offline RootCA as follows:

On the offline root machine install ADCS – Certificate Authority

Standalone CA

Root CA

Configure new Private Key

RSA#Microsoft Software Key Storage Provider

SHA2

Key length 4096

Name of CA: azEmptyGardenRootCA

Validity period: 20 Years

Database location: default

RootCA Post Installation

Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=azEmptyGarden,DC=BTLS"
Certutil -setreg CA\CRLPeriodUnits 6
Certutil -setreg CA\CRLPeriod "Months"
Certutil -setreg CA\CRLDeltaPeriodUnits 0
Certutil -setreg CA\CRLOverlapUnits 12
Certutil -setreg CA\CRLOverlapPeriod "Hours"
Certutil -setreg CA\ValidityPeriodUnits 20
Certutil -setreg CA\ValidityPeriod "Years"

(The overlap count is stored in the registry value CRLOverlapUnits; the CRLOverlapPeriodUnits name used in the wiki guide is not a value the CA service reads, so setting it has no effect. CRLDeltaPeriodUnits 0 turns delta CRLs off, which is what you want on an offline root.)

NOTE: A CRLPeriod of 6 months means the Offline RootCA needs to be booted at least once every six months to publish a new CRL and copy it to the SubordinateCA before the current CRL expires. If the root CRL lapses, every certificate issued below it fails revocation checking.
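Added example, not from the original post: a PowerShell check you can run on the offline root after the certutil lines above, which reads the values they are supposed to leave in the CA registry and reports how many days the currently published base CRL has left. It assumes an elevated PowerShell session on the root CA, that the CA name is read from the CertSvc "Active" registry value, that certutil prints English labels, and a hypothetical $CrlPath pointing at the published base CRL (the default path below is a guess at where the CA writes it and is not taken from the post).

```powershell
# Added example (not the post's own code): verify the root CA's CRL registry settings
# and warn when the published base CRL is close to expiry.
# Assumptions: run elevated on the root CA; English certutil output; $CrlPath is a
# hypothetical location of the published base CRL.
param(
    [string]$CrlPath  = 'C:\Windows\System32\CertSrv\CertEnroll\azEmptyGardenRootCA.crl',
    [int]   $WarnDays = 30
)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$ca      = Get-ItemProperty -Path (Join-Path -Path $cfgRoot -ChildPath $caName)

# What the certutil -setreg CA\... lines are meant to write. Note the overlap count
# lives in CRLOverlapUnits; a value named CRLOverlapPeriodUnits is ignored by the CA.
$expected = [ordered]@{
    DSConfigDN          = 'CN=Configuration,DC=azEmptyGarden,DC=BTLS'
    CRLPeriodUnits      = 6
    CRLPeriod           = 'Months'
    CRLDeltaPeriodUnits = 0          # 0 = delta CRLs disabled
    CRLOverlapUnits     = 12
    CRLOverlapPeriod    = 'Hours'
    ValidityPeriodUnits = 20
    ValidityPeriod      = 'Years'
}

$mismatch = 0
foreach ($name in $expected.Keys) {
    $actual = $ca.$name
    if ("$actual" -eq "$($expected[$name])") { $flag = 'ok' }
    else { $flag = 'MISMATCH'; $mismatch++ }
    '{0,-20} {1,-45} {2}' -f $name, $actual, $flag
}

# Read ThisUpdate/NextUpdate from the published CRL via certutil -dump.
if (-not (Test-Path -LiteralPath $CrlPath)) {
    Write-Warning "No published CRL found at $CrlPath"
    exit 2
}
$dump  = certutil -dump $CrlPath
$match = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
if (-not $match) { throw "certutil -dump did not report a NextUpdate for $CrlPath" }

$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
$daysLeft   = [math]::Floor(($nextUpdate - (Get-Date)).TotalDays)
'Published CRL is valid until {0:u} ({1} days left)' -f $nextUpdate, $daysLeft

if ($daysLeft -lt $WarnDays) {
    Write-Warning ("Boot the offline root, run 'certutil -crl', and copy the new CRL " +
                   "to the issuing CA before the current CRL expires.")
}

# Non-zero exit when a setting is wrong or the CRL is about to lapse, so this can be
# dropped into a scheduled task on the issuing CA side of the air gap as well.
exit ([int]($mismatch -gt 0 -or $daysLeft -lt $WarnDays))
```

The registry comparison is the part worth keeping: certutil -setreg happily creates any value name you give it, so a typo in the name produces no error and the CA silently keeps its default. The expiry check uses certutil -dump on the .crl file because Windows PowerShell has no built-in CRL parser.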

Subordinate CA – CAPolicy.inf file

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
AlternateSignatureAlgorithm=0

Subordinate CA install

Install ADCS – This will be the Subordinate CA

Certification Authority only

Configure the Certification Authority

Enterprise CA

Subordinate CA

Create a new private key

Key length: 4096

Name of CA: azEmptyGardenIssuingCA
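Added example, not from the original post: once the subordinate CA's certificate has been signed by the offline root and installed, this PowerShell script builds the certificate's chain with online revocation checking and prints every element and status, which catches a root that is missing from the trust store and CRL/AIA locations that clients cannot reach. It assumes it runs on the subordinate CA, that the CA certificate is in the LocalMachine\My store under the common name used above, and that the root CA name is azEmptyGardenRootCA; the root has no CDP of its own, so revocation is checked for the issuing CA certificate only.

```powershell
# Added example (not the post's own code): validate the issuing CA's certificate chain
# and revocation reachability after the subordinate CA install.
# Assumptions: run on the subordinate CA; CA cert in Cert:\LocalMachine\My;
# the names below are the lab names used in the post.
param(
    [string]$CaCommonName   = 'azEmptyGardenIssuingCA',
    [string]$RootCommonName = 'azEmptyGardenRootCA'
)

# Newest certificate with the CA's common name (there may be more than one after renewal).
$caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CaCommonName" -or $_.Subject -like "CN=$CaCommonName,*" } |
    Sort-Object -Property NotBefore -Descending |
    Select-Object -First 1
if (-not $caCert) { throw "No certificate with CN=$CaCommonName in Cert:\LocalMachine\My" }

$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'       # actually fetch the CRL/OCSP data
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'  # root is self-signed, has no CDP
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$chain.ChainPolicy.VerificationFlags   = 'NoFlag'

$valid = $chain.Build($caCert)
'Chain for "{0}" built without errors: {1}' -f $caCert.Subject, $valid
foreach ($element in $chain.ChainElements) {
    '  {0}  (expires {1:d})' -f $element.Certificate.Subject, $element.Certificate.NotAfter
    foreach ($status in $element.ChainElementStatus) {
        '      {0}: {1}' -f $status.Status, $status.StatusInformation.Trim()
    }
}

$problems = @()
$count = $chain.ChainElements.Count
if ($count -ne 2) {
    $problems += "expected 2 certificates in the chain (issuing CA, root), got $count"
}
if ($count -gt 0) {
    $top = $chain.ChainElements[$count - 1].Certificate.Subject
    if ($top -ne "CN=$RootCommonName" -and $top -notlike "CN=$RootCommonName,*") {
        $problems += "chain does not end at $RootCommonName but at: $top"
    }
}
foreach ($status in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation here means clients will not be able
    # to check revocation either: fix the CDP/AIA URLs before pointing SCCM at this CA.
    $problems += '{0}: {1}' -f $status.Status, $status.StatusInformation.Trim()
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Issuing CA certificate chains to $RootCommonName and its revocation data is reachable."
```

Run it from a domain-joined client as well as from the CA itself: the CA host has the root in its store by construction, while a client only trusts the root if the root certificate was published to Active Directory or pushed by Group Policy, and only reaches the CRL if the CDP URL is something a client can resolve.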