Certificate Requirement for OSD (Native Mode)
Hi,

We are in the process of deploying a PXE point in Native Mode, so I read the following articles:

1. http://technet.microsoft.com/en-us/library/bb633147.aspx
2. http://technet.microsoft.com/en-us/library/bb680501.aspx
3. http://technet.microsoft.com/en-us/library/bb632596.aspx
4. http://technet.microsoft.com/en-us/library/bb632961.aspx
5. http://technet.microsoft.com/en-us/library/bb680733.aspx

After reading these articles, and considering our SCCM environment, which contains the following components: a Windows 2003 AD forest with the following domain structure:

1. Root Domain
2. Child Domain1 (child of Root Domain)
3. Child Domain2 (child of Root Domain)

We are deploying SCCM in native mode in Child Domain1 (Domain Functional Level is Windows Server 2003). We have all the components involved in the SCCM infrastructure (Windows 2003 Ent. Root CA and its Subordinate CA, DCs available locally, Windows XP + Windows 2003 + Windows 7 + Windows 2008 systems) in Child Domain1. The Subordinate CA is being used for issuing certificates.

My queries are:

1. What certificates other than SCCM client certificates are needed specifically for OSD? As per my understanding we require the Root CA (not Subordinate CA) certificate to be exported using any system and imported in the SCCM Console on the Primary Site Server (Right-Click Site-->Properties-->Site Mode-->Specify Root CA Certificates). Please add if the Subordinate CA certificate is also required to be added here.

2. As per the article http://technet.microsoft.com/en-us/library/bb632961.aspx we need to create a separate certificate using the computer template or the workstation template. We need to specify a unique Subject Name or SAN as mentioned in the lines: "Because of this behavior, consider creating the certificate with a unique attribute for identification (such as custom Subject Name or Subject Alternative Name)". What should be the name specified in the Subject Name or SAN property of the certificate?

3. We have the SCCM site running in Native Mode; can we use OSD to deploy images if we select the option to use a self-signed certificate during the configuration of the PXE role, or do we need a certificate from our own internal CA for this purpose?

4. At what points in the OSD feature usage do we need this certificate, as said in the following lines: "If you are using a PXE service point, import the exported certificate as part of the database configuration properties. If you are creating boot media, import the exported certificate on the Security page of the Task Sequence Media wizard"

Regards,
Taranjeet Singh zamn
November 12th, 2010 12:51am

I will try answering the questions to the best of my knowledge. You might want to wait for someone else to confirm.

1. Only the Root CA certificate and the OSD certificate you mentioned in question 2 are required specifically for OSD. No need for the Sub CA certificate.

2. Call it anything other than a name particular to a client computer. As mentioned, this will be shared by all of your clients. Even "OSD PXE Client Certificate" will do.

3. You cannot use a self-signed certificate if your site is running in native mode. You will need the certificate from your PKI.

4. The OSD client certificate will be used along with the boot file downloaded by the client to authenticate itself to the server that will provide access to the task sequence. In other words, the certificate will be required as soon as the client boots using the boot image and requests task sequence information.

Mayur
November 12th, 2010 12:09pm

Thanks Mayur for the answer, but I am still not clear about Point 1 and Point 2.

Doubt about Point 1: We have an internal PKI CA hierarchy containing an Enterprise Root CA and an Enterprise Subordinate CA (both W2K3 Ent SP2). We are using the Subordinate CA to issue all other certificates for SCCM (Site Server, Web Server, and SCCM Client certificates). Now the TechNet article http://technet.microsoft.com/en-us/library/bb632596.aspx says that we need to import the Root CA certificate in the SCCM Console on the Primary Site Server (at the following place: Right-Click Site-->Properties-->Site Mode-->Specify Root CA Certificates). My question is (considering our PKI hierarchy containing a Root CA and a Subordinate CA, and the Subordinate CA being used for generating SCCM certificates): do we need to import only the Root CA certificate in the SCCM Console, or do both the Root CA certificate and the Subordinate CA certificate need to be imported in the SCCM Console?

Doubt about Point 2: As you said, we can name this certificate anything ("Call it anything else other than a name particular to a client computer. As mentioned, this will be shared by all of your clients. Even OSD PXE Client Certificate will do"). As per my understanding this certificate would be needed when:

a. "You are using a PXE service point, import the exported certificate as part of the database configuration properties"
b. "If you are creating boot media, import the exported certificate on the Security page of the Task Sequence Media wizard"

>>> If we create this certificate with any bogus name (one that does not exist, as you suggested), can we then get this certificate issued to any machine whose name will not match the Subject Name of this certificate (for the purpose of importing it in the Database Configuration properties of the PXE point)?

>>> And when this certificate is used by OSD clients, will the name of the certificate not be checked to see if it matches something like the PXE service point? (Maybe I am sounding weird, but I really have no idea about PKI concepts.)

>>> I understand (correct me if I am wrong, since I am not sure about this) that we have to get this certificate issued with the name of our PXE service point (which in our case is hosted separately from the Site Server). Does this certificate's name (Subject Name) have anything to do with the PXE point's computer name?

The last 2 points are clear. Thanks for your help.

Regards,
Taranjeet Singh zamn
November 13th, 2010 3:05am

1. My understanding is that you only need the Root CA certificate, as it reads "Specify Root CA Certificates". (All of your certificates terminate in the Root CA certificate. This step only requires you to specify the Root CA certificate.) It worked well for me. You might want to give it a shot first and then import the Sub CA certs if you see any problem.

2. It does not matter what computer account the certificate was issued to, as long as the client can present a certificate that matches the certificate on your PXE service point. It does not have to be issued to your PXE server. Both of these steps are very straightforward. See this if you need help.

Mayur
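A check an admin could run before doing the two imports discussed above, written here as an added example (it is not from this thread or from Microsoft): it loads the exported OSD client certificate, confirms it chains through the Subordinate CA to a single self-signed Root CA, and saves that Root CA certificate as a .cer file for the site's "Specify Root CA Certificates" list. The file paths and the password prompt are assumptions, and it assumes a domain-joined machine that already trusts the internal PKI.

```powershell
# Added example (not from the thread). Paths are placeholders.
$pfxPath   = 'C:\Certs\OSDClient.pfx'   # placeholder: exported OSD client cert (with private key)
$rootOut   = 'C:\Certs\RootCA.cer'      # placeholder: where the Root CA certificate is written
$pfxSecret = Read-Host -Prompt 'PFX password' -AsSecureString

# Load the leaf certificate from the PFX without installing it in any store.
$leaf = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $pfxPath, $pfxSecret, 'DefaultKeySet'

Write-Host "Leaf subject : $($leaf.Subject)"   # the shared name, not a particular computer name
Write-Host "Leaf issuer  : $($leaf.Issuer)"    # expected to be the Subordinate CA, not the Root

# Build the chain using the machine's trusted roots; revocation is a separate concern here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($leaf)

Write-Host 'Chain (leaf first):'
foreach ($element in $chain.ChainElements) {
    Write-Host ("  {0}" -f $element.Certificate.Subject)
}

if (-not $built) {
    # PartialChain means the Subordinate CA certificate could not be located;
    # any other status means the leaf does not chain to a trusted root at all.
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    throw 'The OSD client certificate does not chain to a trusted Root CA.'
}

# The last element is the self-signed Root CA: the only CA certificate the site needs
# under "Specify Root CA Certificates". Only the public part is exported.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) {
    throw 'Top of the chain is not self-signed; check the CA hierarchy.'
}
[System.IO.File]::WriteAllBytes($rootOut, $root.Export('Cert'))
Write-Host "Root CA certificate written to $rootOut : $($root.Subject)"
```

If the chain stops at the Subordinate CA with a PartialChain status, the Sub CA certificate is missing from the machine's intermediate store, which is a trust-path problem on that machine rather than a reason to add the Sub CA to the site's root list.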
November 15th, 2010 10:35am
