Certificate requirement for IBCM

Hi Team,

One of our customers has Config Manager 2012 R2. They don't have a PKI environment and they don't have a CA. They want to use the Config Manager Internet-based client management feature for their users. Please let me know how to go about setting it up, keeping in view that they don't have a CA. Is it possible to use certificates from an external vendor, and what are the places we need to place these certificates (MP role, DP roles, etc.)? Any recommendation for an external vendor who issues such certificates? Any suggestions will be appreciated.

Regards,

September 10th, 2015 6:45am

Possible, yes. Practical, no.

In your list, you've missed the fact that it's not just roles that need certs. Each managed client system must have its own unique client auth cert also. This will get very expensive, very quickly and will also be a recurring cost since certs expire. Also, because they are recurring, you will also face a logistical challenge of renewing the certs on the clients every year. As an example, let's say a client auth cert costs $100/year and you are managing 500 systems; that's $50,000 per year. Now, I honestly have no idea what a client auth cert costs, but that's not a cost most folks would want to pay every year for something that they can and should do themselves at very little ongoing cost.

Yes, a PKI can be a bit challenging to set up and maintain -- not because a PKI in and of itself is difficult but because very few people understand PKI and so many people screw it up -- but the customer will be far better off if they bring in a PKI-smart person to set up a robust PKI that will support IBCM as well as other certificate needs they have now and *will* have in the near future.

September 10th, 2015 8:06am

Hi Jason/Team,

So setting up their CA doesn't necessarily mean that the customer has to go for a full-fledged PKI environment? Can they just have their own CA set up and just use it for IBCM? Is it something that is achievable (just have CA certificates for clients that are supposed to be IBC)? Any suggestions or recommendations? As you said, PKI and certificates are something that is not easy to understand most of the time, just wondering if they can just have it for IBC. Thanks.

Regards,

September 10th, 2015 11:41pm

A CA implies a PKI -- basically that's what it means to have a PKI. What you use that PKI for is up to you/the customer. If you just want to use it for IBCM certs, sure that's fine.

Two points though:

- It would be short-sighted to do this as PKIs are becoming increasingly important for many, many different purposes and applications in corporate environments.

- Make sure someone PKI-smart designs and implements the PKI. I have seen so many bad implementations simply because the implementer was learning on the fly. This does *not* work as there are multiple decisions to be made that only an experienced PKI designer/implementer is equipped to handle. The decision points are difficult or even impossible to reverse.

September 11th, 2015 10:17am
