KadeWilliams-9468 asked:

Can SSCM issue cert to client on another domain?

Domain A has a Root CA and SubCA. Domain B does not have a CA. Both domains are on a local network. Is it possible for SCCM in Domain A to issue a cert to a client machine in Domain B? Would this require that Domain B have its own Subordinate CA that uses Domain A's Root CA? Is there a way to perform this process without Domain B having a CA?


Are these domains part of same AD forest or not?

Is it possible for SCCM in Domain A to issue a cert to a client

SCCM does not issue certificates to clients.


No, they are not part of the same forest.

Here's the situation. I'm in Domain B and I actually do have a general Root CA and Subordinate CA. The SCCM team from Domain A is saying that we need to create a second Sub CA in Domain B for their use only. They want this done so they can issue certificates with the same chain as their Domain A CA.

I don't understand why they need this. Can't the SCCM team just add the Domain B's current CA and Sub CA to the SCCM server certificate store?

Crypt32 (replying to KadeWilliams-9468):

I think it would be easier to deploy a subordinate CA in Domain B. However, it may not be very practical either, depending on whether Domain B clients can reach the CDP/AIA (CRL) endpoints. If they can't, then it would be more reasonable for Domain B to have its own CA tree.

Can't the SCCM team just add the Domain B's current CA and Sub CA to the SCCM server certificate store?

No, because they most likely need to issue SCCM client authentication certificates for non-domain machines. As I said, SCCM does not issue certificates; they need to have a CA.

Either way, you both (you and the SCCM team) need to have a clear understanding of what you need, and then, depending on your exact needs, you will have to evaluate your existing CA configurations (especially the CDP and AIA endpoints) and AD forest trusts. Only then can you define an acceptable solution. Currently the description is vague and there are too many unknown inputs.


1 Answer

KadeWilliams-9468 answered:

Thank you for your help. I finally had a meeting with the SCCM team and figured out that they were wanting to create and deploy certificates with a GPO on my domain. I'm guessing it's the "Public Key Policies" setting. I need to verify that. That would be set to create certificates using this secondary subordinate CA.

I found a guide for setting up cross-forest certificate enrollment and was going to analyze that:
https://social.technet.microsoft.com/wiki/contents/articles/14715.test-lab-guide-mini-module-cross-forest-certificate-enrollment-using-certificate-enrollment-web-services.aspx

If that doesn't seem like a good option, I'll do what you said and examine CDP/AIA endpoints.
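Crypt32's comment and the answer above both come down to one check: can a Domain B client actually reach the CDP/AIA URLs baked into a certificate issued by Domain A's CA? The script below is an added example, not code from this thread or from Microsoft; it assumes a Domain A-issued certificate has been exported to the placeholder path `C:\temp\domainA-issued.cer` and is run from a Domain B machine.

```powershell
# Added example (not from the thread): list the CDP/AIA URLs in a certificate
# issued by Domain A's CA and test whether this Domain B client can reach them.
param([string]$CertPath = 'C:\temp\domainA-issued.cer')   # placeholder path, assumed

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# OID 2.5.29.31 = CRL Distribution Points (CDP); 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA)
$targets = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

$urls = foreach ($ext in $cert.Extensions) {
    if ($targets.ContainsKey($ext.Oid.Value)) {
        # Format($true) renders the extension as multi-line text; pull every HTTP/LDAP URL out of it
        [regex]::Matches($ext.Format($true), '(?i)\b(https?|ldap)://[^\s"]+') | ForEach-Object {
            [pscustomobject]@{ Type = $targets[$ext.Oid.Value]; Url = $_.Value }
        }
    }
}
if (-not $urls) { Write-Warning "No CDP/AIA URLs found in $CertPath"; return }

$results = foreach ($u in $urls) {
    $ok = $false; $detail = ''
    try {
        if ($u.Url -match '^(?i)ldap:///') {
            # Server-less LDAP URL: Windows resolves it against the client's OWN forest (Domain B),
            # where Domain A's CRLs and CA certs are not published, so it will not help a Domain B client.
            $detail = 'server-less LDAP URL, resolved via Domain B AD (Domain A objects absent)'
        } elseif ($u.Url -match '^(?i)ldap://([^/:]+)(?::(\d+))?/') {
            # LDAP with an explicit host: at least check that the directory port is reachable
            $port = if ($Matches[2]) { [int]$Matches[2] } else { 389 }
            $ok = Test-NetConnection -ComputerName $Matches[1] -Port $port -InformationLevel Quiet
            $detail = "TCP $port " + $(if ($ok) { 'open' } else { 'closed/unreachable' })
        } else {
            # HTTP(S): a HEAD request is enough to prove the CRL / issuer-cert endpoint answers
            $r = Invoke-WebRequest -Uri $u.Url -Method Head -UseBasicParsing -TimeoutSec 10
            $ok = ($r.StatusCode -eq 200); $detail = "HTTP $($r.StatusCode)"
        }
    } catch { $detail = $_.Exception.Message }
    [pscustomobject]@{ Type = $u.Type; Url = $u.Url; Reachable = $ok; Detail = $detail }
}
$results | Format-Table -AutoSize

# Authoritative check: let Windows build the chain and fetch every CDP/AIA URL itself
certutil -verify -urlfetch $CertPath | Select-String 'Verified|Failed|Error|Revocation'
```

Any row that is not reachable from Domain B means chain building and revocation checking will fail on those clients, which is exactly the case where Crypt32 suggests Domain B should run its own CA tree (or the CDP/AIA locations must be changed to something both domains can reach).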
