Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Posts Tagged ‘Certificate Authority’

2017: The Year that SHA1 Gets Deprecated


Hello all! Wishing everyone an advance Happy New Year! And what’s so special about 2017? Quite a number of vendors are deprecating SHA1! So if your job involves managing your company’s CA, then I sincerely hope you have managed to get rid of all your SHA1 certs.



jay paloma  |  05 dec 2016  |  manila


Written by jpaloma

December 5, 2016 at 5:23 PM

Implementing HTTPS on Configuration Manager 2012 R2 – Certificates


Here are some first-hand insights on implementing HTTPS on Configuration Manager 2012 R2.

You require 3 certificate templates:

  • Server Authentication Certificate. This is your standard SSL certificate template, but bear in mind that the Reporting Services Point has a requirement that is easily overlooked: its Alternate Subject Name should use the DNS name format instead of the default Fully Distinguished Name format. Since the DNS name format does not conflict with any other SCCM requirement, make sure that your Alternate Subject Name follows it so you can use this same template when you implement HTTPS on the RSP. This certificate is used on all your MPs, DPs, SUPs, RSPs, and even the Application Catalog if you also covered all other FQDN options for your Application Catalog Server.
  • Client Authentication Certificate. This is the client certificate that you will issue on all your clients.
  • Client Authentication Certificate with an Exportable Private Key. Once you convert your DP to HTTPS, you will be asked for a .pfx file. This template is used to create the certificate that you will eventually export as a .pfx file. Don’t use it in place of the Client Authentication Certificate above, because this template allows the private key to be exported. You don’t want rogue, exported client certificates floating around.

Windows Server Update Services (WSUS) / Software Update Point (SUP). Note that the TCP ports used by WSUS are different (HTTP is TCP 8530, HTTPS is TCP 8531). The minor snag with WSUS/SUP is that you cannot enforce SSL all the way, and that HTTPS imposes an additional 10% performance degradation on your machine. Chances are this SUP is also your DP and MP, so be aware.

SQL Server Reporting Services (SSRS) / Reporting Services Point (RSP). Note the special requirement for the RSP certificate template; see “Server Authentication Certificate” above.
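
One way to check issued certificates against the template requirements above, as an added example that is not from the original post: this PowerShell reads the machine's Personal store on a site system and flags Server Authentication certificates that have no DNS entry in the alternate subject name, plus any certificate still signed with SHA1. The function name `Get-CertAuditRecord` is hypothetical, and matching on the `DNS Name=` label assumes an English-language Windows installation.

```powershell
# Added example (not the blog author's code). Run on an MP, DP, SUP or RSP server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-CertAuditRecord {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Collect the Enhanced Key Usage OIDs present on the certificate.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Pull DNS entries out of the SAN extension. Format($true) prints one entry
    # per line; the "DNS Name=" label is the English rendering (assumption).
    $dnsNames = @()
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($sanExt) {
        $dnsNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }

    $isServerAuth = $ekuOids -contains $ServerAuthOid
    [pscustomobject]@{
        Subject       = $Cert.Subject
        ServerAuth    = $isServerAuth
        ClientAuth    = $ekuOids -contains $ClientAuthOid
        SanDnsNames   = $dnsNames -join ', '
        # The RSP requirement: a server certificate must carry a DNS-format name.
        MissingDnsSan = $isServerAuth -and ($dnsNames.Count -eq 0)
        # SHA1-signed certificates (sha1RSA, sha1ECDSA) are the ones to reissue.
        Sha1Signed    = $Cert.SignatureAlgorithm.FriendlyName -match '^sha1'
        NotAfter      = $Cert.NotAfter
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CertAuditRecord -Cert $_ } |
    Sort-Object MissingDnsSan, Sha1Signed -Descending |
    Format-Table -AutoSize
```

Rows with `MissingDnsSan` or `Sha1Signed` set to True sort to the top; those are the certificates to reissue from a corrected template.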

Written by jpaloma

November 7, 2015 at 5:28 PM