Microsoft

System Center Configuration Manager Feedback

How can we improve Configuration Manager?

Support V3 and newer certificate templates for HTTPS mode

Hi,

PKI: Make V3 Template compatible with SCCM Current Branch.

67 votes
    Bharat Chand shared this idea

    15 comments

      • ARENE commented

        Hello,
        Will it be possible in the future to use the CNG API instead of the Crypto API for the next version?
        Thank you

      • Anonymous commented

        Please enable use of the V3 templates with SCCM Current Branch. Requiring the V2 templates just creates more work when the certificates have to be renewed.

      • Bharat Chand commented

        Hi CM Product Team,

        I am not sure why you want to hold this back and are not moving to the v3 template, or rather the v4 template. You guys are making progress with SCCM Current Branch, but on the PKI end you are still lagging way behind, and there is news somewhere in August 2017 you will be making V3 Template compatible with SCCM.

      • Martin commented

        I did a search but did check for V3 templates but yes...

        Configuration Manager support for Cryptography Next Generation (CNG)

        When will Configuration Manager support Cryptography Next Generation (CNG) which is referred to as a Windows 2008 Template in Windows Certificate Authority??

        So switch from Cryptographic Services Provider (CSP) to Cryptography Next Generation (CNG)

        SHA-1 now being deprecated and SHA-2 just around the corner, my organization just let me know that it's easier to use a Windows 2008 Template for SHA-2 than do PKI modification in order to let the 2003 template issue template with SHA-2. But SCCM does not support CNG...

      • Eric Mullinax commented

        Please update to support V3 templates. V3 templates came out with Server 2008, nearly a decade ago. Catch up to modern times so we can have more up-to-date encryption standards!

      • Michael Cramer commented

        As Microsoft moves forward with device-specific MFA (Windows Hello for Business), SCCM should be updated to support Version 4 Certificate Templates to enable the use of the "Microsoft Platform Cryptographic Provider" generated certificates. This would enable us to move away from DPAPI-protected keys and use hardware-backed keys, significantly enhancing the security of TLS usage.

      • Michael Cramer commented

        John,

        I believe that this is a bit of a misconception over the versioning. When deploying a "v2 Template", it's an X.509v3 certificate and the versioning is a Microsoft-specific Template thing (supporting how the key is generated, which cryptographic providers are available, etc.)

      • John Kochumman commented

        The SCCM service needs to support industry standard x509v3 certificate versions instead of requiring v2 certificates. HyperLink "https://technet.microsoft.com/en-us/library/gg699362.aspx". No standard certificate provider service or tools are able to generate v2 certificates. Also a concern with the Corporate security group in using antiquated certificate standards, and being prevented from using x509v3 extensions.
