I use PKI based labs to test various scenarios from Microsoft. I’ve multiple SCCM (Configuration Manager) labs that are running in HTTPS only mode (PKI) using a two tier PKI infratstructure (Offline Root CA, Issuing CA).
Using multiple labs usually means only one lab is online at a time, and as certs expire regularly, an offline lab can mean expired certs. You’ll first notice issues if you do OSD regularly as it depends on a healthy PKI infrastructure.
If you have expired certs, PXE boot will not work. In this video I show that problem, reveal the expired certificates on the IssuingCA and show you how I fix it.
Setting up PKI
I’ve created multiple guides to help you setup PKI in your LAB and to integrate it with SCCM. You can review them below.
- Part 1 – Introduction and server setup
- Part 2 – Install and do initial configuration on the Standalone Offline Root CA
- Part 3 – Prepare the HTTP Web server for CDP and AIA Publication
- Part 4 – Post configuration on the Standalone Offline Root CA
- Part 5 – Installing the Enterprise Issuing CA
- Part 6 – Perform post installation tasks on the Issuing CA
- Part 7 – Install and configure the OCSP Responder role service
- Part 8 – Configure AutoEnroll and Verify PKI health
- How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 1
- How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 2