Always use the Manage Server Certificate wizard in the SEPM console to update or generate a server certificate. The wizard updates settings and files that manual methods can miss.
Follow any organizational or governmental requirements for key usage, and use a key of at least 2048 bits with SHA256RSA. A larger key is harder to brute force, but it takes significantly longer to generate and costs more CPU time.
The SEPM uses a 2048-bit SHA256RSA key pair by default and supports keys up to 8192 bits.
When replacing the built-in self-signed certificate on your manager with a Certificate Authority (CA) signed certificate, work with your CA to generate a new, CA-signed certificate with your organization's information, rather than exporting a Certificate Signing Request (CSR) from the default self-signed certificate. Be sure you know of any organizational or compliance requirements governing the use of certificates in your environment before generating a CA-signed certificate. Some common questions you should be able to answer before generating your certificate(s) are:
Are there any specific requirements regarding private key length?
Are there any specific requirements regarding signature algorithms?
Are there any specific requirements regarding signature key algorithms?
Can the Common Name (CN) field contain wildcards (*)?
Can certificates contain IP addresses in the CN field, or as Subject Alternative Name (SAN) entries?
Can certificates be signed by intermediate Certificate Authorities (CAs)?
Are certificates required to be cross-signed?
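As an added illustration (not part of this article or of the SEPM product), the script below checks a PEM certificate against the baseline stated above (RSA key of 2048 to 8192 bits, SHA256RSA signature) and reports the properties the questions ask about, using only the openssl command line. The host name and IP address are constructed placeholders, and the optional minimum-key-size parameter is an assumption added for the demo.

```shell
#!/bin/sh
# Check a PEM certificate against the baseline this article gives for the SEPM
# server certificate (RSA key of at least 2048 and at most 8192 bits, SHA256RSA
# signature) and report the properties its compliance questions ask about:
# wildcard CN, IP address in CN or SAN, self-signed versus CA-signed.
# Uses only the openssl command line (OpenSSL 1.1.1 or later).
set -eu
# check_sepm_cert <cert.pem> [min_key_bits]
# Returns 0 when key size and signature algorithm meet the baseline, 1 otherwise.
# min_key_bits is an assumed parameter; it defaults to 2048, the manager's default.
check_sepm_cert() {
    cert=$1
    min_bits=${2:-2048}
    status=0
    text=$(openssl x509 -in "$cert" -noout -text)
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true)
    sig_alg=$(printf '%s\n' "$text" | grep 'Signature Algorithm:' | head -n1 | sed 's/.*Algorithm: //')
    key_bits=$(printf '%s\n' "$text" | grep 'Public-Key: (' | sed 's/[^0-9]*\([0-9]*\).*/\1/')

    echo "signature algorithm: $sig_alg"
    [ "$sig_alg" = "sha256WithRSAEncryption" ] || { echo "  FAIL: expected sha256WithRSAEncryption"; status=1; }
    echo "key size: ${key_bits:-unknown} bit"
    [ "${key_bits:-0}" -ge "$min_bits" ] && [ "${key_bits:-0}" -le 8192 ] \
        || { echo "  FAIL: key must be between $min_bits and 8192 bit"; status=1; }
    # The items below are reported, not failed: whether they are acceptable is the
    # organizational decision the article's questions are meant to settle.
    case $subject in *'*'*) echo "note: wildcard in subject CN" ;; esac
    if printf '%s\n' "$subject $san" | grep -Eq 'IP Address:|[0-9]+(\.[0-9]+){3}'; then
        echo "note: IP address in CN or SAN"
    fi
    [ "${subject#subject=}" != "${issuer#issuer=}" ] \
        || echo "note: self-signed (like the built-in default); a CA-signed certificate is expected"
    return $status
}

# Constructed sample for the demo: a self-signed 2048-bit SHA-256 certificate with
# a placeholder host name and an IP address SAN. Not a real SEPM certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 30 \
        -subj "/CN=sepm.example.test" \
        -addext "subjectAltName=DNS:sepm.example.test,IP:10.0.0.5" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_sample_cert "$workdir/sepm"
check_sepm_cert "$workdir/sepm.pem"
```

Run it against the certificate exported from the manager (or any PEM file) to see which of the organizational questions apply to it; a non-zero exit means the key size or signature algorithm falls outside the baseline.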
Imported Document ID: TECH212432