SMS Certificate Management

For more details about these tasks, see Appendix B: SMS Certificate Infrastructure.

Manually Transferring Site Keys

Public/private key pairs are generated at each site server when the sites are set up. The value of the private key is only known by the operating system of the site server. Assuming that the sites are running SMS 2.0 SP5 or later, the sites automatically exchange files during the establishment of a parent/child site relationship.

If you have extended your Active Directory schema and granted SMS permissions to publish to Active Directory, the sites verify each other's validity by reading the public keys from Active Directory. The serviceBindingInformation attribute of the mSSMSSite objects is used to store the public key for each site. Because writing public keys to Active Directory requires significant rights, this ensures that the site is not an unauthorized site. This method of key exchange happens automatically, but it requires Active Directory, and the account used to set up the sites must have sufficient rights to write to the Active Directory objects. This method also does not work across forests. If you have a site hierarchy that spans forests, have not extended your Active Directory schema, or have not granted SMS permissions to publish to Active Directory, you must manually transfer the site keys between the parent and child sites.

You manually transfer the keys by running the SMS Preinst.exe tool with the appropriate switches and then copying the generated files while logged on with an administrative account. Table E.1 lists the relevant Preinst.exe switches. Preinst.exe is in the \SMS\bin\i386\<language code> directory on your SMS 2003 or SMS 2.0 SP5 site server.

Table E.1   Preinst.exe Switches for Exchanging Site Keys

| Key | Purpose | How to use |
|---|---|---|
| /KEYFORPARENT | Dump this site’s public key into the <sitecode>.ct4 file at the root of the SMS drive. | Copy this file to the parent site’s hman.box inbox (not hman.box\pubkey). |
| /KEYFORCHILD | Dump this site’s public key into the <sitecode>.ct5 file. | Copy this file to the child sites’ hman.box inbox. |
| /CHILDKEYS | Dump this and all child sites’ public keys into the <sitecode>.ct6 file. | Copy this file to the parent site’s hman.box inbox. |
| /PARENTKEYS | Dump this and all parent sites’ public keys into the <sitecode>.ct7 file. | Copy this file to the child sites’ hman.box inbox. |
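The manual transfer described above, as an added PowerShell example (not part of the SMS documentation or the product): it runs Preinst.exe with one of the Table E.1 switches, checks that the expected <sitecode>.ctN file was produced, and copies it only into an hman.box inbox. The Preinst.exe path, the SMS drive root, the inbox path SMS\inboxes\hman.box on the target server, and the assumption that .ct5/.ct6/.ct7 files land at the root of the SMS drive like .ct4 are all assumptions, not values from the page.

```powershell
# Added example, not Microsoft's code. Assumed: Preinst.exe location, SMS drive
# root, target inbox path, and that every .ctN file is written to the SMS drive root.

# Switch -> file extension, as listed in Table E.1.
$KeyFileExtensions = @{
    '/KEYFORPARENT' = 'ct4'   # this site's key, goes to the parent site
    '/KEYFORCHILD'  = 'ct5'   # this site's key, goes to each child site
    '/CHILDKEYS'    = 'ct6'   # this and all child keys, goes to the parent site
    '/PARENTKEYS'   = 'ct7'   # this and all parent keys, goes to each child site
}

function Export-SmsSiteKey {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('/KEYFORPARENT', '/KEYFORCHILD', '/CHILDKEYS', '/PARENTKEYS')]
        [string]$Switch,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3}$')][string]$SiteCode,
        [Parameter(Mandatory)][string]$PreinstPath,    # assumed, e.g. D:\SMS\bin\i386\00000409\Preinst.exe
        [Parameter(Mandatory)][string]$SmsDriveRoot,   # assumed, e.g. D:\
        [Parameter(Mandatory)][string[]]$TargetHmanBox # assumed, e.g. \\PARENT\D$\SMS\inboxes\hman.box
    )

    # Run Preinst.exe with the requested switch and wait for it to finish.
    $proc = Start-Process -FilePath $PreinstPath -ArgumentList $Switch -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "Preinst.exe $Switch failed with exit code $($proc.ExitCode)"
    }

    # Verify the key file Table E.1 says this switch produces actually exists.
    $keyFile = Join-Path $SmsDriveRoot "$SiteCode.$($KeyFileExtensions[$Switch])"
    if (-not (Test-Path -Path $keyFile)) {
        throw "Expected key file not found: $keyFile"
    }

    foreach ($inbox in $TargetHmanBox) {
        # The file belongs in hman.box itself, never in hman.box\pubkey (Table E.1).
        if ($inbox -notmatch '\\hman\.box\\?$') {
            throw "Refusing to copy: $inbox is not an hman.box inbox"
        }
        Copy-Item -Path $keyFile -Destination $inbox -ErrorAction Stop
        Write-Host "Copied $keyFile to $inbox"
    }
}

# Usage (run on the child site server while logged on with an administrative account):
# Export-SmsSiteKey -Switch '/KEYFORPARENT' -SiteCode 'CHD' `
#     -PreinstPath 'D:\SMS\bin\i386\00000409\Preinst.exe' -SmsDriveRoot 'D:\' `
#     -TargetHmanBox '\\PARENT\D$\SMS\inboxes\hman.box'
```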