Question is in the title but to restate: is it possible to have multiple certificate thumbprints defined in the Local configuration of a node?
The scenario is basically not unlike ADFS: being able to decode from multiple certs makes it easier to transition nodes without interruption when certs are about to expire: I can add a newly issued certificate and the existing mof will continue to run while I go and trigger the build-bot to generate new mofs (or even just wait for said bot to trigger on its schedule and let the cert age out).
But I can't find any documentation to confirm whether this is even possible. If not ... off to the feedback forum I guess...
Larger picture for those curious:
- Using Microsoft PKI with templates to auto issue-renew computer certificates.
- We already have a provisioning script that looks for the computer cert with the latest expiration date and copies it into a folder for the build-bots to use during mof generation.
- These certs expire (surprise), so we are looking into automated options for "flipping" the certs over ... but have to deal with a "delta period" between certs being changed and the next mof generation cycle.
Now I could "flip the script" and have the build-bot "reach out" and update each node after a direct scan but, as you could imagine, that scales very poorly. But then I'm left with that delta problem.
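As an added example (not code from the original post or its author), here is a PowerShell script that does what the provisioning step above describes: pick the machine certificate in the local store with the latest expiration date, publish its public half for the build-bots, and optionally point the node's LCM at the new thumbprint. The share path, the `CN=<hostname>` subject filter and the `.thumbprint` sidecar file are assumptions for illustration; adjust them to your PKI template. Note that the LCM `Settings` block takes a single `CertificateID` value.

```powershell
# Added example, not from the original post: select the newest usable machine
# certificate, export its public .cer for the MOF build-bots, and optionally
# update the node's LCM CertificateID. ExportRoot and the subject filter are
# placeholders/assumptions.
param(
    [string]$ExportRoot = '\\buildbot\dsc-certs',   # assumed share for the build-bots
    [string]$NodeName   = $env:COMPUTERNAME,
    [switch]$UpdateLcm
)

# LCM meta-configuration: CertificateID is a single thumbprint per node.
[DSCLocalConfigurationManager()]
configuration LcmCert {
    param(
        [Parameter(Mandatory)][string]$Node,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    Node $Node {
        Settings {
            CertificateID = $Thumbprint
        }
    }
}

# Credential decryption needs the private key on the node, so require it, and
# take the cert that expires last among those issued to this machine.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -like "CN=$NodeName*"   # assumption: template issues CN=<hostname>
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable machine certificate with a private key found for $NodeName"
}

# Export only the public certificate; the private key never leaves the node.
$cerPath = Join-Path -Path $ExportRoot -ChildPath "$NodeName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Force | Out-Null

# Assumed convention: record the thumbprint next to the .cer so the build-bot can
# fill CertificateFile / Thumbprint for this node in its ConfigurationData.
Set-Content -Path (Join-Path -Path $ExportRoot -ChildPath "$NodeName.thumbprint") `
            -Value $cert.Thumbprint

Write-Verbose "Published $($cert.Thumbprint) (expires $($cert.NotAfter)) to $cerPath"

if ($UpdateLcm) {
    # Compile the meta-MOF and apply it locally; this replaces the previous
    # CertificateID rather than adding to it.
    $metaPath = Join-Path -Path $env:TEMP -ChildPath 'LcmCert'
    LcmCert -Node $NodeName -Thumbprint $cert.Thumbprint -OutputPath $metaPath | Out-Null
    Set-DscLocalConfigurationManager -Path $metaPath -Verbose
}
```

Run it without `-UpdateLcm` from the scheduled provisioning job to keep the build-bot's copy current, and with `-UpdateLcm` only when the regenerated mofs for the new thumbprint are ready to be pulled, since the switch itself is what opens the "delta period" the post describes.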