- You will want to get the cert for "mycompanyinternalname.corp" as that is the domain the machines will be part of.
- The -domainName will be the domain only. Not the ProvisionServer name.
Let me know if you have any other questions.
Our admin who handles purchasing certificates said that the .corp is an invalid domain and that he could not get a cert from Comodo with that.
Is there some form of DNS trickery that I'll need to do to get this to work with mycompanyexternalname.com? An alias of some form?
You can have the cert issued for your top-level domain, then use DHCP Option 15 to specify the domain the vPro will need to use when provisioning machines. This is technically theory, and I have only done limited tests with it in my lab. However, I am able to successfully provision machines with certs from other domains using this method.
We too are in a situation like this. We are worried about unintended consequences if we change DHCP 15 to reflect our external domain. For example, would printers pick up this new domain suffix and quit working? Has anyone run into anything like that, or am I just being overly paranoid?
Our DHCP masters are not willing to change option 15, so we are stuck with internalcompanyname.corp and only being able to get a 3rd party cert for externalcompanyname.com.
Could we set up a DNS alias so that when the client boots AMT to provision, the request of provisionserver.internalcompanyname.corp can be resolved by DNS and passed along to provisionserver.externalcompanyname.com?
We just tried changing our DHCP option from our existing .world domain suffix to one that matches our internet .com suffix. We let that propagate for over an hour. Windows looked good, but when we started checking Mac and Linux based systems, that is where we started to see problems. After a reboot, those boxes picked up the new .com domain suffix but couldn't ping anything that still had a .world suffix. I am guessing that this has something to do with domain search order, but I am not sure as I am not a DNS expert in the slightest.
It took some badgering, but I was finally able to get our certificate guys to work with Comodo to issue a vPro cert with our internal domain. This will only be valid for a year, but that should be plenty of time to get our machines provisioned.
Since internally named certs will be revoked next fall, vendors make it difficult to get one. Or, at least they did for us. It took a special request.