This post describes how to request a certificate from your CA by submitting a base-64-encoded CMC request, and how to import the issued certificate afterwards. You normally need this when you want to set up certificate authentication between a SCOM agent (or gateway) and a SCOM management server that sit in untrusted domains or workgroups, for instance a DMZ or a cloud-based hosting such as Amazon EC2. In this example we assume you have access to a CA.
Step 1: Request a certificate from a stand-alone Certification Authority (CA)
For this step we assume the following:
- You have a CA server, or use a third-party CA, that accepts base-64-encoded CMC requests. If you do not, see the links at the end of the post on deploying a CA.
- The certificates are name based: the subject is the computer's FQDN, so the computer you want to monitor and your management servers (or gateway) must be able to resolve each other by name. Bi-directional DNS resolution is required.
First, you need to create an .INF file containing your request information for the CertReq utility. The file must look as follows:

[NewRequest]
Subject="CN=server.company.com"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

"server.company.com" is the FQDN of the computer you are creating the certificate for, for example the gateway server, the management server or the agent machine itself; it must match the name the computer reports for itself (hostname plus primary DNS suffix). The two OIDs request the Server Authentication and Client Authentication enhanced key usages, both of which SCOM requires; KeyUsage=0xf0 requests Digital Signature, Non-Repudiation, Key Encipherment and Data Encipherment, and MachineKeySet=TRUE puts the private key in the local computer's key store rather than the user's. Exportable=TRUE allows the private key to be exported later; if you have no reason to move the key, set it to FALSE. Save the file somewhere, for example "C:\Temp\request.inf".
Next, run the following command in a command prompt (an elevated one, since the key goes into the machine store):
CertReq -New -f C:\Temp\request.inf C:\Temp\Request.req
where C:\Temp\request.inf is the file you just created and C:\Temp\Request.req is the new file the request is saved to (-f overwrites it if it already exists). The .req file contains the base-64-encoded request you need to submit to the CA to receive your certificate; the matching private key stays on this machine. For a stand-alone CA you can submit it as follows:
- Open http://caserver.company.com/certsrv , where caserver.company.com is the network name of the CA server.
- Go to "Request a certificate" –> "Advanced certificate request" –> "Submit a certificate request by using a base-64-encoded CMC…".
- Open the C:\Temp\Request.req file you just created in Notepad, then copy and paste its text into the text field on the page:
- Your certificate request has now been submitted to the server.
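The same request generation, scripted, as an added example that is not part of the original post. It derives the subject from the machine's own hostname and primary DNS suffix (so the CN matches what the computer reports), writes the .INF, runs CertReq -New, and then dumps the .req file with certutil to confirm the subject and both EKUs are actually in what you are about to hand to the CA. The paths are assumptions; the INF contents are the ones from the post.

```powershell
# Added example (not from the original post). Run from an elevated prompt:
# the private key is created in the local machine key store.
$inf = 'C:\Temp\request.inf'     # assumed path, as in the post
$req = 'C:\Temp\Request.req'     # assumed path, as in the post

# Build the FQDN the way the computer itself sees it: hostname + primary DNS suffix.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
if (-not $ipProps.DomainName) {
    throw "This machine has no primary DNS suffix; set one so the certificate CN is a resolvable FQDN."
}
$fqdn = "$($ipProps.HostName).$($ipProps.DomainName)"

# The request template from the post, with the CN filled in.
@"
[NewRequest]
Subject="CN=$fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and the base-64 request (-f overwrites an existing .req).
certreq.exe -new -f $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Sanity-check the request before submitting it: certutil -dump prints the
# subject and the requested extensions, including the EKU OIDs.
$dump = certutil.exe -dump $req | Out-String
foreach ($must in @("CN=$fqdn", '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')) {
    if ($dump -notmatch [regex]::Escape($must)) { throw "Request is missing '$must'" }
}

# The pending request (and its private key) now lives in the machine's
# Certificate Enrollment Requests store until the issued cert is accepted.
Get-ChildItem Cert:\LocalMachine\REQUEST | Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Format-List Subject, HasPrivateKey, NotBefore

Write-Host "Submit the contents of $req to the CA's certsrv page."
```

If the certutil check fails, fix the .INF and rerun rather than submitting; a request without both EKUs will be issued by the CA just fine but rejected by SCOM later, which is far more annoying to debug.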
Next, the CA administrator needs to approve the request and issue the certificate. If you own the CA, you can do it yourself:
- Open a management console on the CA server
- Go to Server Manager –>Active Directory Certificate Services –> Name of your CA server here –> Pending Requests.
- Find your request in the pending requests, right-click it and choose “Issue”:
If you use a third-party CA or CA server is not accessible to you:
- Contact whoever manages the CA server and ask them to issue the certificate. Once the certificate has been issued:
- Go to http://caserver.company.com/certsrv (the same server you submitted the request to)
- Click “View status of a pending certificate request”
- Select your certificate and click to download the certificate:
TA-DA. The DER-encoded .cer file you have downloaded is your certificate. It contains only the public part; the private key never left the machine where you ran CertReq.
Step 2: Importing the certificate
Important thing about the certificate: it is tied to the machine where you created the request, because the private key was generated in that machine's key store and the issued certificate only pairs with that key (and its subject is that machine's FQDN). So you cannot re-use it on other computers; each agent, gateway and management server needs its own request and certificate.
To import certificate:
- Run the MMC console (Start – Run – "mmc"), in the File menu select Add/Remove Snap-in, and add the Certificates snap-in for the Computer account (Local computer).
- Open "Certificates (Local Computer)\Personal", right-click the folder and choose "All Tasks / Import…":
- In the wizard you just opened browse to the certificate file you just downloaded and finish wizard:
- Now you should have your certificate listed:
- Finally, run the MOMCertImport utility from the SCOM installation media (SupportTools\amd64) and select the newly imported certificate:
Now your SCOM agent has a CA-issued certificate it can use to authenticate its communication with the SCOM management servers. Repeat the procedure on the management server or gateway it talks to: both ends need their own certificate, and each end must trust the CA that issued the other end's certificate, so import the CA's root certificate into the local computer's Trusted Root Certification Authorities store on both sides.
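The import and registration scripted, as an added example that is not part of the original post. Instead of the MMC import it uses certreq -accept, which pairs the downloaded .cer with the pending request's private key (and fails if the request was not made on this machine, which is the "tied to the machine" point above). It then checks the things SCOM will check (both EKUs, the key usages, a chain to a trusted root), registers the certificate with MOMCertImport, and confirms that the serial number written to the agent's Machine Settings registry key is the one you expect. The file paths, the FQDN and the location of the SCOM media are assumptions.

```powershell
# Added example (not from the original post). Run elevated on the agent/gateway.
$cer     = 'C:\Temp\certnew.cer'                       # assumed: the DER file from certsrv
$fqdn    = 'server.company.com'                        # assumed: the CN used in the request
$momTool = 'D:\SupportTools\AMD64\MOMCertImport.exe'   # assumed: SCOM installation media

# Match the issued certificate to the pending request and move it, with its
# private key, into LocalMachine\My. This is the CLI equivalent of the MMC import.
certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) {
    throw "certreq -accept failed ($LASTEXITCODE). Was the request generated on this machine?"
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$fqdn with a private key in LocalMachine\My" }

# SCOM requires both Server Authentication and Client Authentication EKUs ...
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $oid) { throw "Certificate lacks EKU $oid" }
}
# ... and a key usage that covers signing and key exchange (KeyUsage=0xf0 in the INF).
$kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
foreach ($flag in 'DigitalSignature', 'KeyEncipherment') {
    $wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$flag
    if (-not $kuExt.KeyUsages.HasFlag($wanted)) { throw "Certificate lacks key usage $flag" }
}
# Verify() builds the chain with online revocation checking, so the issuing CA's
# root must be in LocalMachine\Root and its CRL must be reachable from here.
if (-not $cert.Verify()) {
    throw "Chain does not build to a trusted root (or revocation check failed); import the CA root certificate first"
}

# Register the certificate with the Health Service (this is the MOMCertImport step of the post).
& $momTool /SubjectName $fqdn
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport failed ($LASTEXITCODE)" }

# MOMCertImport records the serial number in the agent's Machine Settings key in
# reversed byte order; GetSerialNumber() returns the bytes little-endian, so they
# must compare equal.
$key    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$stored = (Get-ItemProperty -Path $key -Name ChannelCertificateSerialNumber).ChannelCertificateSerialNumber
$storedHex   = -join ($stored | ForEach-Object { $_.ToString('X2') })
$expectedHex = -join ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') })
if ($storedHex -ne $expectedHex) {
    throw "Registered serial $storedHex does not match certificate $($cert.Thumbprint)"
}

# The Health Service only picks up the new certificate after a restart.
Restart-Service HealthService
Write-Host "Certificate $($cert.Thumbprint) registered for SCOM on $fqdn"
```

If certreq -accept reports that no matching request was found, you downloaded the wrong certificate or generated the request elsewhere; do not work around it by exporting a PFX from another machine, since the CN would not match this computer's name anyway.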
- How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007 (Technet)
- Step by Step for using Certificates to communicate between agents and the OpsMgr 2007 server (SCOM support team blog)
- Ops Mgr R2 and server 2008 in a gateway scenario (Microsoft System Center by Anders Bengtsson)
- Enterprise CA: How to create a SCOM Certificate template (Thoughts on OpsMgr and System Center 2012)
- Obtaining Certificates for Non-Domain Joined Agents Made Easy With Certificate Generation Wizard (System Center: Operations Manager Engineering Blog)
- How to Configure an HTTPS Binding for a Windows Server 2008 CA (Technet)