This post describes how to request a certificate from your CA by submitting a base-64-encoded CMC request, and how to import the issued certificate. You normally need to do this to establish authentication between a SCOM agent and a SCOM management server when they are located in different, non-trusted domains, for instance a DMZ or a cloud-based host such as Amazon EC2: SCOM uses Kerberos for mutual authentication only inside trusted domains, and everywhere else both ends need a certificate. In this example we assume you have a CA you have access to.

Step 1: Request a certificate from a stand-alone Certification Authority (CA)

For this step we assume the following:

  • You have a CA server, or use a third-party CA that accepts base-64-encoded CMC requests. If you do not, see the links at the end of the post to deploy a CA.
  • The certificates are DNS-name based (the Subject is the computer's FQDN), so the computer you are going to monitor and your SCOM management stack must be able to resolve each other's names: bi-directional DNS resolution is required.

First, you will need to create an .INF file containing your request information to use with the CertReq utility. The file must look as follows:

[NewRequest]
; Subject is the FQDN of the machine the certificate is for; SCOM matches it
; against the name the agent and management server use to reach each other.
Subject="CN=server.company.com"
; Exportable=TRUE is what the SCOM certificate guidance uses. It also means that
; anyone with local administrator rights can export the private key to a .pfx,
; so treat the machine's admin group as the set of people who hold this key.
Exportable=TRUE
KeyLength=2048
; KeySpec=1 (AT_KEYEXCHANGE): the key may be used for both signing and key exchange
KeySpec=1
; KeyUsage=0xf0 = digitalSignature | nonRepudiation | keyEncipherment | dataEncipherment
KeyUsage=0xf0
; Generate the key pair in the local machine store, not in the current user's profile
MachineKeySet=TRUE

[EnhancedKeyUsageExtension]
; Server Authentication and Client Authentication: SCOM requires both on every certificate
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

“server.company.com” is the FQDN of the computer you are creating the certificate for, for example the gateway server or the management server. Save the file somewhere, for example “C:\Temp\request.inf”.

Next, run the following command in an elevated command prompt on the computer named in the Subject (the key pair is generated into that machine's key store, so the request must be created where the certificate will be used):

CertReq -New -f C:\Temp\request.inf C:\Temp\Request.req

where C:\Temp\request.inf is the file you just created and C:\Temp\Request.req is the new file the request is written to. Request.req contains only the public key and the subject information you need to submit to the CA to receive your certificate; the private key stays in the local machine store and never leaves the computer. For a stand-alone CA you can submit it as follows:

  • Open http://caserver.company.com/certsrv , where caserver.company.com is the network name of the CA server.
  • Go to “Request a certificate” –> “Advanced certificate request” –> “Submit a certificate request by using a base-64-encoded CMC…“.
  • Open the C:\Temp\Request.req file you just created in Notepad, then copy and paste its text into the text field on the page.
  • Your certificate request has now been submitted to the server.

Next, your CA needs to approve the request and issue the certificate. If you own the CA, you can do it yourself:

  • Open a management console on the CA server.
  • Go to Server Manager –> Active Directory Certificate Services –> <name of your CA server> –> Pending Requests.
  • Find your request in the pending requests, right-click it and choose “Issue”. Check the Subject of the request before you issue it: on a stand-alone CA anything submitted through /certsrv lands in Pending Requests, and issuing a request for a name you do not recognise hands someone a certificate your management servers will trust.

If you use a third-party CA, or the CA server is not accessible to you:

  • Contact whoever manages the CA server and ask them to try to be useful and issue the certificate. Once the certificate is issued…
  • Go to http://caserver.company.com/certsrv (the server you submitted the request to, remember?)
  • Click “View the status of a pending certificate request”
  • Select your certificate and click to download it.

TA-DA. The DER-encoded file you have received is your certificate. While you are on the /certsrv page, also download the CA certificate chain (“Download a CA certificate, certificate chain, or CRL”) unless the CA is already trusted on both computers: the certificate is only useful if the issuing CA is in Trusted Root Certification Authorities on both the agent and the management server.

Step 2: Importing the certificate

Important thing about the certificate: the private key was generated into the machine key store of the computer where you ran CertReq (MachineKeySet=TRUE), and the file the CA gave you contains only the public half. So the certificate is tied to that machine and cannot be re-used on a different computer; every monitored computer needs its own request.

To import the certificate:

  • Run the MMC console (Start – Run – “mmc”) and in the File menu select Add/Remove Snap-in.
  • In Available Snap-ins select “Certificates” and add it for “Computer account”. The request was created with MachineKeySet=TRUE, so the key lives in the computer store, not the user store; a user-account snap-in will not pair the certificate with the key.
  • Open “Certificates – Local Computer\Personal”, right-click the folder and choose “All Tasks/Import…”.
  • In the wizard that opens, browse to the certificate file you just downloaded and finish the wizard.
  • Now you should see your certificate listed. Its icon should show a small key, meaning it was paired with the private key from the request; if the certificate has no private key, the request was not created on this machine.
  • Finally run the MOMCertImport utility from the SCOM installation media (CD\SupportTools\amd64) and point it at the newly imported certificate.

Now your SCOM agent has a CA-issued certificate it can use to authenticate its communication with the SCOM management servers. The management server (or gateway) at the other end needs its own certificate from the same CA, obtained with the same two steps.
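The same two steps, scripted end to end, as an added example that is not part of the original post or of the SCOM tooling. It assumes it is run elevated on the machine that needs the certificate, that the issued certificate has been downloaded by hand from /certsrv to C:\Temp\certnew.cer (the file name, the working directory, the CA config string in the comment and the MOMCertImport path are assumptions), and that MOMCertImport.exe has been copied from the SCOM media. It uses certreq -Accept instead of the MMC import wizard, which does the same pairing of certificate and private key, and then checks what the post tells you to look at by eye: the private key is present, both EKUs are there, the chain builds to a trusted root, and MOMCertImport actually recorded the certificate.

```powershell
# Added example (not from the original post or from SCOM): request, accept, verify
# and register a SCOM agent/gateway certificate on the local machine.
$ErrorActionPreference = 'Stop'

# Assumed names and paths; adjust to your environment.
$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. server.company.com
$WorkDir       = 'C:\Temp'
$InfPath       = Join-Path $WorkDir 'request.inf'
$ReqPath       = Join-Path $WorkDir 'Request.req'
$CerPath       = Join-Path $WorkDir 'certnew.cer'                 # DER file downloaded from /certsrv (assumed name)
$MomCertImport = 'C:\SCOM\SupportTools\amd64\MOMCertImport.exe'   # copied from the SCOM media (assumed path)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1a: write the same INF the post uses, with the Subject filled in from DNS.
@"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Step 1b: generate the key pair in the local machine store and write the request.
# Only the public key and subject go into Request.req; the private key stays here.
& certreq.exe -New -f $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -New failed with exit code $LASTEXITCODE" }

# Step 1c: submit Request.req through /certsrv and download the issued certificate to
# $CerPath, as in the post. If the CA is reachable over RPC you can do it from here instead:
#   certreq.exe -Submit -config "caserver.company.com\Company-CA" $ReqPath $CerPath
if (-not (Test-Path $CerPath)) { throw "Issued certificate not found at $CerPath; download it from /certsrv first" }

# Step 2a: accept the issued certificate. This pairs it with the pending private key and
# places it in Cert:\LocalMachine\My, which is what the MMC import wizard does.
& certreq.exe -Accept $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -Accept failed with exit code $LASTEXITCODE" }

# Step 2b: verify before handing the certificate to SCOM.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My (was the request created on this machine?)" }

$EkuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$Ekus   = @($EkuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($Oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($Ekus -notcontains $Oid) { throw "Certificate is missing EKU $Oid; SCOM needs both Server and Client Authentication" }
}

$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $Chain.Build($Cert)) {
    $Status = ($Chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not build: $Status. Import the issuing CA's certificate into LocalMachine\Root first."
}

# Step 2c: tell the SCOM agent/gateway which certificate to use.
& $MomCertImport $CerPath
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport failed with exit code $LASTEXITCODE" }

# MOMCertImport records the serial number (byte-reversed) under Machine Settings;
# compare it with the certificate we verified so a wrong pick is caught now, not at
# the next Health Service start.
$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$Stored   = (Get-ItemProperty -Path $RegPath -Name ChannelCertificateSerialNumber).ChannelCertificateSerialNumber
$Expected = [byte[]]($Cert.SerialNumber -split '(?<=\G..)(?=.)' | ForEach-Object { [Convert]::ToByte($_, 16) })
[array]::Reverse($Expected)
if (($Stored -join ',') -ne ($Expected -join ',')) {
    Write-Warning "ChannelCertificateSerialNumber does not match $($Cert.Thumbprint); check which certificate MOMCertImport selected"
}

# The agent only reads the new setting on start.
if (Get-Service HealthService -ErrorAction SilentlyContinue) { Restart-Service HealthService }

Write-Host "SCOM certificate $($Cert.Thumbprint) for $Fqdn accepted, verified and registered."
```

Run it once per monitored computer; the request, the key and the registry setting are all local to that machine, which is the point of the "tied to the machine" remark above. The chain check is the one most often missed when the CA lives outside the domain: until the CA's own certificate is in Trusted Root Certification Authorities on both ends, the agent will keep logging certificate errors even though MOMCertImport succeeded.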

Useful links