A quick visual guide on deploying a stand-alone Certificate Authority (CA) server for your test lab. This will come handy if you are looking to monitor guest servers deployed in DMZ, Amazon EC2 or anywhere else beyond your domain.

For those who are trying to set up SCOM agents in DMZ or in the Amazon cloud, here is a quick instruction on how to deploy your own Certificate Authority (CA). This is useful for smaller virtual labs, not for production systems. If you are looking to implement a “real” solution, please spend some time with your domain admins, they most likely have a better solution for you.

There are four parts:

  1. Install CA server.

  2. Configure CA server.
  3. Download root CA certificate.
  4. Import CA certificate.

Step 1: Install and Configure Certification Authority (CA) on External Domain Server

  1. Open “Server Manager” console and run “Add Roles” Wizard:
    clip_image002
  2. Check “Active Directory Certificate Services” Role. Click Next:
    clip_image004
  3. On “Role Services” page check “Certification Authority” and “Certification Authority Web Enrollment” services:
    clip_image006
    If wizard asks about installation of additional features – it is OK:
    clip_image008
  4. On “Setup type” page check Standalone option:
    clip_image010
  5. “CA Type” page: check Root CA.
    clip_image012
  6. “Private Key” page: check Create a new private key.
    clip_image014
  7. Leave “Cryptography”, “CA Name”, “Validaty Period”, “Certificate Database”, “WebServer(IIS)”, “Role Services” by default.
  8. Confirm and Finish Installation.

Step 2: Download the Trusted Root (CA) certificate

  1. Open in browser http://<CA server>/certsrv , where <CA server> network name of your CA server.
    clip_image016
  2. Click “Download a CA certificate chain or CRL”.
    clip_image018
  3. Download CA certificate.
    clip_image020

Step 3: Import the Trusted Root (CA) certificate

Note: CA root certificate should be imported on all machines on the DBC (Virtualization Hosts and Management Stack) and on customer’s SCOM RMS.

  1. Doubleclick CA certificate
    clip_image022
  2. Click Install Certificate…
    clip_image024
  3. Click Next. Then Check “Place all certificates in the following store”
    clip_image026
  4. Click Browse. Check “Show physical stores”, browse to “Trusted Root Certification Authorities” and select “Local computer”.
    clip_image028
  5. Finish Wizard and Close Certificate properties window.
    clip_image030

Congratulations, now you have your very own CA server.