This article describes the process of obtaining and installing a digital certificate for an OpsMgr agent that is not a member of your AD forest or of a trusted forest. This article assumes that your managed computer is running one of the following operating systems:

  • Windows 2000
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8/8.1
  • Windows 10
  • Windows 2000 Server
  • Windows Server 2003 (including R2)
  • Windows Server 2008 (including R2 and Server Core)
  • Windows Server 2012 (including R2 and Server Core)

The target audience is OpsMgr administrators who have limited or no understanding of what certificates are and how PKI works. The procedure described below is not the only way to achieve this goal, but it implements many PKI best practices.

Prerequisites

Note: all steps described in the Prerequisites section must be completed in both scenarios.

Existing Certification Authority (CA)

We assume you already have some version of Microsoft Windows Server Active Directory Certificate Services (AD CS) Certification Authority (CA) deployed in your environment and that your OpsMgr Management Servers already trust this CA. You could also use commercial certificates issued by a third-party CA, but in that case some of the steps described below will be a little different.

Export Certificates of CA Hierarchy

First you need to export your CA hierarchy certificates.

  1. Log on to the computer that acts as the Issuing CA with CA administrator permissions.
  2. On the Windows desktop, click Start, click Administrative Tools and click Certification Authority. If User Account Control is enabled, enter the required account credentials or just click Yes on the consent window.
  3. In the Certification Authority window select the certification authority name, click Action and then click Properties.
  4. In the Certification Authority Properties window click the View Certificate button.
  5. In the Certificate properties window switch to the Details tab and click the Copy to File… button.
  6. In the Welcome to the Certificate Export Wizard window click Next.
  7. In the Export File Format window select the following options:
    1. Cryptographic Message Syntax Standard — PKCS #7 Certificates,
    2. Include all certificates in the certification path if possible,
    and then click Next.
  8. In the File to Export window specify the path and file name for the certificate chain, for example TrustedCA.p7b, and click Next.
  9. In the Completing the Certificate Export Wizard window review your export settings. If these are correct, click Finish.
  10. If the export is successful you will see a confirmation pop-up window. Close it by pressing OK and close the Certification Authority snap-in.

Distribute Certificates of CA Hierarchy

Now you need to transfer the above file to each of the managed computers and import it as described below.

  1. Log on to the managed computer with local Administrator privileges.
  2. On the Windows desktop, click Start, and then click Run.
  3. In the Run dialog box, type mmc, and then click OK. If User Account Control is enabled, enter local Administrator password or just press Yes on consent window.
  4. In the Console1 window, click File, and then click Add/Remove Snap-in.
  5. In the Add/Remove Snap-in dialog box, click Add.
  6. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
  7. In the Certificates snap-in dialog box, select Computer account, and then click Next.
  8. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
  9. In the Add Standalone Snap-in dialog box, click Close.
  10. In the Add/Remove Snap-in dialog box, click OK.
  11. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
  12. Right-click Certificates, select All Tasks, and then click Import.
  13. In the Certificate Import Wizard, click Next.
  14. On the File to Import page, click Browse and select the location where you downloaded the CA certificates file, for example, TrustedCA.p7b, select the file, and then click Open.
  15. On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
  16. On the Completing the Certificate Import Wizard page, click Finish.
  17. Close MMC console window.

Scenario 1

The Certification Authority server is configured as a Standalone CA and runs one of the following operating systems: Windows Server 2003/2003 R2/2008/2008 R2 Standard, Enterprise or Datacenter edition.

Prepare certificate request template

  1. Log on to the managed computer with local Administrator privileges.
  2. Click Start, and then click All Programs, Accessories, and then click Notepad.
  3. Paste the following into the notepad window:
[NewRequest]
Subject="CN=<FQDN of managed computer>"
; 2048-bit RSA key pair, generated on this computer and kept in the machine (not user) key store
KeyLength=2048
KeySpec=1
; 0xf0 = Digital Signature + Non-Repudiation + Key Encipherment + Data Encipherment
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
; Server Authentication and Client Authentication; the OpsMgr agent needs both
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

Note: Enter the FQDN of your managed computer into the second line, after the “=” sign. For non-domain computers, the FQDN equals the NetBIOS name. Example: Subject="CN=MyWorkGroupPC".

  4. Save the file with an .inf file name extension, for example OpsMgrConfig.inf.
    Note: It is a common mistake to create the file in Notepad and save the file as OpsMgrConfig.inf.txt. To prevent this, change the file type to All Files from the default of Text Documents (*.txt).
  5. Close Notepad.

Create a request file to use with a Standalone Certification Authority

  1. Click Start, click All Programs, Accessories and then click Command Prompt.
    Note: If User Account Control is enabled run Command Prompt window by choosing Run as Administrator command from the shortcut’s context menu. If prompted enter local Administrator password or just press Yes on consent prompt.
  2. In the Command Prompt window run the following command:
CertReq -New -f path\OpsMgrConfig.inf path\OpsMgr_%computername%.req

Note: enter a valid path for the INF and REQ files. The request file must not exist yet when you run the command; the command creates it.

  3. Type Exit in the Command Prompt window and press Enter.
  4. Locate the created OpsMgr_%computername%.req file and transfer it back to your Certification Authority.

Submit a request file to Standalone Certification Authority

  1. Log on to the computer that acts as the Issuing Standalone Certification Authority with Certification Authority administrator or Certification Authority manager privileges.
  2. On the Windows desktop, click Start, Administrative Tools and click Certification Authority. If User Account Control is enabled, enter required account password or just click Yes on consent window.
  3. In the Certification Authority window select certification authority name, click Action, click All Tasks and then click Submit a new request.
  4. In the Open request file window locate request file and click Open.
    Note: The request file is the one with the .REQ file name extension you prepared in the previous step.
  5. Now this request is waiting for approval. In the same console expand your CA name and select Pending Requests. Locate the request you submitted (typically it should be the only pending request). Click Action, All Tasks and then click Issue.
  6. If the request is issued, the Save Certificate window appears. Save the certificate to a file, for example ManagedComputerName_cert.cer.
  7. Close Certification Authority snap-in.
  8. Transfer this file back to the managed computer.

Install issued certificate to managed computer

  1. Log on to the managed computer with local Administrator permissions.
  2. Click Start, click All Programs, Accessories and then click Command Prompt.
    Note: If User Account Control is enabled run Command Prompt window by choosing Run as Administrator command from the shortcut’s context menu. If prompted enter local Administrator password or just press Yes on consent prompt.
  3. In the Command Prompt window run the following command:
    Certreq -accept path\%computername%_cert.cer

Note: you should enter a valid path for the certificate file.

If no errors are displayed in the CMD window, proceed to the next step.

Import certificates using MOMCertImport

  1. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located. E.g. type “d:” without quotes), and then press ENTER.
  2. Type cd \SupportTools\i386 and then press ENTER.
    Note: On 64-bit computers, type cd \SupportTools\amd64
  3. Run the following command:
    MOMCertImport /SubjectName %computername%
  4. If command returns successful status, type Exit to close Command Prompt window.

Scenario 2

The Certification Authority server is configured as an Enterprise CA and runs one of the following operating systems: Windows Server 2003/2003 R2/2008/2008 R2.

Note: Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008 Standard Edition don’t support version 2 templates.

Prepare certificate template

  1. Log on to the computer that acts as an Issuing Enterprise Certification Authority with Enterprise Admin privileges.
  2. On the Windows desktop, click Start, and then click Run.
  3. In the Run dialog box type mmc, and then click OK. If User Account Control is enabled, enter required account credentials or just click Yes on consent window.
  4. In the Console1 window, click File, and then click Add/Remove Snap-in.
  5. In the Add/Remove Snap-in dialog box, click Add.
  6. In the Add Standalone Snap-in dialog box, click Certificate Templates.
  7. In the Certificate Templates window locate the template named Computer.
  8. Click Action and then click Duplicate Template. If prompted, select Windows Server 2003, Enterprise Edition.
  9. In Properties of New Template window in General tab specify new template name. For example, OpsMgrAgentV2.
  10. Switch to Subject Name tab and select Supply in the request.
  11. Switch to Security tab.
  12. Add a custom global or universal group that contains Certification Authority managers or Certification Authority administrators, and assign the group Read and Enroll permissions.
  13. Click Apply and then click Ok to save changes to new template and close Certificate Templates window.

Add new template to Issuing Enterprise CA

  1. Log on to the computer that acts as Issuing Enterprise CA with Certification Authority administrator permissions.
  2. On the Windows desktop, click Start, click Administrative Tools and click Certification Authority. If User Account Control is enabled, enter required account credentials or just click Yes on consent window.
  3. Expand your Certification Authority name and select Certificate Templates.
  4. In the Certificate Templates click Action, New and Certificate template to issue.
  5. In the Enable Certificate Templates window locate custom template (in our example this is OpsMgrAgentV2) and click Ok.

Prepare certificate request template

  1. Log on to the managed computer with local Administrator privileges.
  2. Click Start, and then click Run.
  3. In the Run dialog box, type Notepad, and then click OK.
  4. Paste the following into the notepad window:
[NewRequest]
Subject="CN=<FQDN of managed computer>"
; 2048-bit RSA key pair, generated on this computer and kept in the machine (not user) key store
KeyLength=2048
KeySpec=1
; 0xf0 = Digital Signature + Non-Repudiation + Key Encipherment + Data Encipherment
KeyUsage=0xf0
MachineKeySet=TRUE
[RequestAttributes]
; common name of the duplicated template; the EKUs come from the template, not from this file
CertificateTemplate="OpsMgrAgentV2"

Note: Enter the FQDN of your managed computer into the second line, after the “=” sign. For non-domain computers, the FQDN equals the NetBIOS name. Example: Subject="CN=MyWorkGroupPC".

Note: in the CertificateTemplate field you must enter the certificate template's common name rather than its display name.

  5. Save the file with an .inf file name extension, for example OpsMgrConfig.inf.
    Note: It is a common mistake to create the file in Notepad and save the file as OpsMgrConfig.inf.txt. To prevent this, change the file type to All Files from the default of Text Documents (*.txt).
  6. Close Notepad.

Create a request file to use with an Enterprise CA

  1. Click Start, click All Programs, Accessories and then click Command Prompt.
    Note: If User Account Control is enabled run Command Prompt window by right-clicking on CMD icon and pressing Run as Administrator. If prompted enter local Administrator password or just press Yes on consent prompt.
  2. In the Command Prompt window run the following command:
CertReq -New -f path\OpsMgrConfig.inf path\OpsMgr_%computername%.req

Note: enter a valid path for the INF and REQ files. The request file must not exist when you run the command; the command creates it.

  3. Type exit to close the Command Prompt window.

Locate created OpsMgr_%computername%.req file and transfer it back to where you have access to your Certification Authority.

Submit a request file to Enterprise Certification Authority

  1. Log on to the computer that acts as an Issuing Enterprise Certification Authority with Certification Authority administrator or Certification Authority manager permissions.
  2. On the Windows desktop, click Start, click Administrative Tools and click Certification Authority. If User Account Control is enabled, enter required account credentials or just click Yes on consent window.
  3. In the Certification Authority window select Certification Authority name, click Action, click All Tasks and then click Submit a new request.
  4. In the Open request file window locate OpsMgr_ManagedComputerName.req file and click Open.
  5. By default, an Enterprise Certification Authority immediately issues or denies the submitted request.
  6. If the request is issued, the Save Certificate window appears. Save the certificate to a file, for example ManagedComputerName_cert.cer.
  7. Close Certification Authority snap-in.
  8. Transfer this file back to the managed computer.

Install issued certificate to managed computer

  1. Log on to the managed computer with local Administrator permissions.
  2. Click Start, click All Programs, Accessories and then click Command Prompt.
    Note: If User Account Control is enabled run Command Prompt window by choosing Run as Administrator command from the shortcut’s context menu. If prompted enter local Administrator password or just press Yes on consent prompt.
  3. In the Command Prompt window run the following command:
    Certreq -accept path\%computername%_cert.cer

Note: you should enter a valid path for the certificate file.

If no errors are displayed in the CMD window, proceed to the next step.

Import certificates using MOMCertImport

  1. Click Start, click All Programs, Accessories and then click Command Prompt.
    Note: If User Account Control is enabled run Command Prompt window by choosing Run as Administrator command from the shortcut’s context menu. If prompted enter local Administrator password or just press Yes on consent prompt.
  2. At the Command Prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located. E.g. type “d:” without quotes), and then press ENTER.
  3. Type cd \SupportTools\i386 and then press ENTER.
    Note: On 64-bit computers, type cd \SupportTools\amd64
  4. Run the following command:
    MOMCertImport /SubjectName %computername%
  5. If command returns successful status type Exit to close Command Prompt window.
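
A post-installation check for either scenario, as an added PowerShell script that is not part of the article or of OpsMgr. It assumes the subject CN was set to the computer name as in the INF files above, and it assumes (not verified here) that MOMCertImport records the selected certificate's serial number in the ChannelCertificateSerialNumber value under HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings.

```powershell
# Added verification script for the managed computer; not part of the article or of OpsMgr.
# Run in an elevated PowerShell after the MOMCertImport step of either scenario. It checks that
# the certificate in the machine Personal store has what the article's INF files and template
# ask for, that it chains to the CA hierarchy imported earlier, and that MOMCertImport
# registered exactly this certificate.
$expectedCn = $env:COMPUTERNAME          # Subject CN written into the INF file
$clientAuth = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$serverAuth = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU

# Assumption: MOMCertImport records the chosen certificate's serial number, in the same
# little-endian byte order that GetSerialNumber() returns, under this registry value.
$momKey  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$momProp = Get-ItemProperty -Path $momKey -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue
$registered = $null
if ($momProp) { $registered = [BitConverter]::ToString($momProp.ChannelCertificateSerialNumber) }

$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.GetNameInfo('SimpleName', $false) -ieq $expectedCn
})
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$expectedCn in LocalMachine\My; did 'certreq -accept' run on this computer?"
    return
}

foreach ($cert in $candidates) {
    $problems = @()

    # certreq -accept binds the issued certificate to the key that certreq -new generated here;
    # without that private key the agent cannot use the certificate.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key bound to the certificate' }

    # Both EKUs that the INF ([EnhancedKeyUsageExtension]) or the duplicated Computer template supply.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus -notcontains $clientAuth) { $problems += 'missing Client Authentication EKU' }
    if ($ekus -notcontains $serverAuth) { $problems += 'missing Server Authentication EKU' }

    # KeyUsage=0xf0 in the INF requests Digital Signature, Non-Repudiation, Key Encipherment
    # and Data Encipherment; Digital Signature and Key Encipherment are the ones TLS relies on.
    $ku = "$($cert.Extensions['2.5.29.15'].KeyUsages)"
    foreach ($need in 'DigitalSignature', 'KeyEncipherment') {
        if ($ku -notmatch $need) { $problems += "key usage lacks $need" }
    }
    if ($cert.PublicKey.Key.KeySize -lt 2048) { $problems += "key is only $($cert.PublicKey.Key.KeySize) bits" }

    # The chain must end at a root this computer trusts, i.e. the TrustedCA.p7b import worked.
    # Revocation is not checked so the test also works where the CA's CRL is unreachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build to a trusted root ($status)"
    }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }

    # Confirm MOMCertImport picked this certificate and not another one with the same CN.
    $serial = [BitConverter]::ToString($cert.GetSerialNumber())
    if (-not $registered) { $problems += 'MOMCertImport has not registered any certificate' }
    if ($registered -and $registered -ne $serial) { $problems += 'MOMCertImport registered a different certificate' }

    if ($problems.Count -eq 0) {
        "OK  $($cert.Thumbprint)  $($cert.Subject)  expires $($cert.NotAfter)"
    } else {
        "BAD $($cert.Thumbprint)  $($cert.Subject)"
        $problems | ForEach-Object { "    - $_" }
    }
}
```

A BAD line with "chain does not build" points back to the Distribute Certificates of CA Hierarchy section; a missing EKU points back to the INF file or the duplicated template.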

Comments:

Unknown Identity

Your template for generating the certificate request is missing the Exportable = True setting. I spent hours trying to figure out what was going wrong. It came down to the request not stating that the public key would be exportable later on. Here is what you should have for a template file:

[NewRequest]
Subject="CN="
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

Unknown Identity

If you use my guide, you don't need to create exportable private key. Many (even official) guides assume that certificate request is generated on domain computer or on the CA server. In that case to export you must mark private key as exportable. However my guide requires to generate certificate request on the *target* machine. Therefore you don't need to move private key anywhere and 'Exportable = True' is not necessary.

Unknown Identity

Hello, Thanks for this great How To. The only question I have is around what server, other than the Gateway, need the cert installed and imported using the MOMCertImport? For example, I have one gateway server, one management server and one RMS. Do I need to install the cert and then use MOMCertImport on the Management server and the RMS? Thanks, Tom

Unknown Identity

Hello,

> need the cert installed and imported using the MOMCertImport?

You need the cert installed (and registered with MOMCertImport) on:

  1. Gateway
  2. Management server(s) that this gateway will communicate with
  3. Any agent that will communicate with your gateway without _kerberos_ trust (gateway and agent in one forest or in forests that have FULL forest trust).

In short: you need certs on BOTH sides of the communication channel if you can't use kerberos for these communications.

Alexey Zhuravlev

Unknown Identity

Your solution guide is simply great. Helped me a lot. Thanks, Tezel

Unknown Identity

Hello, I was able to install the cert on the management server, but I'm not able to install on the Gateway server. Before I start giving specific error message, I wanted to make sure I'm doing it correctly. All of our servers are Windows 2008 R2. My Certificate server and management server are in the same domain... say, Production.com. The gateway server is in the dmz (dmz.com) which does not have a trust setup with Production.com. So my first question: Creating the request file for the gateway server, do I need to run the CertReq -New.... from the gateway server and then transfer this back to the certificate server in the Production.com domain? Thanks, tom

Unknown Identity

sorry.... wanted to include in my above question that we are configured as an Enterprise CA. Thanks, Tom

Unknown Identity

> Creating the request file for the gateway server, do I need to run the CertReq -New.... from the gateway server and then transfer this back to the certificate server in the Production.com domain?

Yes, you're correct.

Kojo

Hi, I need to request a certificate for a computer which is not a domain member. The certificate is needed for L2TP VPN. When I run certreq -new based on the inf file, I got an error that the template is not found. (Template not found. Do you wish to continue anyway?) Where should I run "certreq -new req.inf req.req"? On the issuing CA or the non-domain computer? I've used "Prepare certificate request template" and "Create a request file to use with an Enterprise CA" from SCENARIO 2. I have a two-tier PKI (Offline ROOT CA and Enterprise Issuing subordinate CA). Tnx

Vadims Podans

If you need to create a request on a non-domain machine and that request will be submitted to an Enterprise CA, you need to confirm the error message and proceed. This is expected behavior.

Rajamuthu

This is a really great article, however I am getting a similar error message (template not found) for a domain member computer. I followed the steps and created the duplicate template for my OpsManager. Could you please advise how to fix the issue?

Roody

Good one Vadims Podāns

ChristopheB

Hi,

I have a question about application policies for the SCOM Agent certificate template. Does it really need both policies for the agent, Client Authentication & Server Authentication, for SCOM clients (except the gateway)? Can we use only one role? Or two certificates with each role?

Regards,

Christophe

Vadims Podāns

@ChristopheB,

You cannot use two certificates, because there is no selector functionality. Agent can register with itself only one certificate. At the time of article writing, it was necessary to have both, Client and Server Authentication EKUs. I haven't tested other configurations with newer versions.

ChristopheB

@Vadims,

Thanks for your quick answer, I appreciate it very much. Could you explain to me why SCOM needs both agents? (I don't see information about it.) I understand why the gateway needs both usages (the Gateway is a client of the Management Server, and the Gateway authenticates SCOM agents). I don't want to deploy certificates with many usages or limit this deployment. For information, all flows are secured with IPSec policies between DC and members, and each server must have a certificate with AuthServer for secured WinRM connections and others...

Vadims Podāns

> Could you explain me why SCOM need the both agents ?

you should address this question to OpsMgr/ConfigMgr teams. I have no idea why they require server auth for agents.

ChristopheB

Thank you for your help. I think that Client Authentication is required for sending alerts to the Management server and the other usage, Server Authentication, is required when the Management Server pushes setup packages to clients.

Regards,

Christophe

