This article describes the process of obtaining and installing a digital certificate for an OpsMgr agent that is not a member of your AD forest or of a trusted forest. This article assumes that your managed computer is running one of the following operating systems:
The target audience is OpsMgr administrators who have limited or no understanding of what certificates are and how PKI works. The approach described below is not the only way to achieve this goal, but it implements many PKI best practices.
Note: all steps described in the Prerequisites section must be completed in both scenarios.
We assume you already have some version of Microsoft Windows Server Active Directory Certificate Services (AD CS) Certification Authority (CA) deployed in your environment and that your OpsMgr Management Servers already trust this CA. You could also use commercial certificates issued by a third-party CA, but in that case some of the steps described below will be slightly different.
First you need to export your CA hierarchy certificates.
Now you need to transfer the above file to each managed computer and import it as described below.
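One way to do the import step on the managed computer, as an added example that is not part of the original article: the script below reads an exported CA hierarchy file and places each certificate in the right local machine store. The file name C:\Temp\CAHierarchy.p7b is an assumption, as is the way the file was produced (certutil -ca.chain on the CA side); the distinction it enforces, self-signed root certificates into Trusted Root Certification Authorities and every other CA certificate into Intermediate Certification Authorities, is the point of the example.

```powershell
# Added example, not the article's own procedure: import an exported CA
# hierarchy file on the managed computer so that it trusts the issuing CA.
# The file name is an assumption; one way to produce such a file on the CA
# (or on any computer that can reach it) is:
#   certutil -ca.chain C:\Temp\CAHierarchy.p7b
# Run this in an elevated PowerShell session on the managed computer.

function Import-CAHierarchy {
    param([Parameter(Mandatory=$true)][string]$ChainFile)

    if (-not (Test-Path $ChainFile)) { throw "Chain file not found: $ChainFile" }

    # X509Certificate2Collection.Import reads PKCS#7 (.p7b), .cer and .sst files
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($ChainFile)
    if ($collection.Count -eq 0) { throw "No certificates found in $ChainFile" }

    foreach ($cert in $collection) {
        # Only a self-signed certificate (Subject equals Issuer) is a root and
        # belongs in Trusted Root Certification Authorities ("Root"). Intermediate
        # and issuing CAs go to Intermediate Certification Authorities ("CA") so
        # that an issuing CA never receives root-level trust by accident.
        if ($cert.Subject -eq $cert.Issuer) { $storeName = "Root" } else { $storeName = "CA" }

        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
        $store.Open("ReadWrite")
        $store.Add($cert)      # Add does not create a duplicate if the cert is already there
        $store.Close()

        New-Object PSObject -Property @{
            Store      = $storeName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

Import-CAHierarchy -ChainFile "C:\Temp\CAHierarchy.p7b" | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize
```

Before running it on a computer outside the forest, compare the thumbprints it prints with values obtained from the CA administrator through another channel: whatever lands in the Root store of that machine is trusted for everything, not only for OpsMgr.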
Scenario 1: the Certification Authority server is configured as a Standalone CA and runs one of the following operating systems: Windows Server 2003/2003 R2/2008/2008 R2 Standard, Enterprise or Datacenter edition.
[NewRequest]
Subject="CN=<FQDN of managed computer>"
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
Note: enter the FQDN of your managed computer in the second line, after the "=" sign. For non-domain computers, the FQDN equals the NetBIOS name. Example: Subject="CN=MyWorkGroupPC".
CertReq -New -f path\OpsMgrConfig.inf path\OpsMgr_%computername%.req
Note: enter valid paths for the INF and REQ files. The request file must not exist yet when you run the command; the command creates it.
Certreq -accept path\%computername%_cert.cer
Note: enter a valid path for the certificate file.
If no errors are displayed in the CMD window, proceed to the next step.
MOMCertImport /SubjectName %computername%
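After MOMCertImport has run, a practitioner wants to confirm that the certificate the agent will actually use satisfies everything the request above asked for. The check below is an added example, not part of the original article. It reads the serial number that MOMCertImport records (the ChannelCertificateSerialNumber value under HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings, stored byte-reversed), finds that certificate in the local machine store and tests subject, private key, key length, key usage, both EKUs, validity and chain. The expected subject defaults to %computername%, matching the /SubjectName argument used above.

```powershell
# Added example, not part of the article: verify the certificate MOMCertImport
# registered for the OpsMgr agent against the requirements of the request.
# The registry location is the one MOMCertImport writes to; adjust if your
# OpsMgr version differs.

function Test-OpsMgrAgentCertificate {
    param([string]$ExpectedSubject = $env:COMPUTERNAME)

    $regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"
    $raw = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber -ErrorAction Stop).ChannelCertificateSerialNumber

    # MOMCertImport stores the serial number with its bytes reversed; reverse it
    # back so it matches the hex string the certificate store exposes
    $bytes = [byte[]]$raw
    [array]::Reverse($bytes)
    $serial = ($bytes | ForEach-Object { $_.ToString("X2") }) -join ""

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if (-not $cert) { throw "Registered serial $serial not found in LocalMachine\My; MOMCertImport may not have run on this certificate" }

    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }   # Enhanced Key Usage
    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.15" }   # Key Usage
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $kuValue = 0
    if ($ku) { $kuValue = [int]$ku.KeyUsages }
    $now = Get-Date

    $checks = @(
        @{ Check = "Subject is CN=$ExpectedSubject";               Pass = ($cert.Subject -eq "CN=$ExpectedSubject") },
        @{ Check = "Private key present (certreq -accept done)";   Pass = $cert.HasPrivateKey },
        @{ Check = "RSA key length 2048";                          Pass = ($cert.PublicKey.Key.KeySize -eq 2048) },
        @{ Check = "EKU Server Authentication 1.3.6.1.5.5.7.3.1";  Pass = ($ekuOids -contains "1.3.6.1.5.5.7.3.1") },
        @{ Check = "EKU Client Authentication 1.3.6.1.5.5.7.3.2";  Pass = ($ekuOids -contains "1.3.6.1.5.5.7.3.2") },
        @{ Check = "Key usage includes Digital Signature";         Pass = (($kuValue -band [int]$kuFlags::DigitalSignature) -ne 0) },
        @{ Check = "Key usage includes Key Encipherment";          Pass = (($kuValue -band [int]$kuFlags::KeyEncipherment) -ne 0) },
        @{ Check = "Within validity period";                       Pass = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now) },
        # Verify() builds the chain and checks revocation, so it also proves the
        # CA certificates imported in the prerequisites are in place
        @{ Check = "Chain builds to a trusted root";               Pass = $cert.Verify() }
    )
    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

Test-OpsMgrAgentCertificate | Format-Table Check, Pass -AutoSize
```

The last check deserves attention on a non-domain computer: Verify() performs revocation checking, so it fails when the CRL distribution point of your CA is not reachable from that network segment. That is the same condition under which the OpsMgr channel itself will have trouble, which makes it worth finding here rather than in the agent's event log.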
Scenario 2: the Certification Authority server is configured as an Enterprise CA and runs one of the following operating systems: Windows Server 2003/2003 R2/2008/2008 R2.
Note: Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008 Standard Edition don’t support version 2 templates.
[NewRequest]
Subject="CN=<FQDN of managed computer>"
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[RequestAttributes]
CertificateTemplate="OpsMgrAgentV2"
Note: enter the FQDN of your managed computer in the second line, after the "=" sign. For non-domain computers, the FQDN equals the NetBIOS name. Example: Subject="CN=MyWorkGroupPC".
Note: in the CertificateTemplate field you must enter the certificate template's common name rather than its display name.
CertReq -New -f path\OpsMgrConfig.inf path\OpsMgr_%computername%.req
Note: enter valid paths for the INF and REQ files. The request file must not exist when you run the command.
Locate the created OpsMgr_%computername%.req file and transfer it to a computer from which you have access to your Certification Authority.
Certreq -accept path\%computername%_cert.cer
Note: enter a valid path for the certificate file.
If no errors are displayed in the CMD window, proceed to the next step.
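The two scenarios differ only in the INF file: a standalone CA needs the EKUs stated in the request, an enterprise CA takes them from the template. The script below, an added example that is not the article's own code, builds the INF for either scenario on the target computer and runs the same certreq steps the article gives; the work folder C:\OpsMgrCert, the -EnterpriseCA switch and the split into two functions (before and after the CA issues the certificate) are assumptions, and the template common name OpsMgrAgentV2 is the one used in this article.

```powershell
# Added example, not from the original article: generate the request INF for
# either scenario on the *target* computer, run certreq -new, and once the
# issued .cer is back run certreq -accept and MOMCertImport.

function New-OpsMgrAgentRequest {
    param(
        [string]$Subject      = $env:COMPUTERNAME,   # FQDN; equals the NetBIOS name off-domain
        [string]$WorkDir      = "C:\OpsMgrCert",     # assumed location for INF and REQ files
        [switch]$EnterpriseCA,                        # scenario 2 when set, scenario 1 otherwise
        [string]$TemplateName = "OpsMgrAgentV2"       # template *common* name, not display name
    )
    if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
    $inf = Join-Path $WorkDir "OpsMgrConfig.inf"
    $req = Join-Path $WorkDir ("OpsMgr_{0}.req" -f $env:COMPUTERNAME)

    $lines = @(
        "[NewRequest]",
        "Subject=`"CN=$Subject`"",
        "KeyLength=2048",
        "KeySpec=1",            # AT_KEYEXCHANGE: key usable for signing and encryption
        "KeyUsage=0xf0",        # DigitalSignature|NonRepudiation|KeyEncipherment|DataEncipherment
        "MachineKeySet=TRUE"    # private key lives in the computer's store, not the user's
    )
    if ($EnterpriseCA) {
        # Scenario 2: the CA applies the template. On a non-domain computer certreq
        # cannot look the template up and asks "Template not found. Do you wish to
        # continue anyway?"; confirm it, the request is still valid.
        $lines += "[RequestAttributes]"
        $lines += "CertificateTemplate=`"$TemplateName`""
    } else {
        # Scenario 1: a standalone CA has no template, so the EKUs go in the request
        $lines += "[EnhancedKeyUsageExtension]"
        $lines += "OID=1.3.6.1.5.5.7.3.1"   # Server Authentication
        $lines += "OID=1.3.6.1.5.5.7.3.2"   # Client Authentication
    }
    Set-Content -Path $inf -Value $lines -Encoding ASCII

    if (Test-Path $req) { Remove-Item $req }   # the request file must not exist beforehand
    & certreq.exe -New -f $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $req     # transfer this file to where you can reach the CA
}

function Complete-OpsMgrAgentCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$IssuedCert,      # the .cer returned by the CA
        [string]$MomCertImport = "MOMCertImport.exe"          # assumed to be on the PATH
    )
    # certreq -accept binds the issued certificate to the pending private key
    & certreq.exe -accept $IssuedCert
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    # register it with the OpsMgr agent by subject name, as the article does
    & $MomCertImport /SubjectName $env:COMPUTERNAME
    if ($LASTEXITCODE -ne 0) { throw "MOMCertImport failed with exit code $LASTEXITCODE" }
}

# Step 1, on the target computer (use -EnterpriseCA for scenario 2):
#   New-OpsMgrAgentRequest -EnterpriseCA
# Step 2, after copying the issued certificate back to the target computer:
#   Complete-OpsMgrAgentCertificate -IssuedCert "C:\OpsMgrCert\$($env:COMPUTERNAME)_cert.cer"
```

Because the key pair is generated on the target computer and never leaves it, the request does not need Exportable=TRUE; that matches the author's reply in the comments below and keeps the private key non-exportable, which is the state you want on a machine outside the forest.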
Your template for generating the certificate request is missing the Exportable = True setting. I spent hours trying to figure out what was going wrong. It came down to the request not stating that the public key would be exportable later on. Here is what you should have for a template file:
[NewRequest]
Subject="CN=
If you use my guide, you don't need to create an exportable private key. Many (even official) guides assume that the certificate request is generated on a domain computer or on the CA server. In that case, to export it you must mark the private key as exportable. However, my guide requires generating the certificate request on the *target* machine. Therefore you don't need to move the private key anywhere, and 'Exportable = True' is not necessary.
Hello, thanks for this great How To. The only question I have is which servers, other than the Gateway, need the cert installed and imported using MOMCertImport? For example, I have one gateway server, one management server and one RMS. Do I need to install the cert and then use MOMCertImport on the Management server and the RMS? Thanks, Tom
Hello,
> need the cert installed and imported using the MOMCertImport?
You need the cert installed (and registered with MOMCertImport) on:
1. Gateway
2. Management server(s) that this gateway will communicate with
3. Any agent that will communicate with your gateway without _kerberos_ trust (gateway and agent in one forest or in forests that have FULL forest trust).
In short: you need certs on BOTH sides of the communication channel if you can't use kerberos for this communication. Alexey Zhuravlev
Your solution guide is simply great. Helped me a lot. Thanks, Tezel
Hello, I was able to install the cert on the management server, but I'm not able to install it on the Gateway server. Before I start giving the specific error message, I wanted to make sure I'm doing it correctly. All of our servers are Windows 2008 R2. My Certificate server and management server are in the same domain... say, Production.com. The gateway server is in the DMZ (dmz.com), which does not have a trust set up with Production.com. So my first question: Creating the request file for the gateway server, do I need to run the CertReq -New.... from the gateway server and then transfer this back to the certificate server in the Production.com domain? Thanks, Tom
Sorry.... wanted to include in my above question that we are configured as an Enterprise CA. Thanks, Tom
> Creating the request file for the gateway server, do I need to run the CertReq -New.... from the gateway server and then transfer this back to the certificate server in the Production.com domain? Yes, you're correct.
Hi, I need to request a certificate for a computer which is not a domain member. The certificate is needed for L2TP VPN. When I run certreq -new based on the inf file, I got an error that the template is not found (Template not found. Do you wish to continue anyway?). Where should I run "certreq -new req.inf req.req"? On the issuing CA or on the non-domain computer? I've used "Prepare certificate request template" and "Create a request file to use with an Enterprise CA" from SCENARIO 2. I have a two-tier PKI (offline Root CA and Enterprise issuing subordinate CA). Tnx
If you need to create a request on a non-domain machine and that request will be submitted to an Enterprise CA, you need to confirm the error message and proceed. This is expected behavior.
This is a really great article; however, I am getting a similar error message (template not found) for a domain member computer. I followed the steps and created the duplicate template for my OpsManager. Could you please advise how to fix the issue?
Good one Vadims Podāns
Hi,
I have a question about application policies for the SCOM Agent certificate template. Does it really need both policies for the agent, Client Authentication and Server Authentication, for SCOM clients (except the gateway)? Can we use only one role, or two certificates with each role?
Regards,
Christophe
@ChristopheB,
You cannot use two certificates, because there is no selector functionality. An agent can register only one certificate with itself. At the time of writing the article, it was necessary to have both the Client and Server Authentication EKUs. I haven't tested other configurations with newer versions.
@Vadims,
Thanks for your quick answer, I appreciate it very much. Could you explain to me why SCOM needs both agents? (I don't see information about it.) I understand why the gateway needs both usages (the Gateway is a client of the Management Server, and the Gateway is authenticated by SCOM agents). I don't want to deploy certificates with many usages or limit this deployment. For information, all flows are secured with IPSec policies between DCs and members, and each server must have a certificate with AuthServer for secured WinRM connections and others...
> Could you explain to me why SCOM needs both agents?
You should address this question to the OpsMgr/ConfigMgr teams. I have no idea why they require server auth for agents.
Thank you for your help. I think that Client Authentication is required for sending alerts to the Management server, and the other usage, Server Authentication, is required when the Management Server pushes setup packages to clients.
Regards,
Christophe