>need the cert installed and imported using the MOMCertImport?
You need the cert installed (and registered with MOMCertImport) on:
2. Management server(s) that this gateway will communicate with
3. Any agent that will communicate with your gateway without _kerberos_ trust (gateway and agent in one forest or in forests that have FULL forest trust).
In short: you need certs on BOTH sides of the communication channel if you can't use Kerberos for this communication.
Thanks for this great How To. The only question I have is around which servers, other than the Gateway, need the cert installed and imported using MOMCertImport. For example, I have one gateway server, one management server and one RMS. Do I need to install the cert and then use MOMCertImport on the Management server and the RMS?
If you use my guide, you don't need to create an exportable private key. Many (even official) guides assume that the certificate request is generated on a domain computer or on the CA server. In that case, to export it you must mark the private key as exportable. However, my guide requires the certificate request to be generated on the *target* machine. Therefore you don't need to move the private key anywhere and 'Exportable = True' is not necessary.
Your template for generating the certificate request is missing the Exportable = True setting. I spent hours trying to figure out what was going wrong. It came down to the request not stating that the public key would be exportable later on. Here is what you should have for a template file:
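The following is an added example (not the commenter's template and not the post's own files) showing the approach the author describes in the reply above: the request is generated on the target machine (gateway, management server, or non-Kerberos agent) itself, so the private key never leaves that host and Exportable = FALSE is sufficient. The FQDN, file paths and the MOMCertImport location are placeholders/assumptions.

```powershell
# Added example: generate a SCOM gateway/agent certificate request on the
# machine that will use it. Because the key is created here, it does not
# need to be exportable. $fqdn and all paths are placeholders.
$fqdn = "scomgw01.example.com"     # placeholder: this machine's FQDN
$inf  = "$env:TEMP\scom-cert.inf"
$req  = "$env:TEMP\scom-cert.req"

@"
[NewRequest]
; Key stays in this machine's store, so exportable is not required.
; TRUE is only needed when the key is generated elsewhere and moved.
Subject = "CN=$fqdn"
Exportable = FALSE
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE, required for TLS
KeySpec = 1
; 0xa0 = Digital Signature + Key Encipherment
KeyUsage = 0xa0
; LocalMachine store, which is where the Health Service looks
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $inf -Encoding ASCII

# 1) Build the request; the private key is created in LocalMachine\My on this host.
certreq.exe -new $inf $req

# 2) Submit $req to your CA (web enrollment or certreq -submit), copy the issued
#    .cer back to this machine, and bind it to the pending private key:
# certreq.exe -accept "$env:TEMP\scom-cert.cer"

# 3) Register the certificate with the Health Service. MOMCertImport ships in the
#    SupportTools folder of the SCOM media (path is an assumption), then restart
#    the service so it picks the certificate up:
# & "D:\SupportTools\AMD64\MOMCertImport.exe" /SubjectName $fqdn
# Restart-Service HealthService
```

Run the same steps on every host that must authenticate with certificates (the gateway, each management server it talks to, and every agent without Kerberos trust), since both sides of the channel need their own certificate.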
© 2008 - 2021 - Sysadmins LV. All rights reserved