I would like to demonstrate a fairly neat script that simplifies certificate request generation for OpsMgr managed clients. Until now we have had to use methods that are quite complex for administrators who are not familiar with digital certificates, such as the CertReq.exe utility or the Certificates snap-in.
Both methods require additional steps to generate the request. For example, if you use the CertReq.exe utility you need to write a fairly complex certificate enrollment configuration (.inf) file. If you use the Certificates snap-in you have to specify all the necessary data manually (subject, private key settings, certificate extensions, and so on). This PowerShell script does all of that for you: copy and paste the script into a PowerShell console and run it.
This script works on Windows Vista, Windows 7, Windows Server 2008 (including R2) and later. Earlier versions of Windows (such as Windows XP and Windows Server 2003) are not supported.
```powershell
function New-OpsMgrRequest {
<#
.Synopsis
    Generates a certificate request for a System Center Operations Manager managed client.
.Description
    Generates a certificate request for a System Center Operations Manager managed client and
    writes a request file that can be submitted to either a Standalone or an Enterprise CA.
    To use the request with an Enterprise CA you must specify the CertificateTemplate argument.
.Parameter Path
    Specifies the path (including file name) where the certificate request file is saved.
    By default, the request is saved in the root of the C:\ drive.
.Parameter CertificateTemplate
    Specifies the certificate template Common Name. This parameter is mandatory when the
    request is submitted to an Enterprise Certification Authority.
.Example
    New-OpsMgrRequest
    If no arguments are given, the certificate request is saved in C:\ under the local computer
    name. This request can be submitted to a Standalone Certification Authority only.
.Example
    New-OpsMgrRequest -Path C:\Requests\OpsMgr.req -CertificateTemplate OpsMgrAgentV2
    Creates a certificate request for use with an Enterprise Certification Authority and saves
    it in C:\Requests\OpsMgr.req.
#>
[CmdletBinding()]
    param (
        [string]$Path = "C:\$env:computername.req",
        [string]$CertificateTemplate
    )
    # the CertEnroll COM interfaces exist on Windows Vista / Server 2008 (NT 6.0) and later only.
    # Compare the parsed version; comparing the first character of the version string to an
    # integer never matches.
    $OS = [version]((Get-WmiObject Win32_OperatingSystem).Version)
    if ($OS.Major -lt 6) {
        Write-Warning "Windows XP, Windows Server 2003 and Windows Server 2003 R2 are not supported!"
        return
    }
    # get the managed computer FQDN. GetCurrentDomain() throws on a workgroup computer,
    # in which case the NetBIOS name is used.
    try {
        $domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
        $fqdn = $env:COMPUTERNAME + "." + $domain
    } catch {
        $fqdn = $env:COMPUTERNAME
    }
    # create the certificate Subject field in X.500 Distinguished Name format
    # (0x0 = XCN_CERT_NAME_STR_NONE)
    $SubjectDN = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $SubjectDN.Encode("CN=$fqdn", 0x0)
    # create the Server Authentication and Client Authentication OIDs
    $OIDs = New-Object -ComObject X509Enrollment.CObjectIDs
    foreach ($OIDstring in "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2") {
        $OID = New-Object -ComObject X509Enrollment.CObjectID
        $OID.InitializeFromValue($OIDstring)
        $OIDs.Add($OID)
    }
    # put the OIDs into the Enhanced Key Usage certificate extension
    $EKU = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
    $EKU.InitializeEncode($OIDs)
    # generate the private key
    $PrivateKey = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $PrivateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    # 0x1 = AT_KEYEXCHANGE: the key is used for key exchange / key encipherment
    $PrivateKey.KeySpec = 0x1
    # allowed usages of the private key
    $PrivateKey.KeyUsage = 0xf0
    $PrivateKey.Length = 2048
    # 0x1 = store the key in the machine (computer account) context, not the user's profile
    $PrivateKey.MachineContext = 0x1
    $PrivateKey.Create()
    # create the PKCS#10 certificate request (0x2 = ContextMachine)
    $PKCS10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $PKCS10.InitializeFromPrivateKey(0x2, $PrivateKey, "")
    # add the necessary fields to the request
    $PKCS10.Subject = $SubjectDN
    $PKCS10.X509Extensions.Add($EKU)
    if ($CertificateTemplate -ne "") {
        # Enterprise CA only: name the certificate template the CA should apply
        $Template = New-Object -ComObject X509Enrollment.CX509ExtensionTemplateName
        $Template.InitializeEncode($CertificateTemplate)
        $PKCS10.X509Extensions.Add($Template)
    }
    # generate the request file
    $Request = New-Object -ComObject X509Enrollment.CX509Enrollment
    $Request.InitializeFromRequest($PKCS10)
    # the request is saved in Base64 with the request header and footer
    # (0x3 = XCN_CRYPT_STRING_BASE64REQUESTHEADER)
    $Base64 = $Request.CreateRequest(0x3)
    Set-Content $Path -Value $Base64
}
```
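A companion check, added here and not part of the original script, that decodes the saved .req file with the same CertEnroll COM interfaces and confirms the request carries what an OpsMgr agent certificate needs (a subject naming this computer, a 2048-bit key, and both the Server and Client Authentication EKUs) before it is submitted to a CA. The function name Test-OpsMgrRequest, its parameters and the use of .NET to decode the EKU extension are my own assumptions.

```powershell
function Test-OpsMgrRequest {
    param (
        [string]$Path = "C:\$env:computername.req",   # same default as New-OpsMgrRequest
        [string]$ExpectedCN = $env:COMPUTERNAME        # the Subject CN must start with this
    )
    # read the Base64 request with header and footer as New-OpsMgrRequest wrote it
    $Base64 = (Get-Content $Path) -join "`n"
    $PKCS10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    # 0x3 = XCN_CRYPT_STRING_BASE64REQUESTHEADER, the encoding used when the file was saved
    $PKCS10.InitializeDecode($Base64, 0x3)
    $problems = @()

    # 1. the Subject must name this machine (CN=<FQDN> or CN=<NetBIOS name>)
    $cn = (($PKCS10.Subject.Name -split ',')[0]) -replace '^CN=', ''
    if ($cn -notlike "$ExpectedCN*") {
        $problems += "Subject CN '$cn' does not belong to this computer ($ExpectedCN)"
    }
    # 2. key size: New-OpsMgrRequest asks for a 2048-bit key; anything smaller is a defect
    $bits = $PKCS10.PublicKey.Length
    if ($bits -lt 2048) { $problems += "Key length is only $bits bits" }
    # 3. the Enhanced Key Usage extension (OID 2.5.29.37) must list both authentication usages
    $ekuOids = @()
    foreach ($ext in $PKCS10.X509Extensions) {
        if ($ext.ObjectId.Value -ne "2.5.29.37") { continue }
        # RawData(1) returns the DER value as plain Base64 (XCN_CRYPT_STRING_BASE64);
        # hand it to .NET to decode the list of EKU OIDs
        $der = [Convert]::FromBase64String($ext.RawData(1))
        $asn = New-Object -TypeName System.Security.Cryptography.AsnEncodedData `
            -ArgumentList "2.5.29.37", $der
        $eku = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension `
            -ArgumentList $asn, $false
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    foreach ($required in "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2") {
        if ($ekuOids -notcontains $required) { $problems += "EKU OID $required is missing" }
    }
    if ($problems.Count -eq 0) { return $true }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}
# usage: if (Test-OpsMgrRequest) { "request is ready to submit" } else { "regenerate the request" }
```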
In the next post I'll show how to install the certificate and configure the OpsMgr agent to use it.