I would like to demonstrate a quite pretty script that simplifies certificate request generation for OpsMgr managed clients. Recently we had have to use various complex (for administrators that are not familiar with digital certificates) methods, such:

Both methods require some additional steps to generate request. For example, if you use CertReq.exe utility you need to write enough complex certificate enrollment configuration file. If you use Certificates snap-in you will need to manually specify all necesary data (such subject, private key settings, certificate extensions, etc). This PowerShell script will do all stuff, so you will have to copy and paste script to PowerShell console and run it.

this script will work on Windows Vista, Windows 7, Windows Server 2008 (including R2) and higher. Previous versions of Windows (such Windows XP and Windows Server 2003) are not supportd.

function New-OpsMgrRequest {
    Generates certificate request for System Center Operations Manager managed client
    Generates certificate request for System Center Operations Manager managed client
    and request file that can be submited to either Standalone or Enterprise CA.
    To use request with Enterprise CA you must specify CertificateTemplate argument.
.Parameter Path
    Specifies a path to save certificate request file (including file name).
    By default, request is saved in C:\ drive root.
.Parameter CertificateTemplate
    Specifies certificate template Common Name. This is mandatory paramter in
    conjuction with Enterprise Certification Authority.
    If no arguments are asserted, certificate request will be saved in C:\ with
    local computer name. This request can be submitted to Standalone Certification
    Authority only.
    New-OpsMgrRequest -Path C:\Requests\OpsMgr.req -CertificateTemplate OpsMgrAgentV2
    This command will create certificate request to use with Enterprise Certification
    Authority and save certificate request in C:\Requests\OpsMgr.req.
    param (
        [string]$Path = "C:\$env:computername.req",
    $OS = (Get-WmiObject Win32_OperatingSystem).Version
    if ($OS[0] -lt 6) {
        Write-Warning "Windows XP, Windows Server 2003 and Windows Server 2003 R2 are not supported!"

    trap {continue}
    # get managed computer FQDN. If this workgroup computer, NetBIOS name is used
    $domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
    if ($domain -eq $null) {
        $fqdn = $Env:COMPUTERNAME
    } else {
        $fqdn = $env:COMPUTERNAME + "." + $domain
    # create certificate Subject field in X500 Distinguished Name format.
    $SubjectDN = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $SubjectDN.Encode("CN=$fqdn", 0x0)
    # create and add Client and Server Authentication OIDs
    $OIDs = New-Object -ComObject X509Enrollment.CObjectIDs
    foreach ($OIDstring in "","") {
        $OID = New-Object -ComObject X509Enrollment.CObjectID
    # add created OIDs to EnchancedKeyUsages certificate extension.
    $EKU = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
    # generate private key
    $PrivateKey = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $PrivateKey.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    # the private key will be used by computer account
    $PrivateKey.KeySpec = 0x1
    # the private key is supposed for Key Encipherment
    $PrivateKey.KeyUsage = 0xf0
    $PrivateKey.Length = 2048
    $PrivateKey.MachineContext = 0x1

    # create certificate request template
    $PKCS10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    # add necessary fields to certificate request template
    $PKCS10.Subject = $SubjectDN
    if ($CertificateTemplate -ne "") {
        $Template = New-Object -ComObject X509Enrollment.CX509ExtensionTemplateName
    # generate request file
    $Request = New-Object -ComObject X509Enrollment.CX509Enrollment
    # certificate request will be saved in Base64 format with request header
    # and footer
    $Base64 = $Request.CreateRequest(0x3)
    Set-Content $path -Value $Base64

In the next post I'll show how to install certificate and configure OpsMgr Agent to use it.

Share this article:


Post your comment:

Please, solve this little equation and enter result below. Captcha