CERTIFICATES RETRIEVAL AND INSTALLATION FOR SCOM 2012 R2 (Agents - GW) Waleed Mostafa [email protected] http://waleedmostafa.wordpress.com

CERTIFICATES RETRIEVAL AND INSTALLATION · 1 Introduction This document covers step by step how to generate SCOM agents and GW certificates for untrusted domain GW and agents installations.

Jul 03, 2020


Waleed Mostafa Blog: http://waleedmostafa.wordpress.com

Table of contents

1 Introduction
2 Retrieve the Root CA certificate
3 Retrieve the dedicated certificate
4 Install the Root CA certificate
5 Install the dedicated certificate
6 Import the certificate into SCOM GW or Agents


1 Introduction

This document covers, step by step, how to generate SCOM agent and GW certificates for GW and agent installations in untrusted domains.

To allow agent communication we need to configure certificates. Two certificates are installed on a target server: the root certificate authority certificate, which is the same for all the agents, and a dedicated certificate for each agent, provided by the certificate authority. Once both certificates are configured on the target server, we have to run a tool to make SCOM use the certificate.


2 Retrieve the Root CA certificate

Log on to CA-Server name with an administrator account and connect to the URL http://CA-Server name/certsrv. Click on Download a CA certificate, certificate chain, or CRL.

Click on Download CA certificate.

Click on Save As.

Choose the certificate location and the name of the certificate, then click Save.


3 Retrieve the dedicated certificate.

Log on to your CA-Server with an administrator account and connect to the URL http://CA-Server-Name/certsrv. Click on Request a certificate.

Click on advanced certificate request.

Click on Create and submit a request to this CA.


In the Name field, enter the FQDN of the server you want to retrieve a certificate for, in our case SCOMAgentServerName.Domain.xxxx. If the target server is in a workgroup, enter its hostname.

In the Type of Certificate Needed drop-down list, select Other… and in the OID field enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

Check Mark keys as exportable and click on Submit.

This pop-up will appear; click on Yes.


Our request has been sent to the certificate authority with ID 84; we now need to issue the certificate.

On CA-Server, open the MMC, add Certificate Authority, then go to your CA Server, Pending Requests. Right-click on our certificate request (number 84 here) and select All Tasks, Issue.

Return to the home page in the web browser and click on View the status of a pending certificate request.

Click on the only link on the page.


Click on Install this certificate.

This pop-up will appear; click on Yes.

The certificate is now installed on CA-Server. We need to export it.

Open an MMC and add the Certificates snap-in for the Current User (launch MMC.exe, right-click on File and select Add/Remove Snap-in. Select the Certificates snap-in, click on Add, select My user account, click on Finish, then on OK). Go to the Personal folder, right-click on the certificate with the target server FQDN as its name, select All Tasks and Export…


Leave the welcome screen, then click Next.

Select Yes, export the private key, then click Next.

Uncheck Include all certificates in the certification path if possible, then click Next.


Enter a password of your choice; it will be reused to import this certificate on the target server.

We will export the certificate to Certlocation\servername.pfx

Validate, then Next.


Click on Finish to export the certificate.

This pop-up appears when the export is successful.

Copy the exported certificate from your CA-Server to the target server.


4 Install the Root CA certificate

Copy the Root-CA.cer certificate from the CA Server to the target server.

Click on Install Certificate.

Choose Local Machine, then click Next.


Specify the Trusted Root Certification Authorities store.

Validate the import and click Finish.

This pop-up appears when the import is successful.


5 Install the dedicated certificate

Copy the .pfx file to the target server, then double-click on it.

Leave the welcome screen.


Validate.

Enter the password you used to export the certificate to the .pfx file and select Mark key as exportable.

Click on Browse…


Validate the import.

This pop-up appears when the import is successful.

Once the certificate is imported, open an MMC and add the Certificates snap-in for the Local Computer (launch MMC.exe, right-click on File, select Add/Remove Snap-in. Select the Certificates snap-in, click on Add, select Computer account, click on Next, then on Finish and on OK). Ensure that the certificate is okay.
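The check that closes this section can also be scripted. The PowerShell below is an added example, not part of the original guide: it looks in the Local Computer Personal store for the certificate named after the target server and reports a missing private key, an expired validity period, a missing OID from section 3 (1.3.6.1.5.5.7.3.1 is Server Authentication, 1.3.6.1.5.5.7.3.2 is Client Authentication) or a chain that does not build to the installed root CA. `$ExpectedName` holds the guide's placeholder FQDN and the output property names are illustrative; skipping the revocation check is an assumption made for servers that cannot reach the CA.

```powershell
# Added example (not from the original guide): verify the dedicated certificate
# after it has been imported into the Local Computer Personal store.
# Assumption: replace the placeholder below with the name entered in section 3
# (FQDN, or hostname for a workgroup server).
$ExpectedName = 'SCOMAgentServerName.Domain.xxxx'

# OIDs entered in the OID field in section 3
$requiredEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'

$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $ExpectedName }

if (-not $candidates) {
    Write-Warning "No certificate named '$ExpectedName' in the Local Computer Personal store."
    return
}

foreach ($cert in $candidates) {
    $problems = @()

    # The import in section 6 needs the private key to be present.
    if (-not $cert.HasPrivateKey) { $problems += 'private key missing' }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }

    # Collect the Enhanced Key Usage OIDs carried by the certificate.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    foreach ($oid in $requiredEku) {
        if ($ekuOids -notcontains $oid) { $problems += "EKU $oid missing" }
    }

    # Build the chain in machine context; it fails if the root CA certificate
    # from section 4 is not in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: CRL not reachable from here
    if (-not $chain.Build($cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Problems   = ($problems -join '; ')   # empty string means every check passed
    }
}
```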


6 Import the certificate into SCOM GW or Agents

On the target server, go to the Operations Manager store for the Local Computer and delete the default certificate.

Click on Yes to validate the deletion.

In the Personal store for the Local Computer, right-click on the certificate and select Export…

Leave the welcome screen.


Select Yes, export the private key.

Leave the default parameters.

Enter a password of your choice; it will be reused to import this certificate into SCOM.


Enter C:\GW1.pfx.

Validate the parameters to launch the export.

Close the pop-up.


Copy the MOMCertImport.exe tool from the SupportTools\AMD64 folder of the SCOM 2012 R2 sources to the SCOM installation directory (C:\Program Files\System Center Operations Manager\Gateway).

Open a command prompt with elevated privileges, go to the SCOM installation directory and launch the following command: MOMCertImport.exe C:\gw1.pfx. Enter the password and validate.

Restart the Microsoft Monitoring Agent service.

Check in the Operations Manager event log that an event with ID 20053 has been logged.