Friday, February 4, 2011

Generate certificate request for SCOM

SCOM uses certificates for mutual authentication between the agent and the management server when the agent runs on a standalone (workgroup) machine or in a different Active Directory domain, where Kerberos authentication is not available.


1.  Get your Root CA certificate as a file and import it into the Trusted Root Certification Authorities store of the agent machine, if not already done.


2. Create a file named scom.inf:

Hint: If your agent machine is not in AD, configure the computer's full name including the domain name, e.g. server1.crypto-live.org, because the CN in the request must match the name the agent uses.


[NewRequest]
; Replace <hostname> with the computer's full name, e.g. server1.crypto-live.org
Subject="CN=<hostname>"
; The private key must be exportable so it can be moved with MOMCertImport if needed
Exportable=TRUE
KeyLength=1024
; KeySpec=1 selects an AT_KEYEXCHANGE key (signing and encryption)
KeySpec=1
; 0xf0 = Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
KeyUsage=0xf0
; Store the key in the machine store so the agent service can use it
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
; Server Authentication
OID=1.3.6.1.5.5.7.3.1
; Client Authentication
OID=1.3.6.1.5.5.7.3.2


Both OIDs are needed: the agent acts as a TLS server and as a TLS client, so the certificate must carry Server Authentication and Client Authentication.

3.  Create a new certificate request file hostname.csr from the INF file:




CertReq.exe -New -f scom.inf hostname.csr


4. If not already done, make a copy of the Web Server certificate template and call it "SCOM Machine". Ensure the key is marked exportable and that the extended key usage includes both Client Authentication and Server Authentication. Assign enroll permissions to your user accounts and publish the "SCOM Machine" template on the Certification Authority.

5.  Submit the request to your CA.

6.  Download the issued certificate to a file, e.g. NewCertificate.cer.

7.  Import the certificate into the machine certificate store; CertReq matches it with the pending request and its private key:

CertReq.exe -accept NewCertificate.cer

8. Run momcertimport.exe to tell the SCOM agent about the new certificate.
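To check that the issued certificate actually satisfies what the steps above rely on (private key in the machine store, both EKU OIDs, the key usages implied by KeyUsage=0xf0, and a chain that ends at the root imported in step 1) before running momcertimport.exe, here is an added PowerShell check that is not part of the original post. The function name Test-ScomAgentCertificate is my own, the script assumes the certificate sits in LocalMachine\My under the machine's full name, and the 2048-bit key-length check is a present-day caveat that the post itself (KeyLength=1024) does not make.

```powershell
# Added example, not from the original post. Assumes CertReq -accept placed the certificate in
# LocalMachine\My (MachineKeySet=TRUE); the function name Test-ScomAgentCertificate is my own.
function Test-ScomAgentCertificate {
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # EKU Server Authentication (first OID in scom.inf)
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # EKU Client Authentication (second OID in scom.inf)
    $pattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern }
    if (-not $certs) { Write-Warning "No certificate with CN=$Fqdn in LocalMachine\My"; return }

    foreach ($cert in $certs) {
        $problems = @()
        # The agent needs the private key; MachineKeySet=TRUE stored it in the machine store
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        # Both OIDs from [EnhancedKeyUsageExtension] must be present for mutual authentication
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @(); if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        foreach ($oid in $serverAuth, $clientAuth) {
            if ($ekus -notcontains $oid) { $problems += "missing EKU $oid" }
        }

        # KeyUsage=0xf0 in scom.inf includes DigitalSignature and KeyEncipherment; TLS needs both
        $kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $kus = if ($kuExt) { $kuExt.KeyUsages.ToString() -split ',\s*' } else { @() }
        foreach ($flag in 'DigitalSignature', 'KeyEncipherment') {
            if ($kus -notcontains $flag) { $problems += "KeyUsage lacks $flag" }
        }

        # Caveat not in the original post: KeyLength=1024 is below today's 2048-bit RSA minimum
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt 2048) { $problems += "RSA key size $($rsa.KeySize) is below 2048" }

        # The chain must end at the root CA imported in step 1 (Trusted Root Certification Authorities)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $problems += 'chain does not validate: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }

        $result = if ($problems) { 'FAIL: ' + ($problems -join '; ') } else { 'OK' }
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Result = $result }
    }
}

Test-ScomAgentCertificate
```

Run it in an elevated PowerShell on the agent machine; a FAIL line names every requirement the certificate misses, so you can fix the template or the INF file before the agent ever tries to connect.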


