When you install the Microsoft System Center Operations Manager (SCOM) agent on untrusted computers, it is not enough to add the CA certificate to the SCOM management server, the gateway servers (which handle communication between management servers and untrusted computers) and the untrusted computers themselves; you also need to create a certificate template for them so that you can install a client certificate on the managed server and on the untrusted computer. This video shows how to do so.
Step 1: Create a Certificate Template
1. Log on to the server which acts as the Issuing Enterprise Certification Authority; in our case it is the SCOM server.
2. Type mmc in the Search bar and click the mmc icon to open it.
3. In the Console1 window, click File, and then Add/Remove Snap-in.
4. Highlight Certificate Templates, and then click Add.
5. In Certificate Templates, locate the template named Computer.
6. Right-click Computer and select Duplicate Template.
7. In the Properties of New Template window, click the General tab and type a template name.
8. Click the Subject Name tab and select Supply in the request.
9. On the Security tab, assign Read and Enroll permissions to the Certification Authority managers or Certification Authority administrators.
10. Click OK to save the changes to the template and close the Certificate Templates window.
Step 2: Enable the new template on the Issuing Enterprise CA
1. Log on to the server which acts as the Issuing Enterprise CA.
2. Go to Server Manager > Tools and select Certification Authority.
3. Expand your Certification Authority name and right-click Certificate Templates > New > Certificate Template to Issue.
4. In the Enable Certificate Templates window, locate the custom template you just created (CA02 in our example) and click OK.
Step 3: Create a certificate request from the template
1. Log on to the server which acts as the Issuing Enterprise CA.
2. Type notepad in the Search bar and open it.
3. Paste the following text into Notepad, replacing the subject with the managed server name and the template name with yours:
[NewRequest]
Subject="CN=scomsvr.mydomain.com"
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[RequestAttributes]
CertificateTemplate="CA02"
4. Save the file with an .inf file name extension, for example CA02.inf. Make sure the quotation marks are plain ASCII quotes; curly quotes pasted from a web page make certreq reject the file.
5. Run Command Prompt as administrator by typing cmd in the Search bar.
6. In the Command Prompt window run the following command:
CertReq -New -f path\savedconfig.inf path\OpsMgr_%computername%.req
7. Close the Command Prompt window.
8. You should see the created OpsMgr_%computername%.req file in the folder where you saved the .inf file.
Step 4: Submit the request file to the Enterprise Certification Authority
1. Log on to the server which acts as the Issuing Enterprise CA.
2. Go to Server Manager > Tools and select Certification Authority.
3. In the Certification Authority window, right-click the Certification Authority name, click All Tasks and then Submit new request.
4. In the Open Request File dialog, locate the CA02.req file created previously and click Open.
5. The Save Certificate dialog will appear. Save the certificate to a file, for example CA02.cer.
Step 5: Install the issued certificate on the managed computer
1. Log on to the server which acts as the Issuing Enterprise CA.
2. Run Command Prompt as administrator by typing cmd in the Search bar.
3. In the Command Prompt window run the following command:
Certreq -accept path\%computername%_cert.cer
In our example:
Certreq -accept c:\temp\CA02.cer
4. Copy MOMCertImport.exe from the SCOM SupportTool\i386 folder to the location of CA02.cer, the Temp folder in our example.
5. Then run this command:
MOMCertImport /SubjectName %computername%
6. To confirm that it was imported successfully, open Regedit and go to HKLM > Software > Microsoft > Microsoft Operations Manager > 3.0 > Machine Settings. The ChannelCertificateSerialNumber value is the serial number of the certificate shown under Personal > Certificates in the MMC Certificates console, with its byte pairs in reverse order.
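The same check as step 6, done from PowerShell instead of by eye, as an added example that is not part of the original post. It assumes the certificate subject starts with the computer name (as with /SubjectName %computername% above) and that the registry path quoted in step 6 is present; it also verifies the two Enhanced Key Usages SCOM requires, which a duplicate of the Computer template supplies.

```powershell
# Added example: confirm the certificate MOMCertImport registered for SCOM.
# Assumptions: subject CN starts with the machine name; registry path as in step 6.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

# 1. Find the newest certificate for this machine in the LocalMachine Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$env:COMPUTERNAME* in LocalMachine\My" }

# 2. certreq -accept must have bound the private key to the issued certificate.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# 3. SCOM needs Server Authentication (…7.3.1) and Client Authentication (…7.3.2).
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $oid) { throw "Certificate lacks required EKU $oid" }
}

# 4. ChannelCertificateSerialNumber is REG_BINARY: the serial number with its
#    byte pairs reversed relative to what MMC displays.
$regBytes = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber).ChannelCertificateSerialNumber
$regHex   = ($regBytes | ForEach-Object { $_.ToString('X2') }) -join ''

# Rebuild the reversed form from the MMC-style serial number string.
$pairs = [regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value }
[array]::Reverse($pairs)
$expectedHex = ($pairs -join '').ToUpper()

if ($regHex -ne $expectedHex) {
    throw "Registry serial $regHex does not match certificate serial $($cert.SerialNumber) (reversed: $expectedHex)"
}
"OK: SCOM channel certificate $($cert.Thumbprint) matches the registry; expires $($cert.NotAfter)"
```

Run it in an elevated PowerShell window on the managed computer after MOMCertImport; a thrown error names the check that failed.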
Please view this step-by-step video: