Thursday, April 15, 2010

Enterprise CA: How to create a SCOM Certificate template.

Bumped into this situation some time ago. A customer had an Enterprise CA in place, but no template for SCOM certificates was available.

So it was time for some additional work: creating a SCOM certificate template and adding that very same template to the CA. This posting will be about how to go about it.

Step 1: Creating the template on the CA server.

  1. Go to Start > type MMC <enter> > File > Add/Remove Snap-in > select Certificate Templates and Certification Authority (local computer) > OK.

  2. Select Certificate Templates; in the console, right-click IPSec (Offline request) and select Duplicate Template.
    Select Windows Server 2003 Enterprise (this way you know the template is backwards compatible) > OK.

  3. Type a name which describes the template, like SCOM Certificate.

  4. Go to the tab Request Handling.
    Set the key size to 1024. This is sufficient and takes less CPU time to process.
    Also tick the option Allow private key to be exported.

    Click on the button CSPs…
    Select Microsoft Enhanced Cryptographic Provider 1.0, do not remove the option Microsoft RSA SChannel Cryptographic Provider. (Also for compatibility reasons.)
    Click OK.
  5. Go to the tab Extensions.
    Select the option Application Policies and click Edit.
    Remove IP security IKE intermediate, click Add > select Client Authentication > OK > Add > select Server Authentication.
    Click OK.

  6. Go to the tab Security.
    Authenticated Users need to have Read access.
    Click Apply > OK.

    Beware!
    When running a CA based on Windows Server 2008 R2, additional security settings are needed. Go here and follow the items listed under Step 2: Changing the Security settings of the SCOM Certificate template.

  7. The template is now created.

Step 2: Adding the template to the CA.

Now the template created in Step 1 needs to be added to the CA. This is done from the same MMC.

  1. In the MMC, go to Certification Authority > expand this node > right-click Certificate Templates > New > Certificate Template To Issue.
    Select the new template (SCOM Certificate) and click OK.

  2. Double-click the folder Certificate Templates. All the available templates will be shown, among them the SCOM Certificate template.

  3. Close the MMC. Save it if needed.

Now the new certificate template will be shown and can be used for creating a SCOM certificate.
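As an added check (example code, not part of the original post), the following PowerShell reads the template back from the Active Directory configuration partition and verifies the settings from Step 1 (both authentication EKUs present, IKE intermediate removed, minimum key size, exportable private key, Enhanced CSP listed) and from Step 2 (template published on a CA). It assumes the ActiveDirectory module, read access to the configuration naming context, and that the template display name is "SCOM Certificate".

```powershell
# Added example: verify the SCOM certificate template in AD.
# Assumes the ActiveDirectory module and the display name used in Step 1.
Import-Module ActiveDirectory

$displayName = 'SCOM Certificate'
$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiBase     = "CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$displayName))" `
        -Properties displayName, pKIExtendedKeyUsage, 'msPKI-Minimal-Key-Size', `
                    'msPKI-Private-Key-Flag', pKIDefaultCSPs
if (-not $tpl) { throw "Template '$displayName' not found in AD" }

# Well-known EKU OIDs: Client Authentication, Server Authentication, IKE Intermediate
$clientAuth = '1.3.6.1.5.5.7.3.2'
$serverAuth = '1.3.6.1.5.5.7.3.1'
$ikeInter   = '1.3.6.1.5.5.8.2.2'
$eku = @($tpl.pKIExtendedKeyUsage)

$checks = [ordered]@{
  'Client Authentication EKU present' = $eku -contains $clientAuth
  'Server Authentication EKU present' = $eku -contains $serverAuth
  'IKE Intermediate EKU removed'      = -not ($eku -contains $ikeInter)
  'Minimum key size >= 1024'          = $tpl.'msPKI-Minimal-Key-Size' -ge 1024
  # CT_FLAG_EXPORTABLE_KEY = 0x10 in msPKI-Private-Key-Flag
  'Private key exportable'            = ($tpl.'msPKI-Private-Key-Flag' -band 0x10) -ne 0
  'Enhanced CSP listed'               = ($tpl.pKIDefaultCSPs -join ';') -match 'Enhanced Cryptographic Provider'
}

# Step 2: the template must be listed in certificateTemplates of an enrollment service (CA)
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties cn, certificateTemplates
$publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $tpl.Name } |
               Select-Object -ExpandProperty cn
$checks['Published on a CA'] = [bool]$publishedOn

$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key)
}
if ($publishedOn) { "Published on: $($publishedOn -join ', ')" }
```

Any FAIL line points at the tab in Step 1 (or the publish step in Step 2) that still needs attention.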

3 comments:

Ian C. said...

Thank you for the red update at #6 about Windows 2008 R2.

Marnix Wolf said...

Hi there.

You are welcome. Glad to be of any assistance.

Cheers,
Marnix

Bryan Heath said...

Here is a video I created, largely from your post and Pete Zerger's blog. I thought you might like me to share it with you. I have it blog rolling back to your site :)

http://youtu.be/O1yNic3RXm8