In this posting I have put everything together for Windows Server 2012 R2, so it’s a ‘One-Stop-Shop’ without the need to go somewhere else. There is much to tell, so let’s start.
Step 1: Creating the template on the Enterprise CA server.
- Go to Start > type CMD <enter> type MMC <enter> File > Add/Remove Snap-in > select Certificate Templates and Certification Authority (local computer) > OK.
- Select Certificate Templates; in the console, right-click IPSec (Offline request) and select Duplicate Template. On the first tab, Compatibility, copy the settings shown.
- Tab General. Give this template a name which makes sense. Adjust the validity period so it adheres to the security policy of your company.
- Tab Request Handling. Set Purpose to Signature and encryption. Select the option Allow the private key to be exported.
- Tab Cryptography. Set Minimum key size to 1024 and select as Providers Microsoft Enhanced Cryptographic Provider 1.0 and Microsoft RSA SChannel Cryptographic Provider.
- Tab Extensions. Select Application Policies > Edit. Remove the Application policy which is present by default and replace it with these two other Application policies: Client Authentication and Server Authentication.
- Tab Security. Here you have to check the settings for Authenticated Users. They must have Read access.
- Now you need to add the computer account of the CA from which the web interface for the CA is also run, in this example the DC01 server. This computer account requires Read and Enroll permissions; otherwise this new template won’t show up in the web interface of the CA.
Add > Object Types > select Computers > OK > enter the name of the CA > Check Names > OK > select this computer account and set the proper permissions (Read and Enroll) > Apply > OK.
Step 2: Adding the template to the CA
Now the template created in Step 1 needs to be added to the CA. This is done from the same MMC.
- In the MMC, go to Certification Authority > expand this node > right-click Certificate Templates > New > Certificate Template To Issue.
- Select the certificate template you created in Step 1 > OK.
- Double click on the folder Certificate Templates. All the available templates will be shown, among them the SCOM Certificate template:
- Close the MMC.
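The same result from PowerShell, as an added example that is not part of the original post: it reads the duplicated template back from Active Directory so the Step 1 tabs can be checked for typos, then publishes it on the CA (the Step 2 action). It assumes it runs elevated on the Enterprise CA (Windows Server 2012 R2), that the display name chosen on the General tab is "SCOM Certificate", and that the ADCSAdministration module that ships with the CA role is present.

```powershell
# Added example, not part of the original post: verify the Step 1 template settings
# from Active Directory and publish the template on the CA (Step 2) from PowerShell.
# Assumptions: elevated PowerShell on the Enterprise CA, display name "SCOM Certificate",
# ADCSAdministration module installed with the CA role.
$TemplateName = 'SCOM Certificate'   # assumption: name chosen on the General tab

$ekuNames = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
               '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
$CT_FLAG_EXPORTABLE_KEY = 0x10       # msPKI-Private-Key-Flag bit for "Allow the private key to be exported"

# Templates are objects in the Configuration partition; a plain DirectorySearcher
# reads them without any extra module.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateName))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    'cn', 'msPKI-Certificate-Application-Policy', 'msPKI-Private-Key-Flag', 'msPKI-Minimal-Key-Size'))
$tpl = $searcher.FindOne()
if (-not $tpl) { throw "Template '$TemplateName' was not found in Active Directory." }

$internalName = [string]$tpl.Properties['cn'][0]        # the name Add-CATemplate expects
$policies     = @($tpl.Properties['mspki-certificate-application-policy'])
$keyFlags     = [int]$tpl.Properties['mspki-private-key-flag'][0]
$minKeySize   = [int]$tpl.Properties['mspki-minimal-key-size'][0]

# Report what the tabs in Step 1 actually produced.
'Template name (internal) : {0}' -f $internalName
'Application policies     : {0}' -f (($policies | ForEach-Object {
    if ($ekuNames.ContainsKey($_)) { $ekuNames[$_] } else { $_ } }) -join ', ')
'Private key exportable   : {0}' -f (($keyFlags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)
'Minimum key size         : {0}' -f $minKeySize
if (Compare-Object $policies ([string[]]$ekuNames.Keys)) {
    Write-Warning 'Application policies are not exactly Client Authentication and Server Authentication.'
}

# Step 2: publish the template on this CA (same as New > Certificate Template To Issue).
Import-Module ADCSAdministration
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $internalName })) {
    Add-CATemplate -Name $internalName -Force
}
Get-CATemplate | Where-Object { $_.Name -eq $internalName }
```

The internal template name printed first is what `certutil -CATemplates` lists, which is handy when the display name and the template name differ.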
So now we have a new SCOM certificate template which will also be available in the web interface of the CA. However, one step remains: without it the web interface might not work because of security restrictions set in IE.
Step 3: Modifying the security settings in IE on the CA server with the CA web interface
- Start IE with elevated permissions and surf to http://localhost/certsrv;
- Go to Internet Options > Security > Local Intranet > Sites > Advanced > Add this website to the zone http://localhost/certsrv > Add > Close > OK;
- Set the Security level for this zone to Low
Additional advice & tricks
With this certificate template, requesting a SCOM certificate has become much easier. Nonetheless, there are still some small things to keep in mind during and after the certificate request. Some of these items might seem obvious, but you never know.
- After having selected the proper certificate template, there are only TWO fields which require attention:
The Name field under the header Identifying Information For Offline Template:
And the Friendly Name field under the header Additional Options:
As a Best Practice, use the Full Computer Name of the server the certificate is meant for in BOTH fields. If you don’t, the certificate won’t match that system, resulting in a wrong certificate that won’t work.
How to find the Full Computer Name? On that system, right-click Computer > Properties > Advanced System Settings > tab Computer Name, where it is shown:
Never presume but ALWAYS check, especially for the DMZ systems. This prevents cert mishaps which can cost you a lot of time to solve.
- At the end of the request you can install the certificate on the same server where you ran the request from. This is okay, but don’t forget to export it. To do that, start an MMC instance, add the Certificates snap-in and select your user account. Export the certificate WITH the private key and you’ll be just fine. Follow the wizard all the way through.
- Never forget to import the root certificate of the CA which issues the certificate for that system. Otherwise the certificate won’t be trusted. How to obtain that root certificate? Easy:
Open the web interface of the CA > select Download a CA certificate, certificate chain, or CRL > select Download CA certificate chain > Save.
- On a non-trusted system this is the order of things:
  - Request the certificate based on the Full Computer Name;
  - Install it;
  - Export it with the private key;
  - Import the root certificate on that system;
  - Import the certificate for that system;
  - Check the presence and status of that certificate in the personal certificate store of the computer account;
  - When okay, install the Agent manually;
  - Create two rules in the Windows Firewall for TCP 5723, one inbound and one outbound;
  - Run the tool MOMCertImport.exe in order to connect the SCOM Agent with the certificate;
  - Approve the installed Agent on the Management Server (don’t forget to install certificates on that server as well).
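The steps on the non-trusted system from "Import the root certificate" through "Run MOMCertImport.exe" as one script, added here as an example and not part of the original post. It assumes elevated PowerShell on Windows Server 2012 R2 after the Agent has been installed manually, the CA chain saved from the web interface as C:\Certs\certnew.p7b, the exported certificate as C:\Certs\scom-agent.pfx, and MOMCertImport.exe copied from the SCOM media to C:\Tools (all assumed paths).

```powershell
# Added example, not part of the original post: root import, certificate import, the
# presence/status check, the two firewall rules and MOMCertImport on a DMZ system.
# Assumptions: elevated PowerShell, Windows Server 2012 R2, Agent already installed.
$ChainPath = 'C:\Certs\certnew.p7b'        # assumption: "Download CA certificate chain" result
$PfxPath   = 'C:\Certs\scom-agent.pfx'     # assumption: export WITH private key
$MomImport = 'C:\Tools\MOMCertImport.exe'  # assumption: copied from the SCOM media

# Full Computer Name exactly as System Properties shows it: host name + primary DNS suffix.
$tcp  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$fqdn = if ($tcp.Domain) { "$env:COMPUTERNAME.$($tcp.Domain)" } else { $env:COMPUTERNAME }

# Import the CA chain: self-signed certificates go to Trusted Root, any issuing CA to Intermediate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($ChainPath)
foreach ($ca in $chain) {
    $storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($ca); $store.Close()   # Add is a no-op if already present
}

# Import the certificate WITH its private key into the computer account's Personal store.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
            -Password (Read-Host -AsSecureString 'PFX password')

# Check presence and status: subject equals the Full Computer Name, private key is there,
# both Application policies from the template are present and the chain ends at the imported root.
$ekus = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages | ForEach-Object Value
$x509chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$x509chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; CRL reachability is not tested here
$checks = [ordered]@{
    'Subject is Full Computer Name' = ($cert.Subject -eq "CN=$fqdn")
    'Private key present'           = $cert.HasPrivateKey
    'Server Authentication EKU'     = ($ekus -contains '1.3.6.1.5.5.7.3.1')
    'Client Authentication EKU'     = ($ekus -contains '1.3.6.1.5.5.7.3.2')
    'Chain builds to trusted root'  = $x509chain.Build($cert)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
if (@($checks.Values) -contains $false) { throw 'Certificate check failed; fix this before running MOMCertImport.' }

# Two Windows Firewall rules for TCP 5723, one inbound and one outbound.
if (-not (Get-NetFirewallRule -DisplayName 'SCOM Agent TCP 5723 In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SCOM Agent TCP 5723 In' -Direction Inbound -Protocol TCP -LocalPort 5723 -Action Allow | Out-Null
}
if (-not (Get-NetFirewallRule -DisplayName 'SCOM Agent TCP 5723 Out' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'SCOM Agent TCP 5723 Out' -Direction Outbound -Protocol TCP -RemotePort 5723 -Action Allow | Out-Null
}
# Connect the Agent to the certificate; MOMCertImport prompts for the PFX password itself.
& $MomImport $PfxPath
```

A failed check stops the script before MOMCertImport, which is where a wrong Name or Friendly Name field from the request usually surfaces; the Agent still has to be approved on the Management Server afterwards.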