Thursday, March 28, 2013

SCOM Certificate Enrollment Issue

2013-03-29 Update
Pete Zerger left a good comment on this posting: it's not required to lower the security for the entire zone in IE. Back in 2009(!) Pete already blogged about this issue and how to solve it. His posting can be found here. Thanks, Pete, for sharing. Comments like this make this blog even better. Awesome!

When the SCOM Certificate template is created as described in this posting of mine and you want to submit a certificate request on the CA website (http://localhost/certsrv), you might get two messages which block the request:

  1. In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication:
  2. Internet Explorer blocked an ActiveX control, so this page might not display correctly:

How do you solve this without using HTTPS authentication? This matters because some companies don't want the SSL hassle for a PKI which is only used on a small scale inside their IT environment and not for production with CRLs and the lot. For a production PKI it's highly recommended that you use SSL in order to keep your PKI secure and locked down.

Workaround
In order to submit a certificate request which runs successfully without enabling SSL, you simply follow these four steps:

  1. Start IE with elevated permissions and surf to http://localhost/certsrv;
  2. Go to Internet Options > Security > Local Intranet > Sites > Advanced > Add this website to the zone http://localhost/certsrv > Add > Close > OK;
  3. Set the Security level for this zone to Low;
  4. Click Apply > OK. Restart IE, again with ELEVATED permissions.

Now you can submit your certificate requests successfully after you answer Yes to each of the two dialogs that appear.
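Since the workaround leaves the whole Local Intranet zone at Low, it is worth checking its state once the certificates are issued. The following read-only audit is an added example, not part of the original post; it assumes the change was made per-user (HKCU) by the account that ran IE, and that the site mapping sits under the usual ZoneMap keys (Domains, or EscDomains when IE Enhanced Security Configuration is on).

```powershell
# Added example: audit the IE Local Intranet zone after the certsrv workaround.
# Read-only. Run it as the same account that changed the IE settings.
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone1 = Join-Path $base 'Zones\1'     # zone 1 = Local Intranet

function Get-LevelName([int]$Level) {
    # Security-template values IE stores in CurrentLevel
    switch ($Level) {
        0x10000 { 'Low' }
        0x10500 { 'Medium-low' }       # default for Local Intranet
        0x11000 { 'Medium' }
        0x11500 { 'Medium-high' }
        0x12000 { 'High' }
        default { 'Custom (0x{0:X})' -f $Level }
    }
}

# 1. Current security level of the Local Intranet zone
$cur = (Get-ItemProperty -Path $zone1 -Name CurrentLevel -ErrorAction SilentlyContinue).CurrentLevel
if ($null -eq $cur) {
    Write-Output 'Local Intranet zone: no per-user CurrentLevel value found.'
} else {
    Write-Output ('Local Intranet zone level: {0}' -f (Get-LevelName $cur))
    if ($cur -eq 0x10000) {
        Write-Warning 'Zone is still at Low; every intranet site runs with these settings.'
    }
}

# 2. Per-user site-to-zone mappings for localhost (the site added in step 2)
foreach ($sub in 'ZoneMap\Domains\localhost', 'ZoneMap\EscDomains\localhost') {
    $path = Join-Path $base $sub
    if (-not (Test-Path $path)) { continue }
    # Value name = URL scheme, value data = zone number (1 = Local Intranet)
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            Write-Output ('{0}: scheme {1} mapped to zone {2}' -f $sub, $_.Name, $_.Value)
        }
}
```

If the zone is reported as Low, the Default level button on the Security tab for Local intranet puts it back to its default.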

3 comments:

Pete Zerger said...

Actually Marnix, you do not need to lower security for the entire zone in IE. I blogged a solution back in 2009. See http://www.systemcentercentral.com/enable-certificate-web-enrollment-without-sslhttps-in-windows-2008/

Marnix Wolf said...

Hi Pete.

Thanks for your comment, awesome! Will update my posting accordingly.

Cheers,
Marnix

Pete Zerger said...

Cheers buddy. Keep up the good work...making the Dutch proud!