Wednesday, February 12, 2014

Windows Server 2012 R2: How To Create A SCOM Certificate Template

Even though I’ve blogged about this already for Windows Server 2008 R2, that posting needs some updates for Windows Server 2012 R2. It also refers to other postings of mine in order to address certain issues.

In this posting I have put everything together for Windows Server 2012 R2, so it’s a ‘One-Stop-Shop’ with no need to go anywhere else. There is much to tell, so let’s start.

Step 1: Creating the template on the Enterprise CA server.

  1. Go to Start, type CMD <enter>, then type MMC <enter>. In the MMC go to File > Add/Remove Snap-in, select Certificate Templates and Certification Authority (Local computer) > OK.
  2. Select Certificate Templates, and in the console right-click IPSec (Offline request) and select Duplicate Template. On the first tab, Compatibility, set the Certification Authority and Certificate recipient levels. Raising them unlocks newer template options, so set them no higher than the oldest CA and the oldest system that will use this template.
  3. Tab General. Give this template a name which makes sense. Adjust the validity period so it adheres to the security policy of your company.
  4. Tab Request Handling. Set Purpose to Signature and encryption. Select the option Allow the private key to be exported. This is needed because the certificate is requested on the web interface of the CA and then moved, together with its private key, to the system it is meant for.
  5. Tab Cryptography. Set Minimum key size to at least 2048 (1024-bit RSA keys are no longer considered adequate) and select as Providers Microsoft Enhanced Cryptographic Provider 1.0 and Microsoft RSA SChannel Cryptographic Provider. These are legacy CSPs on purpose: SCOM 2012 R2 expects the private key in a CSP rather than in a CNG key storage provider, so don’t pick the KSP variants.
  6. Tab Extensions. Select Application Policies > Edit.

    Remove the application policy which is present by default (IP security IKE intermediate, inherited from the IPSec template) and replace it with these two application policies: Client Authentication and Server Authentication. SCOM uses one certificate for both sides of the agent/management server channel, so both are required.
  7. Tab Security. Check the permissions for Authenticated Users; they must have Read access.
  8. Now you need to add the computer account of the server hosting the web interface of the CA, in this example DC01 (which is also the CA). This computer account requires Read and Enroll permissions; otherwise this new template won’t show up in the web interface of the CA.

    Add > Object Types > select Computers > OK > enter the name of that server > Check Names > OK > select this computer account and set the proper permissions (Read and Enroll) > Apply > OK.

Step 2: Adding the template to the CA
Now the template created in Step 1 needs to be added to the CA. This is done from the same MMC.

  1. In the MMC, go to Certification Authority > expand this node > right-click Certificate Templates > New > Certificate Template to Issue.
  2. Select the certificate template you created in Step 1 > OK.
  3. Double-click the folder Certificate Templates. All the available templates will be shown, among them the SCOM certificate template.
  4. Close the MMC.
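To double-check Steps 1 and 2 without clicking through all the tabs again, here is an added PowerShell example (not part of the original posting) that reads the template object from Active Directory and reports anything that deviates from the settings above. It assumes the RSAT ActiveDirectory module (present on a domain controller such as DC01), a template Name of SCOMCertificate (the Name, not the display name) and DC01 as the web enrollment server; both names are placeholders to adjust.

```powershell
Import-Module ActiveDirectory

function Test-ScomCertificateTemplate {
    param(
        [string]$TemplateName  = 'SCOMCertificate',   # assumed: the template Name, not its display name
        [string]$WebEnrollHost = 'DC01'               # assumed: server hosting the certsrv pages
    )
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $pkiBase    = "CN=Public Key Services,CN=Services,$configNC"
    $templateDN = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"
    $tpl = Get-ADObject -Identity $templateDN -Properties 'msPKI-Certificate-Application-Policy',
                'pKIDefaultCSPs', 'msPKI-Minimal-Key-Size', 'msPKI-Private-Key-Flag'
    $findings = New-Object System.Collections.Generic.List[string]

    # Tab Extensions: Client Authentication and Server Authentication present, and the
    # IPSec template's default IP security IKE intermediate policy removed.
    $policies = @($tpl.'msPKI-Certificate-Application-Policy')
    foreach ($need in '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1') {
        if ($policies -notcontains $need) { $findings.Add("application policy $need missing") }
    }
    if ($policies -contains '1.3.6.1.5.5.8.2.2') { $findings.Add('IP security IKE intermediate still present') }

    # Tab Cryptography: key size, and the legacy CSPs SCOM expects (entries look like "1,Provider Name").
    if ($tpl.'msPKI-Minimal-Key-Size' -lt 2048) {
        $findings.Add("minimum key size is $($tpl.'msPKI-Minimal-Key-Size'), expected 2048 or more")
    }
    $csps = @($tpl.pKIDefaultCSPs | ForEach-Object { ($_ -split ',', 2)[1] })
    if ($csps -notcontains 'Microsoft RSA SChannel Cryptographic Provider') {
        $findings.Add('Microsoft RSA SChannel Cryptographic Provider not among the providers')
    }

    # Tab Request Handling: CT_FLAG_EXPORTABLE_KEY (0x10) in msPKI-Private-Key-Flag.
    if (-not ($tpl.'msPKI-Private-Key-Flag' -band 0x10)) { $findings.Add('private key not exportable') }

    # Tab Security: Authenticated Users (S-1-5-11) need Read; the web enrollment server's computer
    # account needs the Certificate-Enrollment extended right (0e10c968-78fb-11d2-90d4-00c04f79dc55).
    $acl    = Get-Acl -Path "AD:\$templateDN"
    $webSid = (Get-ADComputer -Identity $WebEnrollHost).SID.Value
    $toSid  = { param($ace) try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { '' } }
    $hasRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (& $toSid $_) -eq 'S-1-5-11' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
    }
    if (-not $hasRead) { $findings.Add('Authenticated Users do not have Read') }
    $hasEnroll = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (& $toSid $_) -eq $webSid -and
        $_.ObjectType -eq [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    }
    if (-not $hasEnroll) { $findings.Add("$WebEnrollHost has no Enroll; the template will not appear in certsrv") }

    # Step 2: the template must be listed on a CA's pKIEnrollmentService object before it can be issued.
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
                        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates
    $publishedOn = @($cas | Where-Object { $_.certificateTemplates -contains $TemplateName } | ForEach-Object { $_.Name })
    if ($publishedOn.Count -eq 0) { $findings.Add('not published on any CA (Step 2)') }

    [pscustomobject]@{ Template = $TemplateName; PublishedOn = $publishedOn; Findings = $findings.ToArray() }
}

Test-ScomCertificateTemplate | Format-List
```

An empty Findings list means the template matches the steps above and is published; each finding names the tab or step to revisit. The Enroll check is the one that explains the most common complaint (the template not showing in the web interface), because certsrv filters its template list on the permissions of the computer account running the enrollment pages.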

So now we have a new SCOM certificate template, which is available in the web interface of the CA as well. However, one step remains, because otherwise the web interface might not work due to the security restrictions set in IE.

Step 3: Modifying the security settings in IE on the server with the CA web interface

  1. Start IE with elevated permissions and browse to http://localhost/certsrv;
  2. Go to Internet Options > Security > Local intranet > Sites > Advanced > add this website to the zone: http://localhost/certsrv > Add > Close > OK;
  3. Set the Security level for this zone to Low. The web enrollment pages use an ActiveX control to generate the key pair and install the certificate, which the default level blocks. Low applies to every site in the Local intranet zone, so do this only on this server and consider raising the level again when you are done.

Now you can submit your certificate requests without any issues, after you answer the two IE warnings (that the website is attempting to perform a digital certificate operation on your behalf) with Yes every time they pop up.


Additional advice & tricks
When requesting a SCOM certificate, life has become much easier with this certificate template. Nonetheless, there are still some small things to reckon with, during and after the certificate request. Some of these items might seem like stating the obvious, but you never know.

  1. After having selected the proper certificate template, there are only TWO fields which require attention:
    the Name field under the header Identifying Information For Offline Template, and
    the Friendly Name field under the header Additional Options.

    As a best practice, use for BOTH fields the Full Computer Name (the FQDN) of the server this certificate is meant for. The Name field becomes the Subject (CN) of the certificate, and SCOM checks that it matches the FQDN of the system presenting it; when it doesn’t, the certificate won’t match that system and won’t work.

    How to find the Full Computer Name? On that system right-click Computer > Properties; the Full computer name is shown there, and also under Advanced system settings > tab Computer Name.
    Never presume but ALWAYS check, especially for DMZ systems, which are not domain-joined and may have a manually set DNS suffix. This prevents certificate mishaps which can cost you a lot of time to solve.

  2. At the end of the request you can install the certificate on the same server you ran the request from. This is okay, but don’t forget to export it. To do that, start an MMC instance, add the Certificates snap-in for My user account, and export the certificate WITH the private key, following the wizard all the way through. The resulting PFX file contains the private key of the target system: protect it with a strong password, and delete it (and the copy in your user store) once it has been imported on that system.

  3. Never forget to import the certificate chain of the CA that issues the certificate on that system: the root CA certificate into Trusted Root Certification Authorities of the computer account, and any intermediate CA certificates into Intermediate Certification Authorities. Otherwise the certificate won’t be trusted. How to obtain that chain? Easy:
    Open the web interface of the CA > select Download a CA certificate, certificate chain, or CRL > select Download CA certificate chain > Save.

  4. On a non-trusted system this is the order of things:
    1. Request a certificate based on the Full Computer Name;
    2. Install it;
    3. Export it with the private key;
    4. Import the CA chain on that system;
    5. Import the certificate for that system into the personal store of the computer account;
    6. Check the presence and status of that certificate in the personal certificate store of the computer account (it must show a private key and a valid chain);
    7. When okay, install the Agent manually;
    8. Create two rules on the Windows Firewall, both for TCP 5723, one inbound and one outbound;
    9. Run the tool MOMCertImport.exe to connect the SCOM Agent with the certificate;
    10. Approve the installed Agent on the Management Server (don’t forget that the Management Server needs its own certificate from this template, with its own FQDN, imported the same way).
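The same flow from the command line, as an added example that is not part of the original posting: it replaces the web interface with certreq, which is the route to take for a DMZ system that cannot open the CA’s web pages. Because the key pair is generated on the target system itself, the install and export steps (2 and 3 in the list above) fall away; the remaining items map onto the functions below. The template name SCOMCertificate, the CA config string DC01.contoso.local\Contoso-CA and the location of MOMCertImport.exe (copied from the SupportTools folder of the SCOM installation media) are assumptions to adjust. If the target cannot reach the CA, run Submit-ScomCertRequest on a domain-joined machine as a user with Enroll permission on the template, copying the .req file there and the .cer file back.

```powershell
$TemplateName  = 'SCOMCertificate'                 # assumed: template Name, not display name
$CAConfig      = 'DC01.contoso.local\Contoso-CA'   # assumed: "<CA host>\<CA name>"; certutil -config - -ping shows it
$MomCertImport = 'C:\Temp\MOMCertImport.exe'       # assumed: copied from SupportTools\AMD64 on the SCOM media
$WorkDir       = 'C:\Temp\scomcert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Item 1: the Full Computer Name is the host name plus the primary DNS suffix, as shown in System Properties.
function Get-FullComputerName {
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }
}

# On the target system: generate the key pair in the machine store and a CSR carrying the same settings
# as the template. The key never leaves this system, so Exportable can stay FALSE.
function New-ScomCertRequest {
    param([string]$Fqdn, [string]$InfPath, [string]$ReqPath)
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
FriendlyName = "$Fqdn"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path $InfPath -Encoding ASCII
    certreq -new -f $InfPath $ReqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
}

# On a machine that can reach the CA, as a user with Enroll on the template: submit the CSR.
function Submit-ScomCertRequest {
    param([string]$ReqPath, [string]$CerPath)
    $out = certreq -submit -f -config $CAConfig $ReqPath $CerPath 2>&1
    if (-not (Test-Path $CerPath)) {
        # A request the CA leaves pending must be issued in the CA console, then fetched with
        #   certreq -retrieve -f -config $CAConfig <RequestId> $CerPath
        throw "no certificate returned; certreq said: $($out -join "`n")"
    }
}

# Items 5 and 6, back on the target system: bind the certificate to its key and verify what SCOM will check.
function Complete-ScomCert {
    param([string]$Fqdn, [string]$CerPath)
    certreq -accept -machine $CerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert)               { throw "no certificate with Subject CN=$Fqdn in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'certificate has no private key: accepted on the wrong machine?' }
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($need in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($oids -notcontains $need) { throw "EKU $need missing; check the template's application policies" }
    }
    if (-not $cert.Verify()) { throw 'chain does not validate; import the CA chain (item 3) into LocalMachine\Root first' }
    $cert
}

# Items 8 and 9: firewall rules for TCP 5723 in both directions, then hand the certificate to the agent.
# The agent (item 7) must already be installed, because MOMCertImport writes to its registry settings.
function Enable-ScomAgentCert {
    param([string]$Fqdn)
    $rules = @{ 'SCOM Agent TCP 5723 In'  = @{ Direction = 'Inbound';  LocalPort  = 5723 }
                'SCOM Agent TCP 5723 Out' = @{ Direction = 'Outbound'; RemotePort = 5723 } }
    foreach ($name in $rules.Keys) {
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            $p = $rules[$name]
            New-NetFirewallRule -DisplayName $name -Protocol TCP -Action Allow @p | Out-Null
        }
    }
    & $MomCertImport /SubjectName $Fqdn
    if ($LASTEXITCODE -ne 0) { throw "MOMCertImport failed with exit code $LASTEXITCODE" }
}

$fqdn = Get-FullComputerName
$inf = Join-Path $WorkDir "$fqdn.inf"; $req = Join-Path $WorkDir "$fqdn.req"; $cer = Join-Path $WorkDir "$fqdn.cer"
New-ScomCertRequest    -Fqdn $fqdn -InfPath $inf -ReqPath $req
Submit-ScomCertRequest -ReqPath $req -CerPath $cer
Complete-ScomCert      -Fqdn $fqdn -CerPath $cer | Format-List Subject, FriendlyName, NotAfter, Thumbprint
Enable-ScomAgentCert   -Fqdn $fqdn
```

Set Exportable to TRUE in the INF only if the key really has to move to another machine; keeping it FALSE means there is never a PFX with this system’s private key lying around. The checks in Complete-ScomCert are exactly the ones that bite later (wrong subject, missing private key, missing EKU, untrusted chain), so a failure here is cheaper than a silent agent that never shows up on the Management Server.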


Mayank Dhama said...

I got an error 404 Not Found when viewing https://localhost/certsrv.

I did the same as given in this blog. Please suggest what to do?

Mayank Dhama said...

I got an error when visiting http://localhost/certsrv: "Error 404 Not Found".

I have followed the same as mentioned in the blog.

Please help me in resolving the issue.

Marnix Wolf said...

Hi Er. Mayank Dhama.

Sounds like the web interface of the CA is hosted on another server. Please contact your colleagues in order to find out what server that is.


Unknown said...

Do you know how I could have a CSR file (generated using CertReq) signed by the CA in an automatic (non-interactive, no web browser, ...) way? Does the web interface of the CA have some Web Service interface or API, maybe a command line? Any help is welcome.

Thanks in advance,

Donald D'souza said...

Hi Marnix

I followed the steps, but while requesting the certificate it is not showing the template I created.