SCOM 2012 R2 (Agents – GW) Certificates retrieval and installation

In order to allow agent communication we need to configure certificates. Two certificates will be installed on the target server: the root certificate authority certificate, which is the same for all agents, and a dedicated certificate for each agent, provided by the certificate authority. Once both certificates are configured on the target server we will run a tool to make SCOM use the certificate.

1. Retrieve the Root CA certificate

Log on to CA-Server-Name with an administrator account and connect to the URL http://CA-Server-Name/certsrv. Click on Download a CA certificate, certificate chain, or CRL.

Click on Download CA certificate.

Click on Save As.

Choose the certificate location and the name of the certificate, then click Save.

2. Retrieve the dedicated certificate.

Log on to your CA-Server with an administrator account and connect to the URL http://CA-Server-Name/certsrv. Click on Request a certificate.


Click on advanced certificate request.


Click on Create and submit a request to this CA.


In the Name field, enter the FQDN of the server you want to retrieve a certificate for, in our case SCOMAgentServerName.Domain.xxxx.
If the target server is in a workgroup, enter its hostname instead.

In the Type of Certificate Needed drop-down list select Other… and in the OID field enter

1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2


Check Mark keys as exportable and click on Submit.

This pop-up will appear, click on Yes.

Our request has been sent to the certificate authority with ID 84; we now need to issue the certificate.

On CA-Server, open the MMC, add the Certification Authority snap-in, expand your CA server and select Pending Requests. Right-click on our certificate request (number 84 here) and select All Tasks, Issue.

Return to the certsrv home page in the browser and click on View the status of a pending certificate request.

Click on the only link on the page.

Click on Install this certificate.

This pop-up will appear, click on Yes.

The certificate is now installed on CA-Server. We need to export it.

Open a MMC and add the Certificates snap-in for the Current User (Launch MMC.exe, right click on File and select Add/Remove Snap-in. Select the Certificates snap-in, click on Add, select My user account, click on Finish then on OK). Go to the Personal folder, right-click on the certificate with the target server FQDN as its name, select All Tasks and Export…

Click Next on the welcome screen.

Select Yes, export the private key then click Next.

Uncheck Include all certificates in the certification path if possible, then click Next.

Enter a password of your choice; it will be needed again to import this certificate on the target server.

We will export the certificate to Certlocation\servername.pfx.

Validate, then click Next.

Click on Finish to export the certificate.

This pop-up appears when the export is successful.

Copy the exported certificate from your CA-Server to the target server.
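The two OIDs entered in the request are the Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) enhanced key usages; SCOM needs both because agent, gateway and management server authenticate each other mutually. The following PowerShell is an added example, not code from the original post: run on the CA server as the user who enrolled, it finds the issued certificate in the Current User Personal store, checks the subject, both EKUs and the presence of the private key, and then performs the same export the MMC wizard does (private key included, certification path excluded). The FQDN, the export path and the function name are placeholders and assumptions; the cmdlets require the PKI module (Windows Server 2012 or later).

```powershell
# Added example (not from the original post): check the issued agent certificate
# against the SCOM requirements, then export it to a PFX like the MMC wizard above.
# Placeholders: adjust $AgentFqdn and $ExportPath to your environment.

$AgentFqdn  = 'SCOMAgentServerName.Domain.xxxx'           # Name entered in the request
$ExportPath = 'C:\Certlocation\SCOMAgentServerName.pfx'   # constructed path, replace it

# EKU OIDs entered in the request: Server Authentication and Client Authentication
$RequiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')

function Test-ScomAgentCertificate {
    # Hypothetical helper name; returns a list of problems (empty when the cert is usable)
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # The subject CN must be the FQDN (or the hostname for a workgroup machine)
    if ($Cert.Subject -notmatch "^CN=$([regex]::Escape($AgentFqdn))(,|$)") {
        $problems += "Subject '$($Cert.Subject)' does not match CN=$AgentFqdn"
    }

    # Both EKUs must be present in the Enhanced Key Usage extension
    $ekuExt  = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $RequiredEku) {
        if ($present -notcontains $oid) { $problems += "Missing EKU $oid" }
    }

    # Without a private key the PFX export (and later MOMCertImport) cannot work
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key associated with the certificate' }

    return $problems
}

# Pick the newest certificate issued for the FQDN from the Current User Personal store
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$AgentFqdn*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $AgentFqdn in the Current User Personal store" }

$issues = Test-ScomAgentCertificate -Cert $cert
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Certificate does not meet the SCOM requirements; request a new one'
}

# Export with the private key and without the certification path (end-entity only).
# This needs the key to have been marked exportable when the request was submitted.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $ExportPath -Password $pfxPassword `
    -ChainOption EndEntityCertOnly | Out-Null
Write-Host "Exported certificate $($cert.Thumbprint) to $ExportPath"
```

If the export fails with a key-not-exportable error, the request was submitted without Mark keys as exportable checked; the only fix is to request a new certificate.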

3. Install the Root CA certificate

Retrieve the Root-CA.cer certificate from the CA Server to the target server.

Click on Install Certificate.

Choose Local Machine, then click Next.

Specify the Trusted Root Certification Authorities store.

Validate the import and click Finish.

This pop-up appears when the import is successful.

4. Install the dedicated certificate

Copy the .pfx file to the target server, then double-click on it.

Click Next on the welcome screen.


Validate.

Enter the password you used to export the certificate to the .pfx file and select Mark key as exportable.

Click on Browse…

Validate the import.

This pop-up appears when the import is successful.

Once the certificate is imported, open an MMC and add the Certificates snap-in for the Local Computer (Launch MMC.exe, right-click on File, select Add/Remove Snap-in. Select the Certificates snap-in, click on Add, select Computer account, click on Next, then on Finish and on OK). Ensure that the certificate is present in the Personal store and is okay.

5. Import the certificate into SCOM GW or Agents

On the target server go to the Operations Manager store for the Local Computer and delete the default certificate.

Click on Yes to validate the deletion.

In the Personal store for the Local Computer, right click on the certificate and select Export…

Click Next on the welcome screen.

Select Yes, export the private key.

Leave the default parameters.

Enter a password of your choice; it will be needed again to import this certificate into SCOM.

Enter C:\GW1.pfx.

Validate the parameters to launch the export.

Close the pop-up.

Copy the MOMCertImport.exe tool from the SupportTools\AMD64 folder of the SCOM 2012 R2 sources to the SCOM installation directory (C:\Program Files\System Center Operations Manager\Gateway).

Open a command prompt with elevated privileges, go to the SCOM installation directory and run the following command: MOMCertImport.exe C:\GW1.pfx. Enter the password and validate.


Restart the Microsoft Monitoring Agent service.

Check in the Operations Manager event log that an event with ID 20053 has been logged.
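Steps 3 to 5 on the target server can be scripted and checked as a whole. The following PowerShell is an added example, not code from the original post: run elevated on the target server, it imports the root CA certificate into Trusted Root Certification Authorities and the PFX into the Local Machine Personal store, verifies that the dedicated certificate actually chains to the root just installed, runs MOMCertImport.exe as described above (it prompts for the PFX password), restarts the Microsoft Monitoring Agent service and waits for event 20053. The file paths are placeholders, the Gateway directory is the one named in the post (use the agent installation directory on a plain agent), and the service name HealthService and the assumption that MOMCertImport returns a nonzero exit code on failure are mine, not the post's.

```powershell
# Added example (not from the original post): install both certificates on the target
# server, register the dedicated one with SCOM and confirm event 20053. Run elevated.
# Placeholders: $RootCerPath, $AgentPfxPath and $ScomDir; adjust them to your environment.

$RootCerPath  = 'C:\Certs\Root-CA.cer'   # root CA certificate retrieved in step 1 (constructed path)
$AgentPfxPath = 'C:\GW1.pfx'             # PFX exported in step 5
$ScomDir      = 'C:\Program Files\System Center Operations Manager\Gateway'
$pfxPassword  = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 3: root CA into Trusted Root Certification Authorities (Local Machine)
$root = Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root
Write-Host "Root CA installed: $($root.Subject)"

# Step 4: dedicated certificate into Personal (Local Machine), key marked exportable
$agentCert = Import-PfxCertificate -FilePath $AgentPfxPath -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword -Exportable
if (-not $agentCert.HasPrivateKey) { throw 'Imported certificate has no private key' }

# The dedicated certificate must chain to the root just imported; revocation is not
# checked here so an unreachable CRL does not mask a real chain problem
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($agentCert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Agent certificate does not chain to a trusted root: $status"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    Write-Warning "Certificate chains to '$($chainRoot.Subject)', not to the root CA just imported"
}

# Step 5: register the certificate with SCOM. MOMCertImport prompts for the PFX password.
$importTool = Join-Path $ScomDir 'MOMCertImport.exe'
if (-not (Test-Path $importTool)) {
    throw "MOMCertImport.exe not found in $ScomDir; copy it from SupportTools\AMD64 first"
}
$proc = Start-Process -FilePath $importTool -ArgumentList "`"$AgentPfxPath`"" `
    -WorkingDirectory $ScomDir -NoNewWindow -Wait -PassThru
# Assumption: a nonzero exit code means the import failed
if ($proc.ExitCode -ne 0) { throw "MOMCertImport.exe returned exit code $($proc.ExitCode)" }

# Restart the Microsoft Monitoring Agent service (service name HealthService)
$sinceRestart = Get-Date
Restart-Service -Name HealthService -Force

# Wait up to 60 seconds for event 20053 in the Operations Manager log
$event = $null
foreach ($attempt in 1..12) {
    $event = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20053; StartTime = $sinceRestart } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($event) { break }
    Start-Sleep -Seconds 5
}
if ($event) {
    Write-Host "Event 20053 logged at $($event.TimeCreated); the agent is using the certificate"
} else {
    Write-Warning 'Event 20053 not logged within 60 seconds; check the Operations Manager log for certificate errors'
}
```

The chain check catches the most common failure seen with this procedure: a root certificate imported into the Current User store instead of Local Machine, or into Personal instead of Trusted Root Certification Authorities. In both cases the PFX imports fine but the agent rejects the certificate after the service restart, and only the event log reveals why.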
