CERTIFICATES RETRIEVAL AND INSTALLATION FOR SCOM 2012 R2 (Agents - GW)
Waleed Mostafa
http://waleedmostafa.wordpress.com
Waleed Mostafa Blog: http://waleedmostafa.wordpress.com
Table of contents
1 Introduction
2 Retrieve the Root CA certificate
3 Retrieve the dedicated certificate
4 Install the Root CA certificate
5 Install the dedicated certificate
6 Import the certificate into SCOM GW or Agents
1 Introduction
This document covers, step by step, how to generate SCOM agent and gateway (GW) certificates for gateway and agent installations in untrusted domains.
To allow agent communication we need to configure certificates. Two certificates will be installed on each target server: the root certificate authority certificate, which is the same for all the agents, and a dedicated certificate for each agent, issued by the certificate authority. Once both certificates are configured on the target server we have to run a tool to make SCOM use the certificate.
2 Retrieve the Root CA certificate
Log on to the CA server with an administrator account and connect to the URL http://CA-Server-Name/certsrv. Click on Download a CA certificate, certificate chain, or CRL.
Click on Download CA certificate.
Click on Save As.
Choose the certificate location and the name of the certificate, then click Save.
3 Retrieve the dedicated certificate
Log on to your CA server with an administrator account and connect to the URL http://CA-Server-Name/certsrv. Click on Request a certificate.
Click on advanced certificate request.
Click on Create and submit a request to this CA.
In the Name field, enter the FQDN of the server you want to retrieve a certificate for, in our case SCOMAgentServerName.Domain.xxxx. If the target server is in a workgroup, enter its hostname instead.
In the Type of Certificate Needed drop-down list select Other… and in the OID field enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
Check Mark keys as exportable and click on Submit.
This pop-up will appear; click on Yes.
Our request has been sent to the certificate authority with ID 84; we now need to issue the certificate.
On the CA server, open the MMC, add the Certification Authority snap-in, expand your CA server and go to Pending Requests. Right-click on our certificate request (number 84 here) and select All Tasks, Issue.
Return to the web browser home page and click on View the status of a pending certificate request.
Click on the only link on the page.
Click on Install this certificate.
This pop-up will appear; click on Yes.
The certificate is now installed on the CA server. We need to export it.
Open an MMC and add the Certificates snap-in for the current user (launch MMC.exe, right-click on File and select Add/Remove Snap-in, select the Certificates snap-in, click on Add, select My user account, click on Finish, then on OK). Go to the Personal folder, right-click on the certificate with the target server FQDN as its name, select All Tasks and Export…
Leave the welcome screen, then click Next.
Select Yes, export the private key, then click Next.
Uncheck Include all certificates in the certification path if possible, then click Next.
Enter a password of your choice; it will be reused to import this certificate on the target server.
We will export the certificate to Certlocation\servername.pfx
Validate, then click Next.
Click on Finish to export the certificate.
This pop-up appears when the export is successful.
Copy the exported certificate from your CA server to the target server.
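The same two certificates (sections 2 and 3) can be obtained from the command line instead of the /certsrv web pages. The following is an added example and not part of the original guide: it uses certutil and certreq, the CA's own command-line tools, from an elevated prompt on the CA server. The CA config string in $CaConfig, the FQDN in $TargetFqdn and the C:\CertLocation folder are placeholders to replace with your own values; the request file asks for exactly what the web form in section 3 asks for (the two EKU OIDs 1.3.6.1.5.5.7.3.1 = Server Authentication and 1.3.6.1.5.5.7.3.2 = Client Authentication, subject = FQDN, exportable key).

```powershell
# Added example (not from the original guide): request the agent/gateway certificate
# with certutil/certreq instead of the /certsrv web pages. $CaConfig, $TargetFqdn and
# $WorkDir are placeholders (assumptions), replace them with your own values.
$CaConfig   = 'CA-Server-Name\CA-Common-Name'     # "<host>\<CA name>", as shown by: certutil -dump
$TargetFqdn = 'SCOMAgentServerName.Domain.xxxx'   # FQDN of the agent/gateway (hostname if in a workgroup)
$WorkDir    = 'C:\CertLocation'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Root CA certificate (section 2): same result as "Download CA certificate".
certutil -config $CaConfig -ca.cert "$WorkDir\Root-CA.cer"

# 2. Request file with the properties the web form asks for in section 3:
#    EKU 1.3.6.1.5.5.7.3.1 (Server Authentication) and 1.3.6.1.5.5.7.3.2 (Client Authentication),
#    exportable key, key in the machine store, KeySpec 1 (AT_KEYEXCHANGE) and
#    KeyUsage 0xA0 (Digital Signature + Key Encipherment), which SCOM requires.
$inf = @"
[NewRequest]
Subject = "CN=$TargetFqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@
$inf | Set-Content -Path "$WorkDir\$TargetFqdn.inf" -Encoding ASCII

# 3. Create and submit the request. certreq prints "RequestId: <n>" (84 in the guide).
certreq -new    "$WorkDir\$TargetFqdn.inf" "$WorkDir\$TargetFqdn.req"
certreq -submit -config $CaConfig "$WorkDir\$TargetFqdn.req" "$WorkDir\$TargetFqdn.cer"
# If the CA holds the request as pending, issue it (the command-line form of All Tasks, Issue)
# and retrieve it before accepting:
#   certutil -config $CaConfig -resubmit <n>
#   certreq  -retrieve -config $CaConfig <n> "$WorkDir\$TargetFqdn.cer"
certreq -accept "$WorkDir\$TargetFqdn.cer"

# 4. Export to PFX with the private key and without the chain, as the MMC wizard does in section 3.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$TargetFqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath "$WorkDir\$TargetFqdn.pfx" `
                      -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null
```

If the target server can reach the CA, running the same commands there instead of on the CA server keeps the private key on the machine that will use it and removes the need to export and copy a .pfx file at all; the guide does it on the CA server because the target sits in an untrusted domain or workgroup.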
4 Install the Root CA certificate
Retrieve the Root-CA.cer certificate from the CA server to the target server.
Click on Install Certificate.
Choose Local Machine, then click Next.
Specify the Trusted Root Certification Authorities store.
Validate the import and click Finish.
This pop-up appears when the import is successful.
5 Install the dedicated certificate
Copy the .pfx file to the target server, then double-click on it.
Leave the welcome screen.
Validate.
Enter the password you used to export the certificate to the .pfx file and select Mark key as exportable.
Click on Browse…
Validate the import.
This pop-up appears when the import is successful.
Once the certificate is imported, open an MMC and add the Certificates snap-in for the Local Computer (launch MMC.exe, right-click on File, select Add/Remove Snap-in, select the Certificates snap-in, click on Add, select Computer account, click on Next, then on Finish and on OK). Ensure that the certificate is okay.
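Sections 4 and 5 as an added PowerShell example, not the guide's own procedure: it performs both imports with the PKI module cmdlets (Windows Server 2012 or later) from an elevated PowerShell on the target server, then runs the checks that the "ensure that the certificate is okay" step is looking for (private key present, subject matches the server name, both EKUs, validity period, chain to the root installed in step 4). The two file paths follow the guide's naming and are assumptions.

```powershell
# Added example (not from the original guide): sections 4 and 5 with the PKI module cmdlets,
# run from an elevated PowerShell on the target server. Both paths are placeholders.
$RootCer  = 'C:\CertLocation\Root-CA.cer'
$AgentPfx = 'C:\CertLocation\servername.pfx'
$pfxPassword = Read-Host -Prompt 'Password used when the .pfx was exported' -AsSecureString

# Section 4: root CA certificate into Trusted Root Certification Authorities (Local Machine).
Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Section 5: dedicated certificate and private key into Personal (Local Machine).
# -Exportable matches "Mark key as exportable": section 6 exports it again for MOMCertImport.
$cert = Import-PfxCertificate -FilePath $AgentPfx -CertStoreLocation Cert:\LocalMachine\My `
                              -Password $pfxPassword -Exportable

# "Ensure that the certificate is okay": the properties SCOM requires of this certificate.
$ekuExt = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
# Subject must be the FQDN, or the plain hostname for a workgroup member (section 3).
$expectedSubjects = @("CN=$([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)", "CN=$env:COMPUTERNAME")
$now = Get-Date
$checks = [ordered]@{
    'Private key present'         = $cert.HasPrivateKey
    'Subject matches this server' = $expectedSubjects -contains $cert.Subject
    'Server Authentication EKU'   = $ekus -contains '1.3.6.1.5.5.7.3.1'
    'Client Authentication EKU'   = $ekus -contains '1.3.6.1.5.5.7.3.2'
    'Valid now'                   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    'Chains to a trusted root'    = $cert.Verify()   # builds the chain, revocation checking included
}
$checks.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) {
    throw 'The certificate does not meet the SCOM requirements; fix the failed checks before running MOMCertImport.'
}
```

The chain check fails when the CRL of the issuing CA cannot be fetched from the target server; certutil -verify -urlfetch on the .cer file shows which URL could not be reached, and that has to be fixed (or the CRL made reachable) before the health service will accept the certificate.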
6 Import the certificate into SCOM GW or Agents
On the target server, go to the Operations Manager store for the Local Computer and delete the default certificate.
Click on Yes to validate the deletion.
In the Personal store for the Local Computer, right-click on the certificate and select Export…
Leave the welcome screen.
Select Yes, export the private key.
Leave the default parameters.
Enter a password of your choice; it will be reused to import this certificate into SCOM.
Enter C:\GW1.pfx.
Validate the parameters to launch the export.
Close the pop-up.
Copy the MOMCertImport.exe tool from the SupportTools\AMD64 folder of the SCOM 2012 R2 sources to the SCOM installation directory (C:\Program Files\System Center Operations Manager\Gateway).
Open a command prompt with elevated privileges, go to the SCOM installation directory and launch the following command: MOMCertImport.exe C:\gw1.pfx. Enter the password and validate.
Restart the Microsoft Monitoring Agent service.
Check in the Operations Manager event log that an event with ID 20053 has been logged.
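Section 6 as an added PowerShell example, not part of the original guide. It runs MOMCertImport.exe with the argument the guide gives, verifies that the certificate MOMCertImport recorded in the registry is the one sitting in the Local Computer Personal store, restarts the service (service name HealthService) and checks the Operations Manager log for event 20053. $ScomDir and $Pfx follow the guide's paths; adjust $ScomDir for an agent rather than a gateway installation.

```powershell
# Added example (not from the original guide): section 6 from an elevated PowerShell
# on the gateway. $ScomDir and $Pfx follow the guide's paths (adjust $ScomDir for an
# agent installation). MOMCertImport.exe prompts for the PFX password itself.
$ScomDir = 'C:\Program Files\System Center Operations Manager\Gateway'
$Pfx     = 'C:\GW1.pfx'

# 1. Hand the certificate to the health service (same command as in the guide).
& "$ScomDir\MOMCertImport.exe" $Pfx
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport.exe returned exit code $LASTEXITCODE" }

# 2. MOMCertImport stores the serial number of the selected certificate, in reversed
#    byte order, under Machine Settings. Reverse it back and find that certificate
#    in the Local Computer Personal store.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
[byte[]]$serialBytes = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber).ChannelCertificateSerialNumber
[array]::Reverse($serialBytes)
$boundSerial = -join ($serialBytes | ForEach-Object { $_.ToString('X2') })
$bound = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $boundSerial }
if (-not $bound) { throw "No certificate with serial $boundSerial in Cert:\LocalMachine\My" }
"Bound certificate: $($bound.Subject) (serial $boundSerial, expires $($bound.NotAfter))"

# 3. Restart the Microsoft Monitoring Agent service and wait for it to log the result.
Restart-Service -Name HealthService
Start-Sleep -Seconds 20
$filter = @{ LogName = 'Operations Manager'; Id = 20053; StartTime = (Get-Date).AddMinutes(-2) }
$loaded = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($loaded) {
    'Event 20053 logged: the certificate was loaded by the health service.'
} else {
    # Any other OpsMgr Connector event in the same window says why the certificate was rejected.
    Write-Warning 'No event 20053 yet; review the latest OpsMgr Connector events:'
    Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'OpsMgr Connector'; StartTime = (Get-Date).AddMinutes(-2) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}

# 4. The .pfx file holds the private key; once the certificate is bound it is no longer needed on disk.
Remove-Item -Path $Pfx -Force
```

The serial-number comparison is the quickest way to confirm that MOMCertImport picked the certificate you intended: when several certificates with the same subject exist in the Personal store (for example after a renewal), it is that registry value, not the store contents, that tells you which one the health service will present.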