This article describes process of obtaining and installing a digital certificate for OpsMgr agent that is not a member of your AD forest or a trusted forest. This article assumes that your managed computer is running one  of the following operating systems: Windows 2000/XP/Server 2003/Server 2003 R2/Vista/Server 2008/7/Server 2008 R2.

Target audience is OpsMgr administrators that have limited or no understanding of what certificates are and how PKI works. Described below is not the only way to achieve the same or similar goal but it implements many of PKI Best Practices.

In this article

Prerequisites

Note: all steps described in Prerequistes section must be completed in both scenarios.

↑ Back to the top

Existing Certification Authority (CA)

We suppose you already have some version of Microsoft Windows Server Active Directory Certificate Services (AD CS) Certificate Authority (CA) deployed in your environment and your OpsMgr Management Servers already trust this CA. You could also use commercial certificates issued by a third-party CA but in this case some of the steps described below should be a little bit different.

↑ Back to the top

Export Certificates of CA Hierarchy

First you need to export your CA hierarchy certificates.

↑ Back to the top

Distribute Certificates of CA Hierarchy

Now you need to transfer the above file to each of managed computers and import it as described below. 

1. Log on to the managed computer with local Adminsitrator priveleges.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type mmc, and then click OK. If User Account Control is enabled, enter local Administrator password or just press Yes on consent window.
4. In the Console1 window, click File, and then click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
7. In the Certificates snap-in dialog box, select Computer account, and then click Next.
8. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
9. In the Add Standalone Snap-in dialog box, click Close.
10. In the Add/Remove Snap-in dialog box, click OK.
11. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
12. Right-click Certificates, select All Tasks, and then click Import.
13. In the Certificate Import Wizard, click Next.
14. On the File to Import page, click Browse and select the location where you downloaded the CA certificates file, for example, TrustedCA.p7b, select the file, and then click Open.
15. On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
16. On the Completing the Certificate Import Wizard page, click Finish.
17. Close MMC console window.

↑ Back to the top

Scenario 1

Certification Authority server is configured as Standalone CA and running one of the following operating systems: Windows Server 2003/2003 R2/2008/2008 R2 Standard, Enterprise or Datacenter edition.

↑ Back to the top

Prepare certificate request template

1. Log on to the managed comuter with local Administrator privileges.
2. Click Start, and then click All Programs, Accessories, and then click Notepad.
3. Paste the following into the notepad window:

[NewRequest]



Subject="CN=<FQDN of managed computer>"



KeyLength=2048



KeySpec=1



KeyUsage=0xf0



MachineKeySet=TRUE



[EnhancedKeyUsageExtension]



OID=1.3.6.1.5.5.7.3.1



OID=1.3.6.1.5.5.7.3.2

Note: You should enter the FQDN name of your managed computer into the second line after “=” sign. For non-domain computers, FQDN equals NetBIOS name. Example: Subject="CN=MyWorkGroupPC".

1. Save the file with an .inf file name extension, for example OpsMgrConfig.inf.
   
   
   
   Note: It is a common mistake to create the file in Notepad and save the file as OpsMgrConfig.inf.txt. To prevent this, change the file type to All Files from the default of Text Documents (*.txt).
2. Close Notepad.

↑ Back to the top

Create a request file to use with an Standalone Certification Authority

1. Click Start, click All Programs, Accessories and then click Command Prompt.
   
   
   
   Note: If User Account Control is enabled run Command Prompt window by choosing Run as Administrator command from the shortcut’s context menu. If prompted enter local Administrator password or just press Yes on consent prompt.
2. In the Command Prompt window run the following command:

CertReq –New –f path\OpsMgrConfig.inf path\OpsMgr_%computername%.req

Note: you should enter a valid path for INF and REQ files. Request file should not exist yet when you run the command. It is created when you run the command.

1. Type Exit in Command Prompt window and press Enter.
2. Locate created OpsMgr_%computername%.req file and transfer it back to your Certification Authority.

↑ Back to the top

Submit a request file to Standalone Cetrtification Authority

1. Log on to the computer that acts as a Issuing Standalone Certification Authority with Certification Authority administrator or Certification Authority manager privileges.
2. On the Windows desktop, click Start, Administrative Tools and click Certification Authority. If User Account Control is enabled, enter required account password or just click Yes on consent window.
3. In the Certification Authority window select certification authority name, click Action, click All Tasks and then click Submit a new request.
4. In the Open request file window locate request file and click Open.
   
   
   
   Note: The request file is the one with .REQ file name extension you prepared on the previous step.
5. Now this request is waiting for approval. In the same console expand your CA name and select Pending Requests. Locate the request you submitted (typically it should be the only pending request). Click Action, All Tasks and click Issue.
6. If request is issued Save Certificate window will appear. Save certificate to a file, for example ManagedComputerName_cert.cer file.
7. Close Certification Authority snap-in.
8. Transfer this file back to the managed computer.

↑ Back to the top

Install issued certificate to managed computer

1. Log on to the managed computer with local Administrator permissions.
2. Click Start, click All Programs, Accessories and then click Command Prompt.
   
   
   
   Note: If User Account Control is enabled run Command Prompt window by choosing Run as Administrator command from the shortcut’s context menu. If prompted enter local Administrator password or just press Yes on consent prompt.
3. In the Command Prompt window run the following command:
   
   
   
   
   
   
   
   Certreq –accept path\%computername%_cert.cer

Note: You should enter a valid path for the certificate file.

If no error are displayed in CMD window proceed to the next step.

↑ Back to the top

Import certificates using MOMCertImport

1. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located. E.g. type “d:” without quotes), and then press ENTER.
2. Type cd \SupportTools\i386 and then press ENTER.
   
   
   
   Note: On 64-bit computers, type cd \SupportTools\amd64
3. Run the following command:
   
   
   
   
   
   
   
   MOMCertImport /SubjectName %computername%
   
   
   
   
4. If command returns successful status, type Exit to close Command Prompt window.

↑ Back to the top

Scenario 2

Certification Authority server is configured as Enterprise CA and running one of the following operating systems: Windows Server 2003/2003 R2/2008/2008 R2.

Note: Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008 Standard Edition don’t support version 2 templates.

↑ Back to the top

Prepare certificate template

1. Log on to the computer that acts as an Issuing Enterprise Certification Authority with Enterprise Admin privileges.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box type mmc, and then click OK. If User Account Control is enabled, enter required account credentials or just click Yes on consent window.
4. In the Console1 window, click File, and then click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Add Standalone Snap-in dialog box, click Certificate Templates.
7. In the Certificate Templates window locate the temlate named Computer.
8. Click Action and then click Duplicate Template. If prompted, select Windows Server 2003, Enterprise Edition.
9. In Properties of New Template window in General tab specify new template name. For example, OpsMgrAgentV2.
10. Switch to Subject Name tab and select Supply in the request.
11. Switch to Security tab.
12. Add a custom global or universal group that contains Certification Authority managers or Certification Authority administrators, and assign the group Read and Enroll permissions.
13. Click Apply and then click Ok to save changes to new template and close Certificate Templates window.

↑ Back to the top

Add new template to Issuing Enterprise CA

1. Log on to the computer that acts as Issuing Enterprise CA with Certification Authority administrator permissions.
2. On the Windows desktop, click Start, click Administrative Tools and click Certification Authority. If User Account Control is enabled, enter required account credentials or just click Yes on consent window.
3. Expand your Certification Authority name and select Certificate Templates.
4. In the Certificate Templates click Action, New and Certificate template to issue.
5. In the Enable Certificate Templates window locate custom template (in our example this is OpsMgrAgentV2) and click Ok.

↑ Back to the top

Prepare certificate request template

1. Log on to the managed comuter with local Administrator privileges.
2. Click Start, and then click Run.
3. In the Run dialog box, type Notepad, and then click OK.
4. Paste the following into the notepad window:

[NewRequest]



Subject="CN=<FQDN of managed computer>"



KeyLength=2048



KeySpec=1



KeyUsage=0xf0



MachineKeySet=TRUE



[RequestAttributes]



CertificateTemplate="OpsMgrAgentV2"

Note: You should enter the FQDN name of your managed computer into the second line after “=” sign. For non-domain computers, FQDN equals NetBIOS name. Example: Subject="CN=MyWorkGroupPC".

Note: In CertificateTemplate field you must enter certificate template common name rather display name.

1. Save the file with an .inf file name extension, for example OpsMgrConfig.inf.
   
   
   
   Note: It is a common mistake to create the file in Notepad and save the file as OpsMgrConfig.inf.txt. To prevent this, change the file type to All Files from the default of Text Documents (*.txt).
2. Close Notepad.

↑ Back to the top

Create a request file to use with an Enterprise CA

1. Click Start, click All Programs, Accessories and then click Command Prompt.
   
   
   
   Note: If User Account Control is enabled run Command Prompt window by right-clicking on CMD icon and pressing Run as Administrator. If prompted enter local Administrator password or just press Yes on consent prompt.
2. In the Command Prompt window run the following command:

CertReq –New –f path\OpsMgrConfig.inf path\OpsMgr_%computername%.req

Note: You should enter a valid path for INF and REQ files. Request file should not exist when you run the command.

1. Type exit to close Command Prompt window.

Locate created OpsMgr_%computername%.req file and transfer it back to where you have access to your Certification Authority.

↑ Back to the top

Submit a request file to Enterprise Cetrtification Authority

1. Log on to the computer that acts as an Issuing Enterprise Certification Authority with Certification Authority administrator or Certification Authority manager permissions.
2. On the Windows desktop, click Start, click Administrative Tools and click Certification Authority. If User Account Control is enabled, enter required account credentials or just click Yes on consent window.
3. In the Certification Authority window select Certification Authority name, click Action, click All Tasks and then click Submit a new request.
4. In the Open request file window locate OpsMgr_ManagedComputerName.req file and click Open.
5. By default Enterprise Certification Authority immediately issue or deny supplied request.
6. If request is issued Save Certificate window will appear. Save certificate to a file, for example ManagedComputerName_cert.cer file.
7. Close Certification Authority snap-in.
8. Transfer this file back to the managed computer.

↑ Back to the top

Install issued certificate to managed computer

1. Log on to the managed computer with local Administrator permissions.
2. Click Start, click All Programs, Accessories and then click Command Prompt.
   
   
   
   Note: If User Account Control is enabled run Command Prompt window by choosing Run as Administrator command from the shortcut’s context menu. If prompted enter local Administrator password or just press Yes on consent prompt.
3. In the Command Prompt window run the following command:
   
   
   
   
   
   
   
   Certreq –accept path\%computername%_cert.cer

Note: you should enter a valid path for the certificate file.

If no error are displayed in CMD window proceed to the next step.

↑ Back to the top

Import certificates using MOMCertImport

1. Click Start, click All Programs, Accessories and then click Command Prompt.
   
   
   
   Note: If User Account Control is enabled run Command Prompt window by choosing Run as Administrator command from the shortcut’s context menu. If prompted enter local Administrator password or just press Yes on consent prompt.
2. At the Command Prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located. E.g. type “d:” without quotes), and then press ENTER.
3. Type cd \SupportTools\i386 and then press ENTER.
   
   
   
   Note: On 64-bit computers, type cd \SupportTools\amd64
4. run the following command:
   
   
   
   
   
   
   
   MOMCertImport /SubjectName %computername%
   
   
   
   
5. If command returns successful status type Exit to close Command Prompt window.

↑ Back to the top