Friday, June 18, 2021

SCOM Gateway Certificates

It took me forever to put together this definitive step-by-step on how to create the SCOM Gateway Certificates template.  There is a lot out there about the fact that you need them, how to install them, etc., but when you need to give someone instructions on how to create the template, that information is hard to come by.  These instructions are for a Microsoft CA; obviously, if you are using a different Certificate Authority it will vary, but this should still have the essentials that you need.  Enjoy...

On the CA,

1. Select "Manage" under Certificate Templates

2. Right-click the template "IPSec (Offline request)" and select Duplicate Template

○ Compatibility tab 

§ Leave defaults

○ General Tab

§ Set an appropriate Name (like SCOM Gateway Certificate Template)

§ Set Validity to 2 years

§ Set Renewal period to 6 weeks

○ Request Handling tab 

§ Check "Allow private key to be exported" (this is essential: you will be exporting these certificates together with their private keys to import on the management servers and gateways, and without this setting the export fails)

○ Cryptography tab

§ Under Providers, select "Requests must use one of the following providers"

§ Check "Microsoft RSA SChannel Cryptographic Provider" and "Microsoft Enhanced Cryptographic Provider v1.0"

§ Leave the minimum key size at 2048 or lower so it matches the KeyLength used in the request below

○ Extensions tab

§ Select Application Policies and click Edit

§ Make sure the list contains Client Authentication and Server Authentication (add them if they are missing; the "IP security IKE intermediate" policy inherited from the IPSec template can be removed)

○ Security tab

§ Under "Group or user names" click "Add"

§ Set the object type to "Computers"

§ Search for the management server names

§ Grant Read and Enroll permissions to the management servers.  This lets the management servers request and renew their own certificates from the CA (if you want that renewal to happen automatically through Group Policy autoenrollment, grant Autoenroll as well); you will still have to manually renew the gateways.  Depending upon your AD trust relationships you may be able to add the gateways too, and then they could also renew on their own.  However, if that sort of trust exists then you likely did not need the gateway in the first place.  The point is, there is no harm in trying to add the gateways and it may end up helping you.


Go back to the Certificate Authority Console

3. Right-click Certificate Templates, select New > Certificate Template to Issue

• Select the new template created in step 2


On the management server

1. Create the request with certreq -new from an .inf file with the settings below (this generates the key pair in the computer store and writes a .req file).

2. Launch the CA's web enrollment page (https://<adservername>/certsrv) from the management server, select Advanced certificate request, then "Submit a certificate request by using a base-64-encoded ... file" and paste in the contents of the .req file.  Alternatively submit the .req file with certreq -submit.

3. When submitting, select the certificate template created in step 2 of the CA section, then install the issued certificate with certreq -accept.

Certreq inf settings (save as a .inf file; lines starting with ";" are comments):

    [NewRequest]
    ; SCOM matches the subject to the computer's FQDN
    Subject="CN=<YOUR SERVER FQDN>"
    ; Required so the certificate can be exported as a PFX for the gateway
    Exportable=TRUE
    KeyLength=2048
    ; 1 = AT_KEYEXCHANGE, the key type SChannel needs
    KeySpec=1
    ; 0xf0 = Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
    KeyUsage=0xf0
    ; Store the key in the computer store, not the requesting user's store
    MachineKeySet=TRUE
    [EnhancedKeyUsageExtension]
    ; Server Authentication
    OID=1.3.6.1.5.5.7.3.1
    ; Client Authentication
    OID=1.3.6.1.5.5.7.3.2
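The whole management-server procedure above, scripted, as an added example that is not part of the original post: it writes the .inf, builds and submits the request with certreq against the new template, checks that the issued certificate actually carries both EKUs and an exportable private key, and exports the PFX for the gateway. Every name in it is an assumed placeholder: the CA config string "CA01.corp.example.com\Corp-Issuing-CA", the template object name "SCOMGatewayCertificateTemplate" (the template name with spaces removed), and the gateway FQDN gw01.partner.example.net. The ProviderName and [RequestAttributes] lines are additions to the post's .inf so the request is bound to the template without going through the web enrollment page.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on a domain-joined management server. All names below are assumptions.
$CAConfig     = 'CA01.corp.example.com\Corp-Issuing-CA'      # "<CA host>\<CA name>"
$TemplateName = 'SCOMGatewayCertificateTemplate'             # template object name
$Fqdn         = 'gw01.partner.example.net'                   # gateway being enrolled
$Work         = Join-Path $env:TEMP $Fqdn
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Same [NewRequest] settings as the post's INF, plus the provider the template
#    allows and a [RequestAttributes] section naming the template, so the CA
#    applies the template's EKUs, validity and renewal period.
@"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
ProviderName="Microsoft Enhanced Cryptographic Provider v1.0"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate=$TemplateName
"@ | Set-Content -Path (Join-Path $Work 'request.inf') -Encoding ASCII

# 2. Generate the key pair (computer store, because MachineKeySet=TRUE) and the
#    CSR, submit the CSR, and bind the issued certificate to the pending key.
$req = Join-Path $Work 'request.req'
$cer = Join-Path $Work 'issued.cer'
certreq -new (Join-Path $Work 'request.inf') $req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed; check the INF syntax.' }
certreq -submit -config $CAConfig $req $cer
if (-not (Test-Path $cer)) {
    # The CA took the request under submission (manager approval) or denied it
    # (e.g. this computer lacks Enroll on the template). After fixing that, use
    # certreq -retrieve -config <CA> <RequestId> <file> followed by certreq -accept.
    throw "No certificate returned for $Fqdn; the request is pending or was denied."
}
certreq -accept $cer

# 3. Verify before handing it over: private key present and exportable, and both
#    EKUs the template was supposed to add.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My." }

# Legacy CSP keys (KeySpec=1 with the Enhanced provider) expose the exportable flag here.
if ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    throw 'Private key is not exportable; "Allow private key to be exported" was not set on the template.'
}

$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($required in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $required) {
        throw "Issued certificate lacks EKU $required; check the template's Application Policies."
    }
}

# 4. Export with the private key for import on the gateway.
$pfx      = Join-Path $Work "$Fqdn.pfx"
$password = Read-Host -AsSecureString -Prompt "PFX password for $Fqdn"
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password | Out-Null
Write-Host "Exported $pfx (thumbprint $($cert.Thumbprint)). Copy it to $Fqdn, then delete it and the certificate from this host."
```

On the gateway, import the PFX into the computer's Personal store and register it with SCOM's MOMCertImport tool (in the SupportTools folder of the installation media), which is the part of the process the post leaves to other references. Because the gateway's private key was generated on the management server, delete the exported PFX and the certificate from the management server's store once the gateway is working, so the only copy of that key lives where it is used.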