
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/

Installing the Root CA & Creating SCOM Certificate Template

Recently we jumped into a situation wherein we had set up a SCOM 2016 infrastructure in an organization; however, we got a request to monitor a few Workgroup servers as well.

System Center Operations Manager requires mutual authentication to be performed between agents and management servers before any information is exchanged between them. To secure the authentication process between the two, the process is encrypted. When the agent and the management server reside in the same Active Directory domain, or in Active Directory domains that have established trust relationships, they use the Kerberos V5 authentication mechanisms provided by Active Directory. When the agents and management servers do not lie within the same trust boundary, other mechanisms must be used to satisfy the secure mutual authentication requirement.

In Operations Manager, this is accomplished using X.509 certificates issued for each computer; that is, certificates must be issued and installed on all the agent servers and the management servers.

The following illustration shows the authentication relationships in a management group using certificate authentication.

So, let’s start installing and configuring the Certificate Authority server, and after that we will create the SCOM Certificate Template.

Note: If you already have an Enterprise Root CA then you do not need to install a new one. You can directly create the SCOM Certificate Template.

Install & Configure Certificate Authority Server

1: Log on to the Domain Controller server and open Server Manager.
2: Click on Manage and select the Add Roles and Features option.
3: Jump to the Server Roles page by clicking the Next button three times.
4: Select the Active Directory Certificate Services role and click Next.

5: Click Next.
6: Click Next.
7: Select the role services below and click Next.

• Certification Authority
• Certificate Enrollment Web Service
• Certification Authority Web Enrollment

8: Click Next.
9: Leave the options at their defaults and click Next.
10: Click the Install button.

The installation may take a few minutes to complete.

11: Click the Close button to close the Add Roles and Features Wizard.
12: Open Server Manager and click on the Notifications flag.
13: Click the Configure Active Directory Certificate Services on the destination server option.
14: Specify the credentials to configure role services and click Next.

Note: Make sure the credentials you are using to configure the mentioned role services belong to the local Administrators group and the Enterprise Admins group.

15: Select the role services below and click Next.

• Certification Authority
• Certification Authority Web Enrollment

Note: Certification Authority Web Enrollment and Certificate Enrollment Web Service cannot be configured in the same pass of the wizard, so we will configure Certificate Enrollment Web Service after configuring AD CS.

16: Select Enterprise CA and click Next.
17: Select Root CA and click Next.
18: Select Create a new private key and click Next.
19: Leave the cryptographic provider and key length at their defaults.
20: Change the hash algorithm to SHA256 and click Next.
21: Change the Common name for this CA (if required) and click Next. We are keeping the default.
22: Specify the validity period for the certificate generated for this CA and click Next.
23: Specify the database locations and click Next.
24: Review the configuration and click the Configure button.
25: Both the selected roles should be configured within a few seconds.
26: Click the Close button to close the AD CS Configuration Wizard.

Soon after clicking the Close button of the AD CS Configuration Wizard, you should get a prompt to configure additional role services.

27: Click the Yes button, as we need to configure the remaining role service, Certificate Enrollment Web Service.
28: Specify the appropriate credentials, as provided in Step 14, and click the Next button.
29: Select the Certificate Enrollment Web Service option and click Next.
30: Leave the options at their defaults and click Next.
31: Leave the option at its default and click Next.
32: Specify the service account; it must be a member of the IIS_IUSRS group.
33: Click Next.
34: Specify the Server Authentication Certificate and click Next.
35: Click the Configure button.
36: AD CS configuration is done. Click the Close button to close the AD CS Configuration Wizard.
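The same role installation and configuration (steps 1 to 36) as an added PowerShell script; it is not from the original post, and the service account, password prompt and certificate thumbprint are placeholders you must replace. It assumes an elevated session on the target server under an account that is in local Administrators and Enterprise Admins, as the note at step 14 requires.

```powershell
# Placeholders for the values the wizard asks for in steps 32 and 34 (constructed, not from the post)
$SvcAccount  = 'CONTOSO\svc-ces'                    # CES service account, member of IIS_IUSRS
$SvcPassword = Read-Host -AsSecureString 'Password for the CES service account'
$SslThumb    = '<SERVER-AUTH-CERT-THUMBPRINT>'      # server authentication certificate (step 34)

# Steps 1-11: add the three role services in one pass
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc `
    -IncludeManagementTools

# Steps 14-26: Enterprise Root CA with a new key, default KSP and key length, SHA256 hash (step 20),
# 5-year validity as the wizard default
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
Install-AdcsWebEnrollment -Force

# Steps 27-36: the Enrollment Web Service is configured in a second pass (note at step 15);
# it needs the CA config string "<CA host FQDN>\<CA name>", which we read back from the registry
$caName   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$caHost   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$caConfig = "$caHost\$caName"
Install-AdcsEnrollmentWebService -CAConfig $caConfig `
    -ServiceAccountName $SvcAccount -ServiceAccountPassword $SvcPassword `
    -AuthenticationType Kerberos -SSLCertThumbprint $SslThumb -Force

# Quick verification: the CA answers and its root certificate is in the local trusted root store
certutil -config $caConfig -ping
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$caName*" } |
    Select-Object Subject, Thumbprint, NotAfter
```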

Create SCOM Certificate Template

This is the most common scenario: the organization already has an Enterprise CA but does not have a SCOM Certificate Template.

So, if you have an Enterprise CA and no SCOM Certificate Template, follow these steps.

1: Log on to the Enterprise CA server and open Certificate Authority.

2: Right-click the Certificate Templates folder and click Manage.
3: Right-click IPSec (Offline request) and click Duplicate Template.
4: Leave the Compatibility tab fields at their defaults.
5: Click on the General tab and give your template a suitable name.
6: Adjust the Validity period so it adheres to the security policy of your company.
7: Click on the Request Handling tab and put a check mark on the Allow private key to be exported option.
8: Click on the Cryptography tab and set Minimum key size to 1024.
9: Under Providers, select Microsoft RSA SChannel Cryptographic Provider and Microsoft Enhanced Cryptographic Provider v1.0.

10: Click on Application Policies and click the Edit button.
11: Select the default policy and click the Remove button.
12: Click on the Add button.
13: Hold the Ctrl key on the keyboard and select the application policies below.

• Client Authentication
• Server Authentication

14: Click OK twice.

15: Grant Read and Enroll access to Authenticated Users.
16: Click on the Add button and click Object Types.
17: Put a check mark on Computers and click OK.
18: Add the SCOM Management Server here and click OK.
19: Select the added computer account and grant it Read and Enroll permissions.
20: Click Apply and OK to save the changes.
21: Open Certificate Authority and right-click Certificate Templates.
22: Click New and select Certificate Template to Issue.
23: Select the SCOM template we created and click the OK button.

The SCOM template should now be visible under the Certificate Templates folder.

Launch the Certificate Server website (e.g. https://scmvpcd/Certsrv) on the SCOM Management Server (the computer account which was granted Read and Enroll access while creating the SCOM template). The SCOM template should be visible there.

TIP: Disable the IE Enhanced Security Configuration under Server Manager so the Certificate Server website can load properly and you get all the options.
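As an added audit check (not part of the original post), this PowerShell reads the published template back from Active Directory and reports whether it carries the EKUs, exportable key and key size configured above, and who holds Enroll on it. It assumes the RSAT ActiveDirectory module on a domain-joined machine and uses 'SCOM' as a placeholder for the Template name you entered in step 5.

```powershell
Import-Module ActiveDirectory

$TemplateName = 'SCOM'   # placeholder: the Template name (CN) from the General tab in step 5

$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$t = Get-ADObject -Identity $dn -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Application-Policy',
    'msPKI-Private-Key-Flag', 'msPKI-Minimal-Key-Size', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'

$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'
# Step 13 sets the EKUs; templates carry them in both attributes
$eku = @($t.pKIExtendedKeyUsage) + @($t.'msPKI-Certificate-Application-Policy')

$report = [ordered]@{
    Template             = $TemplateName
    HasServerAuthEKU     = $eku -contains $ServerAuth
    HasClientAuthEKU     = $eku -contains $ClientAuth
    PrivateKeyExportable = ($t.'msPKI-Private-Key-Flag' -band 0x10) -ne 0      # step 7, CT_FLAG_EXPORTABLE_KEY
    MinimumKeySize       = $t.'msPKI-Minimal-Key-Size'                          # step 8
    # inherited from IPSec (Offline request): the subject name is supplied in the request
    SubjectFromRequest   = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    ManagerApproval      = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0        # CT_FLAG_PEND_ALL_REQUESTS
}

# Who holds the Certificate-Enrollment extended right (granted in steps 15 and 19)?
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$enrollers = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.ActiveDirectoryRights -band 256) -ne 0 -and          # 256 = ExtendedRight (GenericAll includes it)
    ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value }
$report['Enrollers'] = @($enrollers) -join ', '

# Caveats a defender would want before issuing from this template
if ($report.MinimumKeySize -lt 2048) {
    Write-Warning "Minimum key size $($report.MinimumKeySize) is below 2048; raise it unless legacy agents require 1024."
}
$authUsers = ([System.Security.Principal.SecurityIdentifier]'S-1-5-11').Translate(
    [System.Security.Principal.NTAccount]).Value
if ($enrollers -contains $authUsers -and $report.SubjectFromRequest -and
    $report.HasClientAuthEKU -and -not $report.ManagerApproval) {
    Write-Warning 'Authenticated Users can enroll, supply any subject name and receive Client Authentication: restrict Enroll to the SCOM management server and agent computer accounts (steps 18-19) or require certificate manager approval.'
}
[pscustomobject]$report
```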

That’s it.

The SCOM Certificate template is ready and we are good to go for discovering Workgroup servers in our SCOM environment.

In my next article, I will show you how to install the certificate using the SCOM template and discover Workgroup servers in SCOM.

Hope this helps.