Using 3rd-Party Certificates for Monitoring of Workgroup OpsMgr Agents
Requesting and installing a certificate so that the RMS can monitor machines that are not in the domain, or are in a domain the RMS does not trust.
------------Tasks to complete-----------
Request a 3rd-party certificate whose subject is the machine's "full computer name"
Use CertReq.exe to generate the request file
On the 3rd-party CA's web interface select a "Web Server" certificate
Enter the details the CA asks for and paste in the CSR
Copy and paste the issued certificate into a file
Import it into the computer's Personal certificate store
Import the corresponding root and issuing CA certificates into the trusted certificate stores
Check the Enhanced Key Usage (Server Authentication and Client Authentication) and adjust the request if either is missing
Run the MOMcertimport tool
Install agent
Approve the manually installed agent in OpsMgr
-------Details--------------------
Log on to the server and note the full computer name (System Properties: the host name plus the primary DNS suffix, if one is set)
Use exactly this name as the subject of the 3rd-party certificate request; the RMS matches the certificate against it
Use Certreq.exe with an inf file:
CertReq -New -f RequestConfig.inf BinaryRequest.req
-------RequestConfig.inf----------
[NewRequest]
; Replace 12345678 with the full computer name noted above
Subject="CN=12345678"
; Allows the key to be backed up or moved later
Exportable=TRUE
; 1024-bit RSA keys are no longer adequate
KeyLength=2048
; AT_KEYEXCHANGE
KeySpec=1
; Digital signature, non-repudiation, key and data encipherment
KeyUsage=0xf0
; Key lives in the computer's store, not the user's
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
; Server Authentication
OID=1.3.6.1.5.5.7.3.1
; Client Authentication
OID=1.3.6.1.5.5.7.3.2
-----------------------------------
Have the 3rd-party CA issue the certificate.
Copy and paste the issued certificate into a *.cer file and bind it to the pending request, which places it in the computer's Personal store together with its private key:
certreq -accept NewCertificate.cer
This works more reliably than importing through the Certificates MMC snap-in; other import routes can leave the private key marked non-exportable.
Import the root and issuing CA certificates into the computer's Trusted Root Certification Authorities and Intermediate Certification Authorities stores (certreq -accept applies only to the certificate that matches the pending request).
Run the most recent version of the MOMCertImport tool. It writes the certificate's serial number to the registry and restarts the OpsMgr Health Service.
Run without arguments, it lets you pick the correct certificate from a list.
Install Agent. Make sure you install the correct version for the processor type
Go to the administration part of the opsmgr console and approve the agent.
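The request, import and registration steps above as one PowerShell script. This is an added example, not code from the original post, and it assumes: it runs in an elevated PowerShell on the workgroup agent; the CA hands back the issued certificate as NewCertificate.cer and its chain as Root.cer and IssuingCA.cer (file names are assumptions); MOMCertImport.exe has been copied from the OpsMgr media into the current directory; and the tool build in use accepts the /SubjectName switch (run it with no arguments to pick the certificate from the dialog if it does not).

```powershell
# Added example (not from the original post). Run once with -Stage Request,
# submit the CSR to the CA, then run again with -Stage Install.
param(
    [ValidateSet('Request', 'Install')]
    [string]$Stage = 'Request'
)
$ErrorActionPreference = 'Stop'

# "Full computer name" as shown in System Properties: host name plus primary DNS suffix.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$fqdn  = if ($tcpip.Domain) { "$($tcpip.Hostname).$($tcpip.Domain)" } else { $tcpip.Hostname }

if ($Stage -eq 'Request') {
    # Same request as RequestConfig.inf above, with the CN filled in.
    @"
[NewRequest]
Subject="CN=$fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path RequestConfig.inf -Encoding ASCII

    certreq -New -f RequestConfig.inf BinaryRequest.req
    Write-Host "Submit BinaryRequest.req to the CA as a Web Server certificate for $fqdn,"
    Write-Host "save the result as NewCertificate.cer, then rerun with -Stage Install."
    return
}

# --- Install stage ---
# Trust chain first (machine stores, since this runs elevated), so the issued
# certificate chains when the Health Service loads it. File names are assumed.
certutil -addstore -f Root Root.cer
certutil -addstore -f CA   IssuingCA.cer

# Bind the issued certificate to the pending request; this keeps the key exportable.
certreq -accept NewCertificate.cer

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$fqdn in LocalMachine\My" }

# Checks for problems 1 and 2 from the post: exportable key and both EKUs present.
if ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    Write-Warning 'Private key is not exportable; re-request and bind it with certreq -accept.'
}
$ekuExt = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
foreach ($need in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $need) { throw "Certificate is missing Enhanced Key Usage $need" }
}

# Register the serial number with the Health Service and restart it.
# /SubjectName is assumed to be supported by the MOMCertImport build in use.
.\MOMCertImport.exe /SubjectName $fqdn
Write-Host "Registered $($cert.Thumbprint) for $fqdn; now install and approve the agent."
```

The EKU check is done against the certificate extensions directly rather than a friendly-name list so it behaves the same on the older PowerShell versions found on 2007-era agents.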
------------Problems----------------
1. Certificate not exportable. The key is only exportable if the request inf set Exportable=TRUE and the issued certificate was bound to the request with certreq -accept; if it was brought in another way, request it again.
2. Wrong type of certificate. The Enhanced Key Usage must include both Server Authentication and Client Authentication; adjust the request (or have the CA reissue) if either is missing.
3. When you restart the OpsMgr Health Service you get event ID 21021, "No certificate could be loaded or created". The event logged immediately before it gives the actual reason.
4. Confirm HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber holds the certificate's serial number; the value is stored with its bytes in reverse order, so read it backwards when comparing.
5. Confirm you can reach the OpsMgr server on TCP port 5723 (for example, telnet rms 5723).
6. Look for event ID 20053, which tells you that the agent loaded the certificate successfully.
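Problems 3 to 6 above as one set of checks run on the agent. This is an added example, not code from the original post; it assumes -Rms is the RMS host name (the default 'rms' mirrors the telnet example), that the "Operations Manager" event log exists because the agent is installed, and uses the registry value and event IDs the post cites.

```powershell
# Added example (not from the original post): agent-side checks for the
# registry serial number, port 5723 and the connector events.
param([string]$Rms = 'rms')

$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$stored  = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber

if (-not $stored) {
    Write-Warning 'ChannelCertificateSerialNumber is not set: MOMCertImport has not been run'
} else {
    # REG_BINARY holding the serial number with its bytes reversed. Undo the
    # reversal and render as hex so it compares with X509Certificate2.SerialNumber.
    $bytes = [byte[]]$stored.Clone()
    [array]::Reverse($bytes)
    $storedSerial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $storedSerial }
    if ($cert) { "Registry serial $storedSerial matches $($cert.Subject)" }
    else       { Write-Warning "No certificate in LocalMachine\My has serial $storedSerial; rerun MOMCertImport and pick the right one" }
}

# Problem 5: TCP 5723 to the RMS, without relying on the telnet client being installed.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($Rms, 5723); "TCP 5723 to $Rms is open" }
catch   { Write-Warning "Cannot connect to ${Rms}:5723 - $($_.Exception.Message)" }
finally { $tcp.Close() }

# Problems 3 and 6: Get-EventLog returns newest first, so the entry after a
# 21021 in this list is the event that was logged just before it.
$events = @(Get-EventLog -LogName 'Operations Manager' -Newest 200 -ErrorAction SilentlyContinue)
for ($i = 0; $i -lt $events.Count; $i++) {
    $e = $events[$i]
    switch ($e.EventID) {
        20053 { "{0:u}  20053 certificate loaded OK" -f $e.TimeGenerated }
        21021 {
            "{0:u}  21021 no certificate could be loaded or created" -f $e.TimeGenerated
            if ($i + 1 -lt $events.Count) {
                $prev = $events[$i + 1]
                "            preceded by event {0}: {1}" -f $prev.EventID, ($prev.Message -split "`n")[0]
            }
        }
    }
}
```

Only the first line of the preceding event's message is printed; open it in Event Viewer for the full text once you know which event to look at.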
Keywords:-
3rdParty, 3rd-Party, SCOM, 2007, OpsMgr, Operations, Manager, Workgroup, DMZ, Un-trusted