Tag Archives: SCOM2012

Installing Root Certificate Authority and Creating SCOM Template

System Center Operations Manager can manage the domain joined servers/machines using the default Kerberos protocol when the port 5723 is open. The machines which are not joined to the domain ( workgroup computers ) or the ones which are in a domain which doesn’t trust  Ops Manager can be managed by importing certificates in both Gateway/Management Server and the client machine

This blog features the configuration of Certificate Authority role and creating Certificate Template

CA Server : AD.kartik.com

Login to the Active Directory Server as a domain Admin and configure the CA role

Navigate to Server manager and select add roles and features

Select Active Directory Certificate Services role

1

Select Certificate Authority, Certificate Enrollment Web Service, Certification Authority Web Enrollment.

2

Specify credentials to configure AD CS Role

3.png

 

4.png

Select Enterprise CA

5.png

Specify the CA type as Root CA

 

6.png

Select the option create a new private key

7.png

 

Select the default options for Cryptiographic provider and Key Length and select SHA256 as hash algorithm

8.png

Specify the name to the Certificate Authority

9.png

Specify the validity period as per the Company Policy

10.png

Choose the  default database locations

11.png

verify the selected options

12.png

 

13.png

Configure the additional role services

14.png

Specify credentials to configure role services

15.png

 

16.png

Select the authentication type as windows integrated authentication

17.png

Specify the service account for CES

18.png

 

19.png

Select Certificate Authority from the Tools menu in Server Manager

20.png

Click on Certificate Templates and select Manage

22

Select the template Ipsec Offline request and select duplicate template

23.png

Leave the compatibility tab to default

Give the appropriate Template Name under general Tab

Select the validity period as per the Security Policy

24.png

Under Request Handling, check Allow Private Key to be exported

26.png

Under Cryptography Select as Providers Microsoft RSA SChannel Cryptographic Provider and Microsoft Enhanced Cryptographic Provider v 1.0

 

27

Navigate to Extensions tab and select Application Policies , click edit and select

28.png

Select Client Authentication and Server Authentication

29.png

Navigate to security tab, select Authenticated users and click on Add

30.png

Select Object types as computers

31.png

Search for  SCOM Management Servers

32.png

Grant Read and Enroll permissions to the Management Servers

33.png

Go back to the Certificate Authority Console, Select Certificate Template, Click on New Certificate Template to Issue

34.png

Select the Template which was created before

35.png

Launch https://ad/certsrv (https://adservername/Certsrv) from Management Server and select advanced certificate request

36.png

The certificate Template should be visible here

37.png

 

 

 

 

 

Advertisements