The following is a "mini-guide" I developed to help understand, obtain and troubleshoot OpsMgr communication using certificates. This information is based on my experience(+struggle!) and understanding of the use of certificates to authenticate and process data flow for OpsMgr 2007 and 2012. This guide contains information about:
OpsMgr Communication using Certificate Overview
Communication between OpsMgr servers (MS, GTW, Agents) in untrusted domains is done through certificates. So computers need its own OpsMgr certificates. OpsMgr uses 2 certificates on each computer, only one must be provided by a trusted authority
OpsMgr Certificate X.509 (generated by a trusted authority)
This certificate is located in the Local Computer / Personal / Certificates Container
OpsMgr Self-Signed Certificate (auto-generated by MOMCertImport or agent restart)
This certificate is located in the Local Computer / Operations Manager / Certificates Container
OpsMgr Certificate Requirements
All servers involve in the authentication using a certificate must trust the certificate authority where the certificate originate. They must have the CA root chain of the CA in their trusted root authorities. (Does not have to be same Root CA, but Root CA must be trusted by source and target)
Each computer must have its own certificate loaded in the Local Computer Personal store. (See sample screenshot in Appendix)
Must include the Private Key
Subject Name must match computer FQDN (CN=<ServerName>)
Must be trusted all the way to the root (Chain)
Certificates configuration options:
Hash Algorithm does not need to be same between source and target. (Ex. SHA1 on MS and SHA256 on GTW works)
Key size can be 2048 and 4096
Does not appear to validate with CRL. Even if CRL distribution point is not available, Cert load successfully. (Also tried Clearing CRL Cert Cache)
OpsMgr Self-Signed Certificate Requirements
If OpsMgr Self-Signed Cert (MOMCertImport) is not there, data flow is not being process
OpsMgr Self-Signed certificate is not used for authentication.
MOMCerImport seems to be an optional task as restarting the agent also does generate the OpsMgr self-signed certificate
Obtaining a Certificate from Win2008 Enterprise CA
This section is based on the following TechNet article with some additional details to help simplify the process
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA http://technet.microsoft.com/en-us/library/hh467900.aspx
Create an OpsMgr Certificate Template (Enterprise CA)
Download and Import Trusted Root (CA) Certificate (and Sub CA)
Request OpsMgr Certificate
Import OpsMgr Certificate
Note: A PKI Administrator privileges is required to perform the following steps.
To create a certificate template
On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.
In the Certificate Templates console, in the results pane, right-click IPsec (Offline request), and then click Duplicate Template.
In the Duplicate Template dialog box, select
Windows Server 2008 Enterprise Edition
In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template; for example, <OpsMgrCert>.
On the Request Handling tab, select Allow private key to be exported.
Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit.
In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
Click Add, and in the Application policies list, hold down the CTRL key to multi-select items from the list, click Client Authentication and Server Authentication, and then click OK.
In the Edit Application Policies Extension dialog box, click OK.
Click the Security tab and ensure that the Authenticated Users group has Read and Enroll permissions, and then click OK.
Close the Certificate Templates console.
To add the template to the Certificate Templates folder
On the computer that is hosting your Enterprise CA, in the Certification Authority snap-in, right-click the Certificate Templates folder, point to New, and then click Certification Template to Issue.
In the Enable Certificate Templates box, select the certificate template that you created
To download the Trusted Root (CA) certificate
Log on to a host in the domain. (Any)
Start Internet Explorer, and connect to the computer hosting Certificate Services.
On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
In the File Download dialog box, click Save and save the certificate
When the download has finished, close Internet Explorer.
To import the Trusted Root (CA) certificate
Logon to the host you want to import the Root CA.
Click Start, and then click Run.
In the Run dialog box, type mmc, and then click OK.
In the Console1 window, click File, and then click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
In the Certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
Right-click Certificates, select All Tasks, and then click Import.
In the Certificate Import Wizard, click Next.
On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example: TrustedRootCA.p7b, select the file, and then click Open.
On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
On the Completing the Certificate Import Wizard page, click Finish.
Note: Perform for each computer that needs a certificate
To create a setup information (.inf) file
In the Run dialog box, type Notepad, and then click OK.
Create a text file containing the following content: (Modify bold text)
[NewRequest] Subject="CN=<FQDN of computer you are creating the certificate, for example, the gateway server or management server.>" Exportable=TRUE KeyLength=2048 KeySpec=1 KeyUsage=0xf0 MachineKeySet=TRUE [EnhancedKeyUsageExtension] OID=126.96.36.199.188.8.131.52.1 OID=184.108.40.206.220.127.116.11.2
Save the file with an .inf file name extension. Ex.: OpsMgrTemplate.inf
To create a request file to use with an enterprise CA
Note: The CertReq command MUST BE PERFORMED on the computer the certificate needs to be installed. (Each computer must have its own certificate (MS, GTW, Agent)
On the host you need a certificate for, copy the .inf file created in the previous section and update the subject.
In a command window, type:
CertReq –New –f OpsMgrTemplate.inf Server1.req
To submit a request to an enterprise CA
Note: Request can be submitted manually or using the Web Interface, choose the one you prefer from any host in the domain.Manually submitting a request:
CertReq -submit -attrib certificatetemplate:OpsMgrCert Server1.req
Submitting a request using the Web interface:
On the Microsoft Active Directory Certificate Services Welcome screen, click Request a certificate.
On the Request a Certificate page, click advanced certificate request.
On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
On the Submit a Certificate Request or Renewal Request page, in the Saved Request text box, paste the contents of the request file from the previous procedure. Ex.: Server1.req
In the Certificate Template select the certificate template that you created
Then click Submit.
On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
In the File Download – Security Warning dialog box, click Save, and save the certificate
Close Internet Explorer.
Note: Request a certificate for each MS, GTW and Agents(Untrusted) servers
To import the certificate into the certificate store
On the computer hosting the Operations Manager role for which you are configuring the certificate, click Start, and then click Run.
In the Console1 window, click File, and then click Add/Remove Snap-in .In the Add/Remove Snap-in dialog box, click Add.
In the Console1 window, expand Certificates (Local Computer), expand Personal, and then click Certificates.
On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example: Server1.cer, select the file, and then click Open.
On the File to Import page, select Place all certificates in the following store and ensure that Personal appears in the Certificate store box, and then click Next.
Create the self-signed certificate into Operations Managers container using MOMCertImport
Log on to the computer where you installed the certificate with an account that is a member of the Administrators group.
Double-click on the MOMCertImport.exe tool
Select the Certificate imported earlier
Restart System Center Management Service.
Sample Validation of a Certificate on a Gateway server
Confirm an event 20053 in Operations Manager event log exist which says the certificate is loaded successfully.
Gateway Approval process to initiate communication from MS to Gateway Server
IMPORTANT: New in Operations Manager 2012, Management Server can initiate communication to the Gateway server, so no need to open port TCP 5723 in the Firewall from GTW to MS.
Follow the steps outline in the section How to Deploy a Gateway Server on TechNet, except during the gateway approval process, follow the step below.
To run the gateway approval tool
On the management server that was targeted during the gateway server installation, log on with the Operations Manager Administrator account.
Open a command prompt, and navigate to the Operations Manager installation directory or to the directory that you copied the Microsoft.EnterpriseManagement.gatewayApprovalTool.exe to.
At the command prompt, run:
Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create /ManagementServerInitiatesConnection=True
If the approval is successful, you will see the approval of server <GatewayFQDN> completed successfully.
If you need to remove the gateway server from the management group, run the same command, but substitute the /Action=Delete flag for the /Action=Create flag.
Open the Operations console to the Monitoring view. Select the Discovered Inventory view to see that the gateway server is present.
This posting is provided "AS IS" with no warranties and confers no rights.
Thanks for sharing.
Thank you very much.
Thanks for share Drougeau.
why we use certificate