Obtaining Certificates for Non-Domain Joined Agents Made Easy With Certificate Generation Wizard


We have created a new UI tool to make obtaining certificates in bulk easy.

Here at OpsMgr, we understand the pain you have to go through to configure certificate authentication for non-domain joined agents. We have already provided several things to make obtaining certificates easier, but we know we are far from a seamless solution, and we keep adding tools to help with this process.

Here's a quick lowdown: to mutually authenticate a non-domain joined agent, both the agent and the server require a personal computer certificate and the root CA certificate. This is accomplished in two basic steps:


1.  Request and acquire the certificates from a Certification Authority (CA).

Your company may already have an Enterprise CA set up if it uses PKI; if not, you can install a CA (add it as a role, like any other role in Win2K3 and up) and request certificates from there.

2.  Install the certificates into the local machine certificate store of the agent and server computers, then run the MOMCertImport.exe tool.

This step is required to, in a sense, "register" your certificates with the computer: the MOMCertImport tool tells OpsMgr which certificate you want it to use.
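The manual equivalent of step 1 with certreq.exe, as an added example (not from this post and not the code inside CertGenBinaries.zip). It requests one machine certificate with the properties OpsMgr certificate authentication needs (subject CN = FQDN, an exchange key usable for Digital Signature and Key Encipherment, Server and Client Authentication EKUs); the FQDN, CA config string and template name are assumed placeholder values.

```powershell
# Added example (not from the post or the CertGenBinaries.zip tools): request one
# OpsMgr machine certificate the manual way with certreq.exe, which ships with
# Windows. Assumed values below; replace them with your own.
param(
    [string]$Fqdn     = "server1.contoso.com",            # constructed example FQDN
    [string]$CaConfig = "CAHOST.contoso.com\Contoso-CA",  # "<CA host>\<CA name>"; quote if the name has spaces
    [string]$Template = "OpsMgrCertificate"               # Enterprise CA only; set to "" for a stand-alone CA
)

# The request INF: CN must be the agent's FQDN; KeySpec=1 makes an exchange key;
# KeyUsage 0xA0 = Digital Signature + Key Encipherment; the two OIDs are the
# Server Authentication and Client Authentication EKUs. Exportable lets you move
# the certificate WITH its private key (.pfx) to the agent afterwards.
$inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@
if ($Template) { $inf += "`r`n[RequestAttributes]`r`nCertificateTemplate = $Template`r`n" }

$infFile = "$Fqdn.inf"; $reqFile = "$Fqdn.req"; $cerFile = "$Fqdn.cer"
$inf | Set-Content -Path $infFile -Encoding ASCII

# 1. Build the CSR; the private key is created in the Local Machine store of THIS computer.
certreq -new $infFile $reqFile

# 2. Submit it. With auto-approve the .cer comes back at once; otherwise certreq prints
#    a RequestId and the request waits under Pending Requests on the CA.
certreq -submit -config $CaConfig $reqFile $cerFile

if (Test-Path $cerFile) {
    # 3. Bind the issued certificate to its private key in the store.
    certreq -accept $cerFile
} else {
    Write-Host "Request pending. After the CA admin issues it, run:"
    Write-Host "  certreq -retrieve -config `"$CaConfig`" <RequestId> $cerFile"
    Write-Host "  certreq -accept $cerFile"
}
```

The private key stays in the store of the machine where `certreq -new` ran, so export the issued certificate together with its key as a .pfx before moving it to the agent; a bare .cer carries no private key, which is the event 20077 / 0x80092004 situation raised in the comments below.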


To make this easy, we have developed a tool (attached below as CertGenBinaries.zip) to help simplify the process.

CertGenWizard.exe is a wizard that takes your CA information as input (not required if you run the wizard on the CA itself) and the computer names (these must be FQDNs), and sends out requests for the certificates you need. You no longer have to fill out the Certificate Request form, enter parameters, or connect to the web enrollment service. Once the certificates are approved, the Retrieve button in CertGenWizard lets you retrieve the certificates you requested. In addition to the personal certificates, the wizard retrieves the root CA certificate.


The biggest benefit to this tool is the added ability to request multiple certificates at once.  If you have 100 non-domain joined agents that you need to set up cert auth for, you can simply request all 100 machine certificates at once, retrieve them all, and manually bring them over to your other machines. 


Once you have brought them to your other machines, CertInstaller.exe, the second tool, installs the certificates into the local machine store of that computer and runs MOMCertImport.exe for you. Note: install the OpsMgr agent FIRST, then run the tool!


Below are the steps for using the tools:

Pre-requisites:

- .NET Framework 3.0
- A Certification Authority (Win2K3/Win2K8 Enterprise or Stand-alone CA)
- If it is an Enterprise CA, an OpsMgr certificate template must be created beforehand
- createReqFile.bat must be in the same directory as CertGenWizard.exe
- MOMCertImport.exe must be in the same directory as CertInstaller.exe


Using CertGenWizard.exe:


Installing the wizard:

  1. Download the .zip file and unzip it on to a computer with a CA or that has access to a CA.
  2. Run CertGenWizard.exe.


Requesting certificates:

  1. Discover your CA page - Supply your CA information to find a particular CA to use.  If you don't have a CA installed, you'll have to install one yourself.  Note: The wizard won't continue if it doesn't detect a CA.
  2. Certificate Request page - Enter the FQDNs of the computers you need certificates for (all the agents and servers) and a save directory.  Note: If you have an Enterprise CA, a drop-down box will appear and you must select a certificate template.  This must be created beforehand by your CA admin; the instructions for creating an OpsMgr certificate template are in the OpsMgr Security Guide.
  3. Hit Create.

Notes: 

A processing page will pop up showing the status of each certificate request.

The root CA certificate will also be downloaded at this step and saved as RootCertificate.cer.


Retrieving certificates:

  1. If auto-approve is on, your certificates will be retrieved automatically.  You're done.
  2. Otherwise, the pending certificates will be displayed in the next screen.
  3. Ask your CA admin to approve the requests.  At this point you can close the wizard and come back to it later.  If you are the CA admin, log on to your CA machine, open a command prompt and run certsrv.msc to open the CA console.  Go to Pending Requests, find the request IDs of the certificates you requested, and issue them.  Close the console once you're done.
  4. Open your wizard if it's closed, view your pending Certificate Requests and hit Retrieve.

Status:

The final page will show your status: which certificates have been denied, which have been approved, and which are still pending.


Using the Certificate Installer:

Note: Install the OpsMgr agents BEFORE running the Installer.


What you need on the agent machine:

  • CertInstaller.exe
  • The generated machine certificate (ex. server1.contoso.com.cer)
  • Root certificate (RootCertificate.cer)
  • MOMCertImport.exe

Installing the certificates:

  1. Load the machine certificate.
  2. Load the root certificate.
  3. Click Install.
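A check to run on the agent after the installer (or a manual import) has put the certificate in the Local Machine Personal store, as an added example that is not part of this post or of the CertGenBinaries.zip tools. It verifies the properties OpsMgr needs before the agent tries to use the certificate, including the missing-private-key case behind the event 20077 / 0x80092004 error discussed in the comments; the FQDN is an assumed placeholder.

```powershell
# Added example (not from the post or the CertGenBinaries.zip tools): validate the
# agent's certificate in LocalMachine\My before relying on it for OpsMgr.
param([string]$Fqdn = "server1.contoso.com")   # constructed example FQDN

function Test-OpsMgrCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    $problems = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Fqdn) { $problems += "subject CN '$cn' is not the FQDN $Fqdn" }
    # A .cer imported on its own has no key: this is the event 20077 / 0x80092004 case.
    if (-not $Cert.HasPrivateKey) { $problems += "no private key (import the .pfx, not the .cer)" }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @(); if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($need in "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2") {   # Server Auth, Client Auth
        if ($oids -notcontains $need) { $problems += "missing EKU $need" }
    }
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $want = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]"DigitalSignature, KeyEncipherment"
    if (-not $ku -or (([int]$ku.KeyUsages -band $want) -ne $want)) { $problems += "key usage lacks DigitalSignature + KeyEncipherment" }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += "outside validity period" }
    # Verify() builds the chain; it fails if RootCertificate.cer was not imported into Trusted Root CAs.
    if (-not $Cert.Verify()) { $problems += "chain does not validate (is the root CA cert in Trusted Root Certification Authorities?)" }
    return $problems
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$found = @($store.Certificates | Where-Object { $_.Subject -like "*CN=$Fqdn*" })
$store.Close()
if ($found.Count -eq 0) { Write-Host "No certificate for $Fqdn in LocalMachine\My."; exit 1 }
foreach ($c in $found) {
    $p = @(Test-OpsMgrCert -Cert $c -Fqdn $Fqdn)
    if ($p.Count -eq 0) { Write-Host "OK  $($c.Thumbprint) is usable for OpsMgr certificate authentication" }
    else { Write-Host "BAD $($c.Thumbprint): $($p -join '; ')" }
}
```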

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included utilities are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


-Adam Kiu

System Center Operations Manager

Attachment: CertGenBinaries.zip
  • PingBack from http://www.systemcenterforum.org/certgenwizardexe-a-new-way-to-configure-certificates-in-operations-manager-2007/

  • Wouldn't the new OpsManJam site be the best place for this?

  • The OpsMgr 2007 product team just announced their new Certificate Generation Wizard over on the MOMTeam

  • To mutually authenticate the non-domain joined agent, both the non-domain joined agent and the server

  • Tool doesn't work when CA-Name has spaces in it.

  • What does this mean?

    Event Type: Error

    Event Source: OpsMgr Connector

    Event Category: None

    Event ID: 20077

    Date: 8/28/2008

    Time: 10:18:20 AM

    User: N/A

    Computer: NAMEMASK

    Description:

    The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication, because the certificate cannot be queried for property information.  The specific error is 0x80092004(%3).

    This typically means that no private key was included with the certificate.  Please double-check to ensure the certificate contains a private key.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  • Qiang - read this... looks like you screwed up something:

    http://joeelway.spaces.live.com/blog/cns!2095EAC3772C41DB!983.entry

  • Put "" around the CA name if it contains spaces.

  • Tom, thanks for your help!

    That blog gives a solution for the problem EVENT ID 21036, "The error is The credentials supplied to the package were not recognized (0x8009030D)."

    What hit me is problem EVENT ID 20077, "the certificate cannot be queried for property information.  The specific error is 0x80092004(%3)."

    When I use .PFX cert instead of .CER cert, it works well. Why?

  • Hi,

    I ran the program and was able to supply the computer name and then selected the template.  However, as soon as I hit the "Create" button, I received an error saying that "The system cannot find the file specified, 0x80070002(WIN32: 2) {file name.req}". We ran Enterprise CA.  Any idea?

  • KC, did you run the tool on Windows XP?

    If so, that won't work. Try running it on a W2k3 SP1 server, W2k8 server or a Vista box...

  • KC, you may want to try and replace Certutil.exe found in CertGenBinaries.zip with the Certutil.exe from the W2k3 Admin Pack.

    You can download the admin pack from: http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en
