Troubleshooting OpsMgr 2007 and OpsMgr 2012 certificate issues with PowerShell

The steps for configuring certificates in Operations Manager are numerous and one can easily get them confused. I see posts to the newsgroups and discussion lists regularly trying to troubleshoot why certificate authentication is not working, perhaps for a workgroup machine or gateway. Sometimes it takes 3 or 4 messages back and forth before I or anyone else can diagnose what the problem actually is, but once this is finally done we can suggest how to fix the problem.

In an attempt to make this diagnosis stage easier, I put together a PowerShell script that automatically checks installed certificates for the needed properties and configuration. If you think everything is set up correctly but the machines just won't communicate, try running this script on each computer and it will hopefully point you to the issue. I have tried to provide useful knowledge for fixing the problems.

This script is for stand-alone PowerShell 1.0 - it does not require the Ops Mgr PowerShell snap-ins.

Please leave a comment if you find bugs or if the script gives a faulty verdict for you - either it says your setup is fine but actually it's not working OR it says your setup is busted but the machines communicate anyway. I appreciate this feedback and will use it to improve and update the script.

Thanks!  

Lincoln

Update 2/6/2009:  Added some fixes to the script thanks to feedback from a few sources and a bit of extra testing.

Update 7/1/2009: Fix for computer name checking for workgroup machines

Attachment: OMv3CertCheck.ps1
Leave a Comment
  • Great post Lincoln, configuring certificates is really a hard process, so with this PowerShell tool we can be more sure.

    Thank you so much.

    Cleber Marques

    Operations Manager 2007 MVP

  • I am getting a blue page, which I think means Explorer has a fault.

  • Hello, I am getting the error message below while running the script. Can you please help!

    PS C:\Users\Administrator.VAACRWDMZ> C:\Users\Administrator.VAACRWDMZ\Desktop\OMv3CertCheck.ps1
    Checking that there are certs in the Local Machine Personal store...
    Verifying each cert...

    Examining cert - Serial number 2E9DF449000100000169
    ---------------------------------------------------
    Cert subjectname
    Private key
    Expiration
    Enhanced Key Usage Extension
    Key Usage Extensions
    KeySpec
    Serial number written to registry
    The serial number written to the registry does not match this certificate
    Expected registry entry: 69010000010049F49D2E
    Actual registry entry: 6A0100000100D71AFB2E
    Certification chain
    There is a valid certification chain installed for this cert,
    but the remote machines' certificates could potentially be issued from
    different CAs. Make sure the proper CA certificates are installed
    for these CAs.
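
The serial-number check that fails in the output above, as an added example that is not part of the original post or of OMv3CertCheck.ps1: in the values printed there, the expected registry entry is the certificate's serial number with its bytes in reverse order, so reversing the actual entry gives the serial of the certificate the registry really points to. The function names are hypothetical, and the registry value is passed in as a hex string because the page does not name the registry key it is read from.

```powershell
# Added example, not code from OMv3CertCheck.ps1. Function names are hypothetical.
# New-Object -Property needs PowerShell 2.0 or later.

# Reverse the byte order of a hex string (spaces, colons and dashes are ignored).
function ConvertTo-ReversedHex {
    param([string]$Hex)
    $clean = ($Hex -replace '[\s:-]', '').ToUpper()
    if ($clean -notmatch '^([0-9A-F]{2})+$') {
        throw "Not an even-length hex string: '$Hex'"
    }
    $pairs = @()
    for ($i = $clean.Length - 2; $i -ge 0; $i -= 2) {
        $pairs += $clean.Substring($i, 2)
    }
    [string]::Join('', [string[]]$pairs)
}

# Compare a certificate serial with the hex value found in the registry.
function Test-SerialRegistryEntry {
    param([string]$CertSerial, [string]$RegistryHex)
    $expected = ConvertTo-ReversedHex $CertSerial
    $actual   = ($RegistryHex -replace '[\s:-]', '').ToUpper()
    New-Object PSObject -Property @{
        Expected       = $expected
        Actual         = $actual
        Match          = ($expected -eq $actual)
        # Serial of the certificate the registry entry actually refers to
        RegistrySerial = (ConvertTo-ReversedHex $actual)
    }
}

# Look up a certificate by serial in the Local Machine Personal store.
function Find-CertBySerial {
    param([string]$Serial, [string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath | Where-Object { $_.SerialNumber -eq $Serial }
}

# Sample input: the two values printed in the comment's output above.
$check = Test-SerialRegistryEntry -CertSerial '2E9DF449000100000169' `
                                  -RegistryHex '6A0100000100D71AFB2E'
$check | Format-List Expected, Actual, Match, RegistrySerial

if (-not $check.Match) {
    # Shows whether the certificate the registry points to is still installed.
    Find-CertBySerial $check.RegistrySerial |
        Format-List Subject, SerialNumber, NotAfter
}
```

If the lookup returns nothing, the registry refers to a certificate that is no longer in the Local Machine Personal store.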