The steps for configuring certificates in Operations Manager are numerous and one can easily get them confused. I see posts to the newsgroups and discussion lists regularly trying to troubleshoot why certificate authentication is not working, perhaps for a workgroup machine or gateway. Sometimes it takes 3 or 4 messages back and forth before I or anyone else can diagnose what the problem actually is but once this is finally done we can suggest how to fix the problem.
In an attempt to make this diagnosis stage eaiser, I put together a PowerShell script that automatically checks installed certificates for the needed properties and configuration. If you think everything is set up correctly but the machines just won't communicate, try running this script on each computer and it will hopefully point you to the issue. I have tried to provide useful knowledge for fixing the problems.
This script is for stand-alone Powershell 1.0 - it does not require the Ops Mgr PowerShell snapins.
Please leave a comment if you find bugs or if the script gives a faulty verdict for you - either it says your setup is fine but actually it's not working OR it says your setup is busted but the machines communicate anyways. I appreciate this feedback and will use it to improve and update the script.
Update 2/6/2009: Added some fixes to the script thanks to feedback from a few sources and a bit of extra testing.
Update 7/1/2009: Fix for computer name checking for workgroup machines
Great post Lincoln, config certificates is really a hard process, so with this porwershell tool we can have more shure.
Thank you so much.
Operations Manager 2007 MVP
I am getting blue page, this I think is expolorer has a fault.
Hello, i am getting below error message while running the script. can you please help!
PS C:\Users\Administrator.VAACRWDMZ> C:\Users\Administrator.VAACRWDMZ\Desktop\OMv3CertCheck.ps1
Checking that there are certs in the Local Machine Personal store...
Verifying each cert...
Examining cert - Serial number 2E9DF449000100000169
Enhanced Key Usage Extension
Key Usage Extensions
Serial number written to registry
The serial number written to the registry does not match this certificate
Expected registry entry: 69010000010049F49D2E
Actual registry entry: 6A0100000100D71AFB2E
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.