Installing the Root CA & Creating SCOM Certificate Template
We recently set up a SCOM 2016 infrastructure in an organization and were then asked to monitor a few Workgroup servers as well.
System Center Operations Manager requires mutual authentication be performed between agents and management servers prior to the exchange of information between them. To secure the authentication process between the two, the process is encrypted. When the agent and the management server reside in the same Active Directory domain or in Active Directory domains that have established trust relationships, they make use of Kerberos V5 authentication mechanisms provided by Active Directory. When the agents and management servers do not lie within the same trust boundary, other mechanisms must be used to satisfy the secure mutual authentication requirement.
In Operations Manager, this is accomplished using X.509 certificates issued for each computer, i.e. a certificate must be issued and installed on every agent server and on every management server that the agents report to.
The following illustration shows the authentication relationships in a management group using certificate authentication.
So, let’s start installing and configuring the Certificate Authority Server and after that we will create SCOM Certificate Template.
Note: If you already have an Enterprise Root CA, you do not need to install a new one. You can go straight to creating the SCOM Certificate Template.
Install & Configure Certificate Authority Server
1: Login on to Domain Controller Server and open Server Manager.
2: Click on Manage and select Add Roles and Features option.
3: Click Next three times to reach the Server Roles page.
4: Select Active Directory Certificate Services role and click Next.
5: Click Next.
6: Click Next.
7: Select below Role Services and click Next.
- Certification Authority
- Certificate Enrollment Web Service
- Certification Authority Web Enrollment
8: Click Next.
9: Leave the options to default and click Next.
10: Click Install button.
The installation may take few minutes to complete.
11: Click Close button to close the Add Roles and Features Wizard.
12: Open Server Manager and click on Notifications flag.
13: Click Configure Active Directory Certificate Services on the destination server option.
14: Specify the credentials to configure role services and click Next.
Note: Make sure the credentials you use to configure these role services belong to the local Administrators group and, because this is an Enterprise CA, to the Enterprise Admins group.
15: Select below Role Services and click Next.
- Certification Authority
- Certification Authority Web Enrollment
Note: The Certificate Enrollment Web Service has to point at a CA that already exists, so it cannot be configured in the same wizard pass as the Certification Authority itself. We therefore configure the CA and Web Enrollment first and come back for the Certificate Enrollment Web Service in a second pass.
16: Select Enterprise CA and click Next.
17: Select Root CA and click Next.
18: Select Create a new private key and click Next.
19: Leave the cryptographic provider (RSA#Microsoft Software Key Storage Provider) and the key length (2048) at their defaults. Do not go below 2048 bits for a CA key.
20: Change the hash algorithm to SHA256 and click Next. SHA1 is deprecated for certificate signatures and should not be used for a new CA.
21: Change the Common name for this CA (if required) and click Next.
We are keeping it to default.
22: Specify the validity period for the certificate generated for this CA and click Next.
23: Specify the database locations and click Next.
24: Review the configuration and click Configure button.
25: Both selected role services should be configured within a few seconds.
26: Click Close button to close the AD CS Configuration Wizard.
Soon after you click Close in the AD CS Configuration Wizard, you should be prompted to configure the additional role service.
27: Click Yes button as we need to install the remaining role Certificate Enrollment Web Service.
28: Specify the appropriate credentials as we provided in Step 14 and click Next button.
29: Select Certificate Enrollment Web Service option and click Next.
30: Leave the options to default and click Next.
31: Leave the option to default and click Next.
32: Specify the service account; it must be a member of the local IIS_IUSRS group on this server.
33: Click Next.
34: Specify the Server Authentication Certificate (the TLS certificate IIS will present for the enrollment web service site) and click Next.
35: Click Configure button.
36: AD CS Configuration is done. Click Close button to close the AD CS Configuration Wizard.
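The same build done from an elevated PowerShell session on the server that will host the CA, as an added example (it is not part of the original article). The CA common name CORP-ROOT-CA and the service account CORP\svc-ces are assumed names, and the script assumes a server authentication certificate for this host already sits in the local machine store; run it as a member of Enterprise Admins and local Administrators.

```powershell
# Added example, not from the original article. Assumed names: CA common name
# 'CORP-ROOT-CA', CES service account 'CORP\svc-ces'. Run elevated, as a member of
# Enterprise Admins and the local Administrators group.

# Steps 4-11: install the three role services. -IncludeManagementTools also gives
# you the Certification Authority MMC snap-in and the ADCSAdministration module.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc -IncludeManagementTools

# Steps 15-26: configure the Enterprise Root CA together with Web Enrollment.
# SHA256 and a 2048-bit RSA key on the default software KSP; 10 years is a common
# root validity, but follow your own PKI policy.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'CORP-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'C:\Windows\system32\CertLog' `
    -LogDirectory 'C:\Windows\system32\CertLog' `
    -Force

Install-AdcsWebEnrollment -Force

# Steps 27-36: configure the Certificate Enrollment Web Service in a second pass.
# It needs an existing CA to target, a service account that is in IIS_IUSRS, and
# a TLS certificate to bind to the site.
$caConfig    = "$env:COMPUTERNAME\CORP-ROOT-CA"
$svcAccount  = 'CORP\svc-ces'
$svcPassword = Read-Host -Prompt "Password for $svcAccount" -AsSecureString
Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $svcAccount -ErrorAction SilentlyContinue

# Pick the newest certificate in the machine store that carries Server
# Authentication (1.3.6.1.5.5.7.3.1) and is issued to this host.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
                   $_.Subject -like "CN=$env:COMPUTERNAME*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sslCert) { throw 'No server authentication certificate found for the CES site.' }

Install-AdcsEnrollmentWebService `
    -CAConfig $caConfig `
    -ServiceAccountName $svcAccount `
    -ServiceAccountPassword $svcPassword `
    -AuthenticationType Kerberos `
    -SSLCertThumbprint $sslCert.Thumbprint `
    -Force

# Sanity check: the new CA answers ICertRequest pings under the expected config string.
certutil -config $caConfig -ping
```

The wizard's defaults are spelled out as explicit parameters so the choices that matter for security (key length, hash algorithm, CA type, the TLS certificate for the enrollment site) are visible in the script and in change history, rather than hidden behind "leave the default".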
Create SCOM Certificate Template
This is the most common scenario: the organization already has an Enterprise CA but does not have a SCOM Certificate Template. If that is your situation, follow these steps.
1: Log on to the Enterprise CA server and open the Certification Authority console (certsrv.msc).
2: Right click Certificate Templates folder and click Manage.
3: Right click IPSec (Offline request) and click Duplicate Template.
4: Leave the Compatibility tab fields to default.
5: Click on General tab and provide your template a suitable name.
6: Adjust the Validity period so it adheres to the security policy of your company.
7: Click on the Request Handling tab and put a check mark on the Allow private key to be exported option. This is required here because the certificate is requested on the domain side and then carried to the Workgroup server as a PFX; protect that PFX with a strong password and delete it once imported.
8: Click on the Cryptography tab and set Minimum key size to 2048. 1024-bit RSA keys are deprecated and should not be issued by a new template.
9: Under Providers, select Microsoft RSA SChannel Cryptographic Provider and Microsoft Enhanced Cryptographic Provider v1.0.
10: Click on Application Policies and click Edit button.
11: Select the default policy and click Remove button.
12: Click on Add button.
13: Hold the Ctrl key on the keyboard and select below Application policies
- Client Authentication
- Server Authentication
14: Click OK twice.
15: On the Security tab, grant Authenticated Users Read access only. Do not grant them Enroll: this template inherits the IPSec (Offline request) setting that the subject name is supplied in the request and it carries the Client Authentication policy, so Enroll for Authenticated Users would let any domain account request a certificate for a subject of its choosing. Enroll is granted only to the specific accounts added in the next steps.
16: Click on Add button and click Object Types.
17: Put check mark on Computers and click OK.
18: Add the SCOM Management Server computer account here and click OK.
19: Select the added computer account, grant Read and Enroll permissions.
20: Click Apply and OK to save the changes.
21: Open Certificate Authority and right click Certificate Templates.
22: Click New and select Certificate Template to Issue.
23: Select the SCOM template we created and click OK button.
SCOM template should be visible under Certificate Templates folder now.
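Before publishing the template, it is worth confirming in Active Directory that the duplicate actually carries the settings from the steps above and that Enroll has not been left with a broad group. The following script, added here as an example and not part of the original article, reads the template object from the Configuration partition, checks the application policies, key size, subject-in-request and exportable-key flags, inspects who holds Enroll, and only then publishes the template with Add-CATemplate (the PowerShell equivalent of steps 21-23). It requires the ActiveDirectory and ADCSAdministration modules on the CA; the template name SCOMCert is an assumption, replace it with the name you gave the template on the General tab.

```powershell
# Added example, not from the original article. Assumed template name: 'SCOMCert'.
# Run on the CA as an account that can read the Configuration partition.
param([string]$TemplateName = 'SCOMCert')

Import-Module ActiveDirectory
Import-Module ADCSAdministration

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -Identity $templateDN -Properties pKIExtendedKeyUsage,'msPKI-Minimal-Key-Size','msPKI-Certificate-Name-Flag','msPKI-Private-Key-Flag'

$findings = New-Object System.Collections.Generic.List[string]

# Step 13: application policies must be Client Authentication and Server Authentication.
$ekus = @($tpl.pKIExtendedKeyUsage)
foreach ($oid in '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1') {
    if ($ekus -notcontains $oid) { $findings.Add("Missing application policy $oid") }
}

# Step 8: refuse anything below 2048-bit RSA.
if ([int]$tpl.'msPKI-Minimal-Key-Size' -lt 2048) {
    $findings.Add("Minimum key size is $($tpl.'msPKI-Minimal-Key-Size'), expected 2048 or more")
}

# Subject supplied in the request (inherited from IPSec (Offline request)) is needed
# because a Workgroup server has no AD object to build a subject name from.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
if (([int]$tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0) {
    $findings.Add('Subject name is not supplied in the request')
}

# Step 7: the private key must be exportable so it can be moved to the agent as a PFX.
$CT_FLAG_EXPORTABLE_KEY = 0x10
if (([int]$tpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -eq 0) {
    $findings.Add('Private key is not marked exportable')
}

# Steps 15-19: with subject-in-request plus Client Authentication, Enroll must be held
# only by the accounts that really request agent certificates, never by broad groups.
$enrollRight  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$genericAll   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$broadSids    = @('S-1-1-0', 'S-1-5-11')                        # Everyone, Authenticated Users
$broadRidTail = @('-513', '-515')                                # Domain Users, Domain Computers

$acl = Get-Acl -Path "AD:\$templateDN"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights
    $hasGenericAll  = (($rights -band $genericAll) -eq $genericAll)
    $hasEnrollRight = ((($rights -band $extRight) -ne 0) -and
                       (($ace.ObjectType -eq $enrollRight) -or ($ace.ObjectType -eq [guid]::Empty)))
    if (-not ($hasGenericAll -or $hasEnrollRight)) { continue }
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }
    $isBroad = ($broadSids -contains $sid) -or [bool]($broadRidTail | Where-Object { $sid.EndsWith($_) })
    if ($isBroad) { $findings.Add("Broad principal $($ace.IdentityReference) holds Enroll") }
    else          { Write-Host "Enroll granted to: $($ace.IdentityReference)" }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw "Template $TemplateName failed the checks above; fix it before publishing."
}

# Steps 21-23: publish the template on this CA and show it in the issued list.
Add-CATemplate -Name $TemplateName -Force
Get-CATemplate | Where-Object Name -eq $TemplateName
```

The ACL check treats GenericAll and an unscoped ExtendedRight as implying Enroll, because both allow enrollment even though the Certificate-Enrollment GUID never appears in the ACE; that is the case an eyeball review of the Security tab tends to miss.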
On the SCOM Management Server (the computer account that was granted Read and Enroll while creating the template), launch the Certificate Server website (e.g. https://scmvpcd/Certsrv).
The SCOM template should be listed there. Note that the website authenticates the logged-on user rather than the computer, so the user submitting the request also needs Enroll on the template; Domain Admins and Enterprise Admins keep that right from the original IPSec (Offline request) template.
TIP: If the Certificate Server website does not load completely, add its URL to the Local intranet zone in Internet Options rather than disabling IE Enhanced Security Configuration for the whole server; disable IE ESC under Server Manager only if that is not enough.
The SCOM Certificate Template is ready and we can move on to discovering Workgroup servers in our SCOM environment.
In my next article, I will show you how to install the certificate using SCOM template and discover Workgroup servers in SCOM.
Hope this helps.