Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM

This series of posts covers how to monitor SCOM clients that are not members of the Kerberos domain. Monitoring these “non-domain member” servers requires some extra steps. This is the second post in my series about monitoring.

The description is provided ‘from the ground up’. If you have already completed some of the steps, you can skip ahead to the next section.

This section explains how to make a SCOM certificate template in Windows 2012 Server.

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to a untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

1. To Configure the SCOM Certificate Template
In my lab, I installed the Root CA on the Domain Controller.

1. Open Server Manager, click Tools, click Certification Authority.

2. Select the Enterprise CA, right-click Certificate Templates, and select Manage.

3. In the console that opens, right-click IPSec (Offline request) and select Duplicate Template.

4. Leave the defaults at Windows Server 2003 and Windows XP / Server 2003. This way we are always backwards compatible.

5. Go to the General tab and type a logical Template Display name and Template Name (we used OpsMgr Certificate and OpsMgrCertificate). We changed the validity period to 5 years.

6. Go to the Request Handling tab. Check the option Allow private key to be exported.

7. Go to the Cryptography tab and choose the minimum key size; we selected 2048. This is sufficient and takes less CPU time to process. Also check the Microsoft Enhanced Cryptographic Provider v1.0 box.

8. Go to the Extensions tab. Select Application Policies and click Edit. Remove IP security IKE intermediate, add the following policies: Client Authentication and Server Authentication, and click OK.

9. Go to the Security tab. Authenticated Users need to have Read access.

10. Click Apply and OK. The template is now created.

Now that we have created the template, it’s time to make it available.

11. Open Server Manager, click Tools, click Certification Authority, right-click Certificate Templates, and select New, then Certificate Template to Issue.

12. Choose the OpsMgr Certificate and click OK.

After these steps the OpsMgr Certificate template is displayed in the certificate templates.
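
To confirm that the template ended up as configured in steps 6 to 8, the following PowerShell check can be used. It is an added example, not part of the original post. The function names and the sample values are hypothetical; the `msPKI-*` names are the attributes Active Directory stores on the template object.

```powershell
# Added example: audit the template settings chosen in steps 6-8.
$Oid = @{
    'Client Authentication'        = '1.3.6.1.5.5.7.3.2'
    'Server Authentication'        = '1.3.6.1.5.5.7.3.1'
    'IP security IKE intermediate' = '1.3.6.1.5.5.8.2.2'
}
$ExportableKeyFlag = 0x10   # CT_FLAG_EXPORTABLE_KEY bit in msPKI-Private-Key-Flag

function Test-OpsMgrTemplate {   # hypothetical helper name
    param([string[]]$ApplicationPolicy, [int]$MinimalKeySize, [int]$PrivateKeyFlag)
    $findings = @()
    foreach ($name in 'Client Authentication', 'Server Authentication') {
        if ($ApplicationPolicy -notcontains $Oid[$name]) {
            $findings += "Step 8: '$name' policy is missing"
        }
    }
    if ($ApplicationPolicy -contains $Oid['IP security IKE intermediate']) {
        $findings += "Step 8: 'IP security IKE intermediate' was not removed"
    }
    if ($MinimalKeySize -lt 2048) {
        $findings += "Step 7: minimum key size is $MinimalKeySize, expected 2048 or more"
    }
    if (-not ($PrivateKeyFlag -band $ExportableKeyFlag)) {
        $findings += 'Step 6: private key is not marked exportable'
    }
    if ($findings.Count -eq 0) { 'OK: template matches steps 6-8' } else { $findings }
}

function Get-TemplateFromAD {    # hypothetical helper; needs a domain-joined host
    param([string]$Name = 'OpsMgrCertificate')
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $t = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    @{
        ApplicationPolicy = @($t.Properties['msPKI-Certificate-Application-Policy'])
        MinimalKeySize    = [int]$t.Properties['msPKI-Minimal-Key-Size'].Value
        PrivateKeyFlag    = [int]$t.Properties['msPKI-Private-Key-Flag'].Value
    }
}

# Constructed sample: a duplicate that still carries the IPSec policy and a short key.
$sample = @{ ApplicationPolicy = @('1.3.6.1.5.5.8.2.2'); MinimalKeySize = 1024; PrivateKeyFlag = 0 }
Test-OpsMgrTemplate @sample

# On a domain-joined host, audit the real template instead:
#   $live = Get-TemplateFromAD; Test-OpsMgrTemplate @live
```
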
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to a untrusted server