How to Create a Certificate in a Stand-Alone CA for Operations Manager 2007

The following procedures provide the steps to obtain a certificate from a stand-alone certification authority (CA) by using Certificate Services, which is a component of Windows 2000 Server and Windows Server 2003. The procedures need to be performed in the following order:

  • Request a certificate from a stand-alone CA.
  • Approve the pending certificate request. If Certificate Services has been configured to auto-approve certificates, proceed to the procedure to retrieve the certificate. Otherwise, the CA administrator needs to issue the certificate. If you are the CA administrator, issue the certificate by using the procedure in this topic.
  • Retrieve the certificate.
  • Import the certificate into Operations Manager. For more information, see How to Import Certificates in Operations Manager 2007.
  • Import the CA certificate. For more information, see How to Import a CA Certificate for Use with Operations Manager 2007.

To request a certificate from a stand-alone CA

  1. Log on to the computer where you want to install a certificate (for example, gateway server or Management Server).

  2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).

  3. On the Microsoft Certificate Services Welcome page, click Request a certificate.

  4. On the Request a Certificate page, click Or, submit an advanced certificate request.

  5. On the Advanced Certificate Request page, click Create and submit a request to this CA.

  6. On the Advanced Certificate Request page, do the following:

    1. Under Identifying Information, in the Name field, enter a unique name, for example the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the remaining fields, enter the appropriate information.

      Note

      Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.

    2. Under Type of Certificate Needed, click the list and select Other. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2.

    3. Under Key Options, click Create a new key set; in the CSP field, select Microsoft Enhanced Cryptographic Provider v1.0; under Key Usage, select Both; under Key Size, select 1024; select Automatic key container name; select Mark keys as exportable; clear Export keys to file; clear Enable strong private key protection; and then click Store certificate in the local computer certificate store.

    4. Under Additional Options, under Request Format, select CMC; in the Hash Algorithm list, select SHA-1; clear Save request to a file; and then in the Friendly Name field, enter the fully qualified domain name (FQDN) of the computer that you are requesting the certificate for.

    5. Click Submit.

    6. If a Potential Security Violation dialog box is displayed, click Yes.

    7. After the Certificate Pending page displays, close the browser.

To approve the pending certificate request

  1. Log on to the computer hosting Certificate Services as a Certification Authority Administrator.

  2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.

  3. In Certification Authority, expand the node for your certification authority name, and then click Pending Requests.

  4. In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.

  5. Click Issued Certificates, and confirm the certificate you just issued is listed.

  6. Close Certification Authority.

To retrieve the certificate

  1. Log on to the computer where you want to install a certificate; for example, gateway server or Management Server.

  2. Start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).

  3. On the Microsoft Certificate Services Welcome page, click View the status of a pending certificate request.

  4. On the View the Status of a Pending Certificate Request page, click the certificate you requested.

  5. On the Certificate Issued page, click Install this certificate.

  6. In the Potential Scripting Violation dialog box, click Yes.

  7. On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.
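
To confirm that the installed certificate has the properties set in the request procedure, the following PowerShell check can be run on the same computer. It is an added example, not part of the original documentation or of Operations Manager, and it assumes PowerShell 2.0 or later is available; the variable names and the Usable column are illustrative. It lists each certificate in the local computer Personal store and shows whether its name matches the computer FQDN, whether both OIDs from the request (1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2) are present, whether a private key is attached, and whether the certificate is within its validity period.

```powershell
# Added example: verify the certificate installed by the procedures above.
# Assumption: the certificate is in the local computer Personal store.
$serverAuth = '1.3.6.1.5.5.7.3.1'   # first OID entered in the request
$clientAuth = '1.3.6.1.5.5.7.3.2'   # second OID entered in the request

# FQDN of this computer; the Name field of the request has to match it.
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$now = Get-Date

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Collect the enhanced key usage OIDs carried by this certificate.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is $ekuType) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }
    $name = $cert.GetNameInfo($nameType, $false)   # subject name (CN)
    $row = New-Object PSObject -Property @{
        Name       = $name
        Thumbprint = $cert.Thumbprint
        NameIsFqdn = ($name -eq $fqdn)
        ServerAuth = ($ekuOids -contains $serverAuth)
        ClientAuth = ($ekuOids -contains $clientAuth)
        PrivateKey = $cert.HasPrivateKey
        InValidity = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    }
    # Usable only when every check passes.
    $ok = $row.NameIsFqdn -and $row.ServerAuth -and $row.ClientAuth -and
          $row.PrivateKey -and $row.InValidity
    $row | Add-Member -MemberType NoteProperty -Name Usable -Value $ok -PassThru
}

$report |
    Select-Object Name, NameIsFqdn, ServerAuth, ClientAuth, PrivateKey, InValidity, Usable, Thumbprint |
    Format-Table -AutoSize
```

A row with NameIsFqdn set to False corresponds to the name mismatch described in the note about Event ID 20052.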

See Also

Tasks

How to Create a Certificate in an Enterprise CA for Operations Manager 2007
How to Import a CA Certificate for Use with Operations Manager 2007
How to Import Certificates in Operations Manager 2007
How to Remove a Certificate that was Imported with the MOMCertImport Tool in Operations Manager 2007

Concepts

Certificates in Operations Manager 2007
Mutual Authentication in Operations Manager 2007

Other Resources

About Security in Operations Manager 2007
Security Considerations in Operations Manager 2007
