How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

The following procedures provide the steps for obtaining a certificate from an enterprise certification authority (CA) by using Certificate Services, which is a feature in Windows 2000 Server and Windows Server 2003. To obtain a certificate in this manner, perform the following procedures:

  • Download the Trusted Root (CA) certificate.

  • Import the Trusted Root (CA) certificate.

  • Request a certificate from a stand-alone CA.

  • Approve the pending certificate request. If your Certificate Services has been configured to auto-approve certificates, proceed to the next procedure, which is retrieving the certificate. Otherwise, the CA administrator needs to issue the certificate by using the Retrieve the certificate procedure.

  • Retrieve the certificate.

  • Using the MOMCertImport utility, import the certificate into Operations Manager.

To download the Trusted Root (CA) certificate

  1. Log on to the computer where you installed a certificate; for example, the gateway server or management server.

  2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.

  3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.

  4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.

  5. In the File Download dialog box, click Save, and save the certificate; for example, Trustedca.p7b.

  6. When the download has finished, close Internet Explorer.

To import the Trusted Root (CA) Certificate

  1. On the Windows desktop, click Start, and then click Run.

  2. In the Run dialog box, type mmc, and then click OK.

  3. In the Console1 window, click File, and then click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

  6. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

  8. In the Add Standalone Snap-in dialog box, click Close.

  9. In the Add/Remove Snap-in dialog box, click OK.

  10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

  11. Right-click Certificates, select All Tasks, and then click Import.

  12. In the Certificate Import Wizard, click Next.

  13. On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example, TrustedCA.p7b, select the file, and then click Open.

  14. On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.

  15. On the Completing the Certificate Import Wizard page, click Finish.

To request a certificate from a stand-alone CA

  1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server).

  2. Start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).

  3. On the Microsoft Certificate Services Welcome page, click Request a certificate.

  4. On the Request a Certificate page, click Or, submit an advanced certificate request.

  5. On the Advanced Certificate Request page, click Create and submit a request to this CA.

  6. On the Advanced Certificate Request page, do the following:

    1. Under Identifying Information, in the Name field, enter a unique name, for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the remaining fields, enter the appropriate information.

      Note

      Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.

    2. Under Type of Certificate Needed:

      Click the list, and then select Other.

      In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

    3. Under Key Options, make the following selections:

      Click Create a new key set

      In the CSP field, select Microsoft Enhanced Cryptographic Provider v1.0

      Under Key Usage, select Both

      Under Key Size, select 1024

      Select Automatic key container name

      Select Mark keys as exportable

      Clear Export keys to file (not required for Windows Server 2008 AD CS)

      Clear Enable strong private key protection

      Click Store certificate in the local computer certificate store.

    4. Under Additional Options:

      Under Request Format, select CMC

      In the Hash Algorithm list, select SHA-1

      Clear Save request to a file

      In the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.

    5. Click Submit.

    6. If a Potential Security Violation dialog box is displayed, click Yes.

    7. When a Certificate Pending page displays, close the browser.

To approve the pending certificate request

  1. Log on to the computer hosting Certificate Services as a certification authority administrator.

  2. On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.

  3. In Certification Authority, expand the node for your certification authority name, and then click Pending Requests.

  4. In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.

  5. Click Issued Certificates, and confirm the certificate you just issued is listed.

  6. Close Certification Authority.

To retrieve the certificate

  1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server).

  2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).

  3. On the Microsoft Certificate Services Welcome page, click View the status of a pending certificate request.

  4. On the View the Status of a Pending Certificate Request page, click the certificate you requested.

  5. On the Certificate Issued page, click Install this certificate.

  6. In the Potential Scripting Violation dialog box, click Yes.

  7. On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.
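
Before you run MOMCertImport, you can check the installed certificate against the requirements stated in these procedures: both OIDs from the request, a subject name equal to the computer's FQDN (the condition behind Event ID 20052), a private key, and a chain to the imported root. The following is an added example, not part of the original article. It assumes Windows PowerShell is available on the server and that the FQDN is the host name plus the primary DNS suffix.

```powershell
# Added example (not from the original article): report which certificates in the
# local computer Personal store meet the requirements stated in these procedures.
$requiredEkus = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'  # Server + Client Authentication

# Assumption: the FQDN is the host name plus the primary DNS suffix.
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = $ip.HostName
if ($ip.DomainName) { $fqdn = "$($ip.HostName).$($ip.DomainName)" }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $report = foreach ($cert in $store.Certificates) {
        # The Enhanced Key Usage extension (OID 2.5.29.37) holds the intended purposes.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $missing = @($requiredEkus | Where-Object { $ekus -notcontains $_ })

        # The chain must end at a root in Trusted Root Certification Authorities.
        # Revocation is not checked here; only trust in the imported CA chain is tested.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        # Key size is read defensively; some key types do not expose it this way.
        $keyBits = $null
        try { $keyBits = $cert.PublicKey.Key.KeySize } catch { }

        New-Object PSObject -Property @{
            FriendlyName    = $cert.FriendlyName
            SubjectName     = $cert.GetNameInfo('SimpleName', $false)
            HasBothEkus     = ($missing.Count -eq 0)
            NameMatchesFqdn = ($cert.GetNameInfo('SimpleName', $false) -eq $fqdn)
            HasPrivateKey   = $cert.HasPrivateKey
            ChainTrusted    = $chainOk
            KeyBits         = $keyBits
            SignatureAlg    = $cert.SignatureAlgorithm.FriendlyName
        }
    }
}
finally { $store.Close() }

$report | Format-Table FriendlyName, SubjectName, HasBothEkus, NameMatchesFqdn,
    HasPrivateKey, ChainTrusted, KeyBits, SignatureAlg -AutoSize
```

The certificate to select in MOMCertImport is the row where HasBothEkus, NameMatchesFqdn, HasPrivateKey and ChainTrusted are all True. KeyBits and SignatureAlg are shown so they can be compared with the values selected in the request.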

To import certificates using MOMCertImport

  1. Log on to the computer with an account that is a member of the Administrators group.

  2. On the Windows desktop, click Start, and then click Run.

  3. In the Run dialog box, type cmd, and then click OK.

  4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.

  5. Type cd\SupportTools\i386, and then press ENTER.

    Note

    On 64-bit computers, type cd\SupportTools\amd64

  6. Type the following:

    MOMCertImport

  7. In the Select Certificate dialog box, select the certificate you retrieved in the previous section, and then click OK.

    Note

    If more than one certificate is displayed, select the certificate whose intended purposes are listed as Server Authentication, Client Authentication and whose friendly name matches the friendly name you defined in step 6 (sub-step 4, under Additional Options) of the procedure To request a certificate from a stand-alone CA.

  8. The command window displays the message "Successfully installed the certificate. Please check Operations Manager log in event viewer to check channel connectivity."

See Also

Tasks

How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007