How to Obtain a Certificate Using Windows Server 2003 Enterprise CA in Operations Manager 2007

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

The following procedures provide the steps for obtaining a certificate from an enterprise certification authority (CA) by using Certificate Services, which is a feature in Windows 2000 Server and Windows Server 2003. To obtain a certificate in this manner, you must do the following:

  • Download the Trusted Root (CA) certificate.

  • Import the Trusted Root (CA) certificate.

  • Create a certificate template.

  • Request a certificate from the enterprise CA.

  • Import the certificate into Operations Manager.

To download the Trusted Root (CA) certificate

  1. Log on to the computer where you want to install a certificate; for example, the gateway server or management server.

  2. Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.

  3. On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.

  4. On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.

  5. In the File Download dialog box, click Save, and save the certificate; for example, TrustedCA.p7b.

  6. When the download has finished, close Internet Explorer.

To import the Trusted Root (CA) Certificate

  1. On the Windows desktop, click Start, and then click Run.

  2. In the Run dialog box, type mmc, and then click OK.

  3. In the Console1 window, click File, and then click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

  6. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

  8. In the Add Standalone Snap-in dialog box, click Close.

  9. In the Add/Remove Snap-in dialog box, click OK.

  10. In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

  11. Right-click Certificates, select All Tasks, and then click Import.

  12. In the Certificate Import Wizard, click Next.

  13. On the File to Import page, click Browse, go to the location where you saved the CA certificate file (for example, TrustedCA.p7b), select the file, and then click Open.

  14. On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.

  15. On the Completing the Certificate Import Wizard page, click Finish.

To create a certificate template

  1. On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.

  2. In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.

  3. In the Certificate Templates console, in the results pane, right-click IPSec (Offline request), and then click Duplicate Template.

  4. In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template (for example, OperationsManagerCert).

  5. On the Request Handling tab, select Allow private key to be exported, and then click CSPs.

  6. In the CSP Selection dialog box, select the cryptographic service provider that best suits your business needs, and then click OK.

    Note

    Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.

  7. Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit.

  8. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.

  9. Click Add, and in the Application policies list, hold down the CTRL key to multi-select items from the list, click Client Authentication and Server Authentication, and then click OK.

  10. In the Edit Application Policies Extension dialog box, click OK.

  11. Click the Security tab, ensure that the Authenticated Users group has Read and Enroll permissions, and then click OK.

To add the template to the Certificate Templates folder

  1. Within the Certification Authority snap-in, right-click the Certificate Templates folder, point to New, and then click Certificate Template to Issue.

  2. In the Enable Certificate Templates box, select the certificate template that you created, and then click OK.

To request a certificate from an enterprise CA

  1. Log on to the computer where you want to install a certificate (for example, gateway server or management server).

  2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).

  3. On the Microsoft Certificate Services Welcome page, click Request a certificate.

  4. On the Request a Certificate page, click Or, submit an advanced certificate request.

  5. On the Advanced Certificate Request page, click Create and submit a request to this CA.

  6. On the Advanced Certificate Request page, do the following:

    1. Under Certificate Template, select the name of the template you created (for example, OperationsManagerCert).

    2. Under Identifying Information For Offline Template, in the Name field, enter a unique name; for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the rest of the fields, enter the appropriate information.

      Note

      Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.

    3. Under Key Options, click Create a new key set; in the CSP field, select the cryptographic service provider that best suits your business needs; under Key Size, select a key size that best suits your business needs; select Automatic key container name; ensure that Mark keys as exportable is selected; clear Export keys to file; clear Enable strong private key protection; and then click Store certificate in the local computer certificate store.

      Note

      Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.

    4. Under Additional Options, under Request Format, select CMC; in the Hash Algorithm list, select SHA-1; clear Save request to a file; and then in the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.

    5. Click Submit.

    6. If a Potential Scripting Violation message is displayed, click Yes.

    7. On the Certificate Issued page, click Install this certificate.

    8. If a Potential Scripting Violation dialog box is displayed, click Yes.

    9. On the Certificate Installed page, when you see the message that Your new certificate has been successfully installed, close the browser.
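
A read-only check to run between installing the certificate and running MOMCertImport, added here as an example and not part of the original Microsoft procedure: it confirms that the certificate in the local computer store is named with the FQDN, has a private key, carries both application policies set in the template, and chains to the imported root. It assumes Windows PowerShell is installed and that the Name field held this computer's FQDN; the function name Test-OpsMgrCertificate is hypothetical.

```powershell
# Added example (not Microsoft's code): read-only check of the certificate that
# the web enrollment steps installed. Test-OpsMgrCertificate is a hypothetical name.
function Test-OpsMgrCertificate {
    param(
        # Assumption: the Name field of the request held this computer's FQDN.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication OID
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication OID

    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Fqdn })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate named $Fqdn in the local computer Personal store."
        return
    }
    foreach ($cert in $certs) {
        # Collect the application policy (EKU) OIDs carried by the certificate.
        $eku = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Build the chain in machine context so only the computer's own
        # Trusted Root store counts. Revocation is skipped: this tests trust only.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)

        # Reading key properties needs administrator rights; $null means unreadable.
        $exportable = $null
        try { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable } catch { }

        $now = Get-Date
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            KeyExportable = $exportable
            ServerAuthEku = ($eku -contains $serverAuth)
            ClientAuthEku = ($eku -contains $clientAuth)
            ChainsToRoot  = $trusted
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        }
    }
}
Test-OpsMgrCertificate | Format-List
```

If the computer name lookup does not return the FQDN, pass it explicitly with -Fqdn. A False in ChainsToRoot points back to the Trusted Root import procedure, and a False in either Eku field points back to the Application Policies steps of the template.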

To import certificates using MOMCertImport

  1. Log on to the computer with an account that is a member of the Administrators group.

  2. On the Windows desktop, click Start, and then click Run.

  3. In the Run dialog box, type cmd and then click OK.

  4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.

  5. Type cd\SupportTools\i386 and then press ENTER.

    Note

    On 64-bit computers, type cd\SupportTools\amd64

  6. Type the following:

    MOMCertImport /SubjectName <Certificate Subject Name>

  7. Press ENTER.

See Also

Tasks

How to Configure the Operations Console to Use SSL When Connecting to a Reporting Server in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
How to Obtain a Certificate Using Windows Server 2008 Stand-Alone CA in Operations Manager 2007
How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007