The following few posts are based on my experiences of using SCOM with an internal Certificate Authority on Windows Server 2008. I have broken each post down into separate sets of tasks that need to be completed as you move through the process to make things easier to follow.
Here's a high-level overview of the process:
- Download the Trusted Root (CA) certificate
- Import the Trusted Root (CA) certificate
- Create a certificate template
- Request a certificate from the enterprise CA
- Import the certificate into SCOM
In this first part of the series, I will be focusing on downloading and then importing the Trusted Root Certificate Authority (CA) certificate to the server(s) that you want to use certificate authentication with.
Downloading the Trusted Root (CA) Certificate
Log on to the computer where you want to install a certificate – e.g. RMS, MS, Gateway server or untrusted domain/DMZ server.
Start Internet Explorer, and connect to the Certificate Enrolment URL on the computer hosting Certificate Services; for example, http://<servername>/certsrv
On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
If you are using Windows Server 2008 with Internet Explorer 7 or higher, you will more than likely come across an ActiveX error when you get to the next page, similar to the one in the screenshot below.
To resolve this issue, open Internet Explorer properties and go to the ‘Security’ tab, then click on ‘Trusted Sites’ and then select the ‘Sites’ button.
Add the http://<servername>/certsrv URL to the ‘Trusted Sites’ Websites list and un-tick ‘Require server verification (https:) for all sites in this zone’. This un-tick step can be omitted if your URL is published over https instead of http.
Back on the ‘Security’ tab with ‘Trusted Sites’ highlighted, ensure you change the security level to ‘Low’, as the diagram below shows.
Now you should be able to browse back to the http://<servername>/certsrv homepage and, once more, click on the ‘Download a CA certificate, certificate chain, or CRL’ link.
If you now see an ActiveX error and a Web Access Confirmation window like the ones below, you should be able to click ‘Yes’ to continue on each of them.
Now you should be able to select the Encoding method and select the ‘Download CA Certificate’ option from the window that opens, as below.
In the File Download dialog box, click Save, and save the certificate with a relevant name such as ‘rootcert’ to the C:\ drive of your computer.
When the download has finished, close Internet Explorer.
Importing the Trusted Root (CA) Certificate
On the Windows desktop, click Start, and then click Run.
In the Run dialog box, type mmc, and then click OK.
In the Console1 window, click File, and then click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
In the Certificates snap-in dialog box, select Computer account, and then click Next.
In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
Right-click Certificates, select All Tasks, and then click Import as the screenshot below shows
In the 'Certificate Import Wizard' window, click 'Next'
On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example, c:\rootcert.cer, select the file, and then click Open.
On the 'File to Import' page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
On the 'Completing the Certificate Import Wizard' page, click Finish to complete the process.
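For servers where you would rather not lower the Internet Explorer security zone, or where you want a repeatable step for several management servers, the same download-and-import sequence can be scripted. The script below is an added example and is not part of the original post; the CA configuration string, the CA name and the output path are placeholders that must be replaced for your environment. It uses certutil to fetch the CA certificate directly from Certificate Services and the .NET X509Store class, so it runs on the PowerShell 2.0 that ships with Windows Server 2008 without the later PKI module, and it checks that the file really is a self-signed root certificate before placing it in Trusted Root Certification Authorities.

```powershell
# Added example (not from the original post): retrieve the enterprise root CA
# certificate and import it into the Local Computer
# "Trusted Root Certification Authorities" store, then verify the result.
# Uses System.Security.Cryptography.X509Certificates so it works on the
# PowerShell 2.0 included with Windows Server 2008 (no PKI module required).
#
# ASSUMPTIONS (placeholders, replace for your environment):
#   $CaConfig - "<servername>\<CA common name>" as reported by: certutil -dump
#   $CertFile - where the root certificate is saved (the post uses C:\rootcert.cer)

$CaConfig = 'CASERVER\Contoso Root CA'   # placeholder CA configuration string
$CertFile = 'C:\rootcert.cer'

# 1. Download. Equivalent to the web enrollment "Download CA certificate" link,
#    but needs neither Internet Explorer nor a lowered Trusted Sites zone.
#    -ca.cert writes the CA's own certificate to the given file.
& certutil.exe -config $CaConfig -ca.cert $CertFile | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $CertFile)) {
    throw "certutil failed to retrieve the CA certificate from $CaConfig"
}

# 2. Inspect before trusting. X509Certificate2 reads both DER and Base-64 files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

# Only a self-signed certificate belongs in Trusted Root; an intermediate
# (Issuer differs from Subject) belongs in the 'CA' (Intermediate) store.
if ($cert.Subject -ne $cert.Issuer) {
    throw 'Certificate is not self-signed, so it is not a root CA certificate.'
}
# Compare the thumbprint printed above with the one shown in the CA's own
# Certification Authority console before running the import step.

# 3. Import into LocalMachine\Root (run from an elevated prompt).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $store.Add($cert)
} finally {
    $store.Close()
}

# 4. Verify that the store now contains the certificate, by thumbprint.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed) {
    Write-Host "Root CA '$($cert.Subject)' is installed in Trusted Root Certification Authorities."
} else {
    throw 'Import reported success but the certificate is not present in the Root store.'
}
```

Run it once on each RMS, management server or gateway that needs the root certificate; the thumbprint check in step 4 is the same confirmation you would otherwise make by opening the certificate in the MMC console.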
At this point you should have the Trusted Root CA certificate downloaded and installed on your server, and you are ready to move on to the next step. In Part 2 of this blog series, I will explain how to create a certificate template within the Windows Server 2008 Certification Authority that the servers you want to monitor can use to make simple certificate requests from the CA.