Wednesday, August 31, 2011

Using Internal Certificates with SCOM on Windows Server 2008 Part 2

In Part 1 of this series, I explained how to download and import the Trusted Root Certificate Authority root certificate onto the server that you want to use internal PKI authentication with from within your SCOM environment.

In this part of the series, I will detail how to create a certificate template within your Windows Server 2008 Certificate Authority which will make it very easy later on to create a certificate request from your SCOM RMS, MS, Gateway or untrusted domain/DMZ servers.

Creating the SCOM Certificate Template

On the computer that is hosting your enterprise CA, from the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
In the navigation pane, expand the CA name, right-click Certificate Templates, and then click ‘Manage’ to open the ‘Certificate Templates Console’

From the Certificate Templates console, in the results pane, right-click IPSec (Offline request), and then click 'Duplicate Template'

Select either ‘Windows Server 2003’ or ‘Windows Server 2008’ as the minimum supported CA type from the window that opens below

In the 'Properties of New Template' dialog box, on the General tab, in the Template display name text box, type a new name for this template (for example, ‘SCOM Template’) and also set the validity and renewal periods for the certificate here too

On the 'Request Handling' tab, set the ‘Minimum Key Size’ and select the ‘Allow private key to be exported’ check box

Now click on the ‘CSPs’ box to open the ‘CSP Selection’ window. In the CSP Selection window, select the cryptographic service provider that falls into line with your business policies (or just leave the default settings here if you wish)

Back at the ‘Properties of New Template’ window, click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit

In the ‘Edit Application Policies Extension’ dialog box, click ‘IP security IKE intermediate’, and then click Remove

Click Add, and in the Application policies list, hold down the CTRL key to multi-select items from the list, click Client Authentication and Server Authentication, and then click OK

In the Edit Application Policies Extension dialog box, click OK

Click the Security tab, ensure that the Authenticated Users group has Read and Enroll permissions, and then click OK to complete

We now must add the 'Computer' object for the Certificate Authority to have 'Read and Enroll' permissions within the Security tab. This is an additional step that is necessary when using a Windows Server 2008 R2 Certificate Authority due to additonal security requirements.

To add the 'Computer' object, you need to select the 'Add' button from the screen above and then click on the 'Object Types' button from the next screen that pops up. This will open the 'Object Types' window from which you will select the box beside 'Computers' as in the screen below and then click on 'OK'

In the 'Select Users, Computers, Service Accounts or Groups' window, type the name of your Certificate Authority server (in my case it's 'DC-SRV') and then click 'OK'

This should now list your Certificate Authority computer in the 'Security' tab of the SCOM Template properties. You now need to click on the computer name and then select the 'Read' and 'Enroll' permissions as in the screen below

Once you have selected the correct permissions for the 'Authenticated Users' and Certificate Authority 'Computer' accounts, you can click 'OK' to close the SCOM Template properties window

Adding the SCOM Template to the Certificate Templates folder

Once we have created the SCOM Template and configured the correct permissions, we now need to add that template into the Certificate Authority 'Templates' folder for it to be viewable as a template by clients.

Open the Certification Authority snap-in from the 'Administrative Tools' menu on the Certificate Authority server. Within the Certification Authority snap-in, right-click the 'Certificate Templates' folder, point to New, and then click Certification Template to Issue as below

In the Enable Certificate Templates box, select the certificate template that you created, and then click OK

This will now enable the new ‘SCOM Template’ certificate template that you created previously and allow it to be used when requesting future certificates for SCOM through the Certificate Authority Web Browser enrolment tool.

That concludes part 2 of this blog series. In Part 3, I will explain how to request a SCOM certificate from the Certification Authority using the newly created SCOM Template and then how to import that certificate into the 'Local Computer - Certificate' store on the requesting server.

No comments:

Post a Comment