Mutual Authentication for SCOM Part 1: Root CA

Yo-ho-ho,

This is a 3 part series about Mutual Authentication for SCOM.

Mutual Authentication for SCOM Part 2: Certificate Request

Mutual Authentication for SCOM Part 3: Prepare Gateway /DMZ server for Mutual Authentication

To be honest this is a big one for me. It took me days to figure out to figure out what I needed to fill in every field and what is required.

So what do you need?

Let’s start with duplicating the required certificate. Go to your root CA and open a new mmc. Hit on “File” and “Add/Remove Snap-in…” Select “Certificate Templates” and add it to the selected snap-ins

Search for IPSec (offline request), right -click and duplicate it.

Leave “Compatibility” as is

2014-12-17 17_51_06-wsysca000301 - Remote Desktop Connection In “General” give it a name – I had good experience with something like: Company Name – Use of the Certificate – Validity period – Version number

Check “Allow private key to be exported” in “Request Handling” and leave the rest as is.

Set the minimum key size to “2048” and enable “Microsoft RSA SChannel Cryptographic Provider” and “Microsoft Enhanced Cryptographic Provider v.1.0”

There is nothing to change in “Key Attestation”

2014-12-17 18_08_38-wsysca000301 - Remote Desktop Connection and “Superseded Templates”

In “Extensions” edit “Application Policies” remove “IP security IKE intermediate”. Add “Client Authentication” and “Server Authentication”

2014-12-17 18_16_53-wsysca000301 - Remote Desktop Connection Next tab is security. You’ve got to give “Authenticated Users” the right to “Enroll”

and we need to add “Domain Computers” allow on “Read”, “Write” and “Enroll”.

“Subject Name”, “Server” and Issurance Requirements can be left in default state.

Okay. So the template is done. Next step is to Add the “Certification Authority” Snap-in. Go down to “Certificate Templates”, right-click on it and click on “New” “Certificate Template to Issue”.

The certificate template will appear what means that it is available for requests by now. So you’re done at the CA. Next step is to request the certificate on your SCOM server. You will find the guide in Part 2.

*Captain

Submit a comment on “Mutual Authentication for SCOM Part 1: Root CA” Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.