Mutual Authentication for SCOM Part 2: Certificate Request


This is part 2 of a series about Mutual Authentication for SCOM.

Mutual Authentication for SCOM Part 1: Root CA

Mutual Authentication for SCOM Part 2: Certificate Request

Mutual Authentication for SCOM Part 3: Prepare Gateway /DMZ server for Mutual Authentication

In my previous post I wrote about what to set up on the Root CA. This post is about the certificate request on the Operations Manager Management Server.

Start mmc and add the Certificates snap-in for the computer account.


Choose “Request New Certificate”. Select your recently created certificate template and click on “More information is required to enroll for this certificate. Click here to configure”.

Fill out “Common name” and “DNS”; I recommend adding more information such as Locality or Country.

I also recommend filling in the FQDN under “General” / “Friendly name”.

Under “Extensions” / “Key Usage” make sure that the “Selected options” are “Digital signature” and “Key encipherment”, and that under “Extended Key Usage (application policies)” both “Server Authentication” and “Client Authentication” are checked.


Everything else in Extensions can be left as is.

Under “Private Key” / “Cryptographic Service Provider” check that “Microsoft RSA SChannel Cryptographic Provider (Encryption)” and “Microsoft Enhanced Cryptographic Provider v1.0 (Encryption)” are enabled.

Also make sure that “Key size” is “2048” and that “Make private key exportable” is set.

Under “Certification Authority”, make sure your CA is listed.

Leave “Signature” as is and click “Enroll” to request the certificate.

To make sure the request went fine, double-click the certificate and have a look at the certification path. If everything is okay it will look like this, or close to it.

As a final step you need to import the certificate with “MOMCertImport.exe” to make it available to Operations Manager.

You can find “MOMCertImport.exe” on the ISO file under “\SupportTools\AMD64”.

Select the certificate and click “OK”.
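Before running MOMCertImport.exe it is worth checking from the command line that the enrolled certificate really carries the attributes configured above (Key Usage, both Enhanced Key Usages, a 2048-bit RSA key, a private key and a valid chain). The following PowerShell function is an added example, not part of the original post or of Operations Manager; the FQDN passed to it is a placeholder for your management server's name.

```powershell
# Added example (not from the original post): verify that a certificate in the
# computer's Personal store meets the SCOM mutual-authentication requirements.
function Test-ScomCertificate {
    param([Parameter(Mandatory)][string]$Fqdn)   # placeholder: your server FQDN

    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Fqdn*" }
    if (-not $certs) {
        Write-Warning "No certificate with CN=$Fqdn found in Cert:\LocalMachine\My"
        return
    }

    foreach ($cert in $certs) {
        # Key Usage (OID 2.5.29.15) must include Digital Signature and Key Encipherment
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $kuOk = ($ku -ne $null) -and
                $ku.KeyUsages.HasFlag($flags::DigitalSignature) -and
                $ku.KeyUsages.HasFlag($flags::KeyEncipherment)

        # Enhanced Key Usage (OID 2.5.29.37) must list Server Authentication
        # (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2)
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $ekuOk = ($ekuOids -contains '1.3.6.1.5.5.7.3.1') -and
                 ($ekuOids -contains '1.3.6.1.5.5.7.3.2')

        # RSA public key size (null if the key is not RSA)
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

        # Exportability is only readable for CSP-backed keys (e.g. Microsoft RSA SChannel)
        $exportable = $null
        try { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable } catch { }

        # Build the certification path to a trusted root; revocation is skipped so
        # the trust-path check does not depend on CRL reachability from this host
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            KeyUsageOk    = [bool]$kuOk
            EkuOk         = [bool]$ekuOk
            RsaKeySize    = $rsa.KeySize        # expect 2048
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            ChainOk       = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

Test-ScomCertificate -Fqdn 'scom-ms.example.com' | Format-List   # placeholder FQDN
```

A certificate is ready for MOMCertImport.exe when every *Ok field is True, RsaKeySize is 2048 and HasPrivateKey is True; a False ChainOk with a non-empty ChainStatus points at the Root CA trust set up in part 1.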


Now you need to request exactly the same certificate, with the one difference that it is requested for the gateway or DMZ server. So all you’ve got to do is switch the hostname within the re


In the next part I’ll tell you how to make your gateway or DMZ server ready for mutual authentication.




© 2017 IT-Pirate