how to install cert on dmz server for scom agent install?

    Question

  • Hi. We have some servers in the DMZ or in other, untrusted domains (no trust is possible and the HTTP port is not open). We need to install a certificate issued by the SCOM CA server on them in order to install the SCOM agent. Is it possible to import it some other way instead of going to http://caServer/certsvr to download it, because the HTTP/HTTPS ports are not open for access to the CA server? Any URL or document? Thanks!

    Monday, April 19, 2010 9:17 AM

Answers

  • Hi

    I have given a step by step walkthrough of a Windows 2008 stand-alone CA here. It will take some time to download as the graphics need tuning, but it fits in with the documentation steps above. The one Alex suggests also covers this. If the agent can't directly access the certificate server then you'll need to add a few steps (which I have tried to highlight in bold below).

    The high-level process to obtain a certificate from a stand-alone certification authority (CA) is as follows:

    1. Download the Trusted Root (CA) certificate – do this from a machine that has access to the certificate server and then copy to the workgroup machine.

    2. Import the Trusted Root (CA) certificate to the workgroup machine.

    -------

    3. Create a setup information file to use with the CertReq command-line utility – do this on the workgroup machine.

    4. Create a request file – do this on the workgroup machine and then copy file to a server that has access to the certificate server

    5. Submit a request to the CA using the request file from a server that has access to the certificate server

    6. Approve the pending certificate request – from the certificate server

    7. Retrieve the certificate from the CA – from a machine that has access to the certificate server and then copy certificate to workgroup computer

    8. Import the certificate into the certificate store on the workgroup computer

    9. Import the certificate into Operations Manager using MOMCertImport – on workgroup computer.

    10. And then install the agent and approve install from opsmgr console

    Cheers

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    • Marked as answer by kongfupanda Tuesday, April 20, 2010 4:41 PM
    Tuesday, April 20, 2010 4:34 PM
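The ten steps above, as an added example written for this page (not Graham's walkthrough and not Microsoft's documentation): the commands each host runs, with the CSR generated on the DMZ server itself so the private key never has to be exported and carried across the boundary. Every concrete name is an assumed placeholder: the CA config string `caServer.corp.example\Corp-Standalone-CA`, the agent FQDN, the `C:\certs` paths, the request ID `42`, the management group `MG1` and management server `ms1.corp.example`, and the SCOM media paths. The INF body follows the SCOM 2007 agent certificate requirements (server and client authentication EKUs, 2048-bit exchange key in the machine store); `/SubjectName` is the SCOM 2007 R2 `MOMCertImport` syntax.

```powershell
# Added example, not part of the original thread: the ten steps of the accepted
# answer as the commands each host runs. Every name below (CA host\CA name, FQDN,
# paths, request ID, management group/server, media paths) is an assumed placeholder.
# "jump host" = a machine that can reach the CA over RPC/DCOM; "DMZ host" = the
# workgroup server. Move files between them over whatever channel you already have.

$CAConfig = 'caServer.corp.example\Corp-Standalone-CA'   # "CAHost\CAName", as certutil -dump shows it
$Fqdn     = 'dmzserver.dmz.example'                     # must match the name the management server resolves

# Steps 1-2 (jump host, then DMZ host): fetch the root CA certificate and import it,
# but only after comparing its thumbprint with one read from the CA console itself,
# because the file travelled over an unauthenticated copy.
certutil -config $CAConfig -ca.cert C:\certs\root.cer    # jump host
# ---- copy root.cer to the DMZ host ----
$ExpectedRootThumbprint = '0000000000000000000000000000000000000000'   # placeholder: read it off the CA
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\root.cer')
if ($root.Thumbprint -ne $ExpectedRootThumbprint) { throw 'Root CA thumbprint mismatch; not importing.' }
certutil -addstore Root C:\certs\root.cer                 # DMZ host, LocalMachine\Root

# Steps 3-4 (DMZ host): INF per the SCOM 2007 agent certificate requirements
# (server + client authentication EKUs, 2048-bit exchange key in the machine store),
# then generate the key pair and CSR locally so the private key never leaves this box.
@"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
ProviderName="Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType=1
RequestType=PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path C:\certs\agent.inf -Encoding ASCII
certreq -new C:\certs\agent.inf C:\certs\agent.req
# ---- copy agent.req to the jump host ----

# Step 5 (jump host): submit; a stand-alone CA leaves it pending and prints "RequestId: N".
certreq -submit -config $CAConfig C:\certs\agent.req C:\certs\agent.cer
$RequestId = 42                                           # placeholder: the number certreq printed

# Step 6 (on the CA, or from the jump host via -config): issue the pending request.
certutil -config $CAConfig -resubmit $RequestId

# Step 7 (jump host): pull the issued certificate, then copy it to the DMZ host.
certreq -retrieve -config $CAConfig $RequestId C:\certs\agent.cer
# ---- copy agent.cer to the DMZ host ----

# Step 8 (DMZ host): bind the issued certificate to the pending request's private key.
# This only works on the host that ran certreq -new, because that is where the key lives.
certreq -accept C:\certs\agent.cer

# Step 9 (DMZ host): tell the agent which certificate to use.
# /SubjectName is the SCOM 2007 R2 MOMCertImport syntax; older builds take a .pfx path or show a picker.
& 'D:\SupportTools\AMD64\MOMCertImport.exe' /SubjectName $Fqdn

# Step 10 (DMZ host): manual agent install pointed at the management server, then approve it
# in the console under Administration > Pending Management.
msiexec /i D:\agent\AMD64\MOMAgent.msi /qn USE_SETTINGS_FROM_AD=0 USE_MANUALLY_SPECIFIED_SETTINGS=1 `
    MANAGEMENT_GROUP=MG1 MANAGEMENT_SERVER_DNS=ms1.corp.example ACTIONS_USE_COMPUTER_ACCOUNT=1
Restart-Service HealthService   # only needed if the agent was already installed before the import
```

Two checks worth doing before blaming the certificate: `certreq -accept` searches the local machine store for the pending request that matches the issued certificate, so it has to run on the same host (and with the same `MachineKeySet=TRUE`) that ran `certreq -new`; and a manually installed agent only shows up in Pending Management if the management group's security setting is "Review new manual agent installations" rather than the default "Reject".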

All replies

  • Monday, April 19, 2010 9:36 AM
  • A workaround can be to create the certificate from your workstation (for the DMZ server and with the subject name of the DMZ server) and, once it is installed on your workstation, export it with the private key, transfer it to the DMZ server and then import it there.

    You will find the certificate in the personal store of your computer account after it is installed and that is the location where you will import it on the DMZ server.

    It worked for me.

    -V

    Monday, April 19, 2010 9:40 AM
  • Thanks!
    Now we get this error on this server. We run certreq -accept and it complains that no object or property was found. Any idea? Thanks

    C:\Documents and Settings\Administrator\My Documents>certreq -Accept certnew_orgesfinsvr.cer
    Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628)

    C:\Documents and Settings\Administrator\My Documents>certreq
    ConfigGetConfig returned 0x80070103 (WIN32/HTTP: 259)
    Certificate Request Processor: No Certification Authorities available
    No more data is available. 0x80070103 (WIN32/HTTP: 259)

    Monday, April 19, 2010 4:39 PM
  • Hi

    Here is a document for configuring certificates when the agent doesn't have direct access to the certificate server. I have followed this literally hundreds of times and it does work:

    http://systemcentersolutions.wordpress.com/category/certificates/

    But ... which operating system is the CA on? Windows 2003 or Windows 2008?

    Also ... is this a stand-alone certificate server or an enterprise CA?

    Cheers

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Tuesday, April 20, 2010 8:04 AM
  • Hi

    Please see my response on your other thread - if the agent can't access the CA then you'll need to add in a few steps to the official documentation:

    http://systemcentersolutions.wordpress.com/category/certificates/

    Cheers

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Tuesday, April 20, 2010 8:05 AM
  • Hi,

    and another one doc: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5


    http://OpsMgr.ru/
    Tuesday, April 20, 2010 9:50 AM
  • it's win2008, standalone
    Tuesday, April 20, 2010 4:18 PM
  • Thanks, I followed the steps to install the certs and imported them on the monitored server without error, but I still cannot see the pending server to approve in the SCOM console. In the event viewer I can see the error below:

    The OpsMgr Connector connected to mserver1 (monitored server in workgroup), but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Event ID 20070. I did restart the service on both servers and waited more than 1 hour. Any advice?
    Thanks

    Wednesday, April 21, 2010 6:58 AM
  • Hi

    When you start the agent, do you get any events in the Operations Manager event log on the agent? Especially relating to the certificate not being valid? These might well be informational events, so stop the agent, clear the log, then start the agent and go through the events one by one to see if there is a successful loading of the certificate.

    If all looks good on the agent then do the same with the Management Server to see if it is a problem at that end with the certificate.

    Cheers

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Wednesday, April 21, 2010 7:06 AM
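The check Graham describes, as an added example written for this page (not his script and not a Microsoft tool): run on the workgroup agent, it looks up the certificate `MOMCertImport` registered, verifies in the store that it is actually usable (private key present, in validity, both EKUs, chains to the imported root), then restarts the agent and lists only the OpsMgr Connector events written after the restart. The registry path `HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings`, the value name `ChannelCertificateSerialNumber` and its reversed-byte encoding, the service name `HealthService` and the event source `OpsMgr Connector` are assumed here as SCOM 2007 behaviour; confirm them on your own build.

```powershell
# Added example, not part of the original thread: on the workgroup agent, confirm the
# certificate MOMCertImport registered is the one in the store and that it is usable,
# then read only the OpsMgr Connector events written after an agent restart.
# Registry path/value, reversed-byte encoding, service and source names are assumed
# SCOM 2007 behaviour; confirm against your own build before relying on them.

$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$raw = (Get-ItemProperty -Path $regPath -ErrorAction Stop).ChannelCertificateSerialNumber
if (-not $raw) { throw 'ChannelCertificateSerialNumber is absent: MOMCertImport has not been run here.' }

# The REG_BINARY value holds the serial number with its bytes reversed (assumed encoding).
[byte[]]$bytes = $raw
[array]::Reverse($bytes)
$serial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
if (-not $cert) { throw "Registered serial $serial is not in LocalMachine\My; MOMCertImport points at a missing certificate." }

$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key: the request was generated on another machine or under the user key set' }
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += "outside validity ($($cert.NotBefore) .. $($cert.NotAfter))" }

$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
foreach ($need in @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')) {   # server auth, client auth
    if ($ekus -notcontains $need) { $problems += "missing EKU $need" }
}

# Build the chain to LocalMachine\Root. Revocation is skipped because a DMZ host
# rarely reaches the CRL; check reachability of the CDP separately if it matters.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "chain does not build to a trusted root: $status"
}

if ($problems.Count -gt 0) {
    Write-Output "Certificate '$($cert.Subject)' (serial $serial) is NOT usable:"
    $problems | ForEach-Object { Write-Output " - $_" }
} else {
    Write-Output "Certificate '$($cert.Subject)' (serial $serial) looks usable; checking connector events."
}

# Restart the agent and show only what the connector logged afterwards. Filtering on
# time keeps the old entries for later forensics instead of clearing the log.
$since = Get-Date
Restart-Service HealthService
Start-Sleep -Seconds 30
Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -After $since |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EventID, EntryType, Message |
    Format-List
```

If the agent side passes, run the same store and chain checks on the management server against its own certificate, since event 20070 fires when either end rejects the other's certificate; both must chain to the same root and carry both EKUs.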
  • Thanks for advice! I reinstalled the agent and did momcertimport and now all ok. Thanks again!
    Wednesday, April 21, 2010 8:12 AM