SCE Server certificate and private key

  • Question

  • Hello all,

    When configuring a SCE server for Service Provider Mode, I need a computer certificate for the SCE server that contains the private key. But the customer's CA runs on a Windows Small Business Server 2003, which cannot issue version 2 certificates, and the templates the CA can issue either don't allow me to export the private key or don't support Client and Server Authentication. I'm quite sure someone has run into this issue before and can give me a hint about what kind of certificate I could use.

    Thanks in advance,

    Dirk 

    Thursday, March 20, 2008 8:05 AM

All replies

  • Never mind, I just issued a certificate from our enterprise CA and imported it into the SCE server. Now I get an error in the event log:

    Event Type: Error
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 21036
    Date:  20.03.2008
    Time:  14:32:34
    User:  N/A
    Computer: SRVSBS
    Description:
    The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication.  The error is The credentials supplied to the package were not recognized.
    (0x8009030D).

    For more information about Help and Support Services, see http://go.microsoft.com/fwlink/events.asp.

    In the Service Provider Tool I double-checked the credentials for the private key, and I imported our CA certificate into the Trusted Root CA store on the SCE server. I'm just not quite sure which public certificate I have to use in the Service Provider Tool; I used the one from the CA that issued the private certificate.

    Thanks for your help,

    Dirk

    Thursday, March 20, 2008 1:41 PM
  • Hi Dirk,

    A certificate is needed for each Essentials 2007 server and each Operations Manager Management Server that Essentials 2007 will communicate with in the Remote Operations Manager scenario.

    The certificate must meet the following requirements (the default Windows Certificate Services "Computer" certificate template meets these requirements):

    • Exist in the "Personal\Certificates" store (also called the "MY" store) for the computer account.

    • Key Usage: Digital Signature, Key Encipherment (a0)

    • Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)

    • The subject name of the certificate must contain the FQDN of the server for which the certificate will be installed.

    The certificate of the root certificate authority that issued these certificates needs to be imported into the Trusted Root Certification Authorities store on both the Operations Manager Management Server and the Essentials server. If there are any intermediate or issuing certificate authorities between the root certificate authority and the certificate, their certificates must be imported into the Intermediate Certification Authorities store.

    These certificates can be issued by an internet-based certificate authority or by Certificate Services on a Windows server. For more information on using Certificate Services, see:

    Certificate Services
    http://technet2.microsoft.com/WindowsServer/en/library/d01a80dd-479a-444b-8893-68c40d61dd9c1033.mspx?mfr=true

    The "Obtaining Certificates" section provides step-by-step instructions for:

    1. Setting up a certificate server

    2. Issuing the necessary certificates to the OpsMgr and Essentials servers

    3. Exporting the OpsMgr server certificate and private key to a .pfx file that the MOMCertImport.exe tool will use to configure the OpsMgr server

    4. Exporting the Essentials server certificate and private key (.pfx file) and trusted root certificate (.cer file) that will be used by the Service Provider configuration tool

    Thanks.

    Monday, March 24, 2008 7:12 AM
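As an added example (not part of the original thread and not Microsoft's own tooling), the PowerShell below checks every certificate in the computer's Personal store against the requirements listed in the answer above: private key present, Key Usage of Digital Signature plus Key Encipherment (0x80 + 0x20 = a0), both authentication EKUs, the server FQDN in the subject, and a chain that builds to a trusted root through the machine's stores. It assumes PowerShell 2.0 or later on the Essentials or OpsMgr server, run from an elevated prompt; the function name Test-SceCertificate and the way the FQDN is derived from the local host are my own choices.

```powershell
# Added example: validate LocalMachine\My certificates against the SCE/OpsMgr
# connector requirements. Assumes PowerShell 2.0+, run elevated on the server.
param(
    # FQDN the certificate subject must contain; defaults to this host's DNS name.
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$KU_DigitalSignature = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature  # 0x80
$KU_KeyEncipherment  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment   # 0x20
$EKU_ServerAuth = '1.3.6.1.5.5.7.3.1'
$EKU_ClientAuth = '1.3.6.1.5.5.7.3.2'

function Test-SceCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $problems = @()

    # Requirement: the private key must be in the store alongside the certificate.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # Requirement: Key Usage = Digital Signature + Key Encipherment (a0).
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    if (-not $ku) {
        $problems += 'no Key Usage extension'
    } elseif ((($ku.KeyUsages -band $KU_DigitalSignature) -eq 0) -or
              (($ku.KeyUsages -band $KU_KeyEncipherment) -eq 0)) {
        $problems += "Key Usage is '$($ku.KeyUsages)', need DigitalSignature + KeyEncipherment"
    }

    # Requirement: EKU lists both Server Authentication and Client Authentication.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($need in @($EKU_ServerAuth, $EKU_ClientAuth)) {
        if ($oids -notcontains $need) { $problems += "missing EKU $need" }
    }

    # Requirement: subject name contains the server FQDN.
    if ($Cert.Subject -notmatch [regex]::Escape($Fqdn)) {
        $problems += "subject '$($Cert.Subject)' does not contain $Fqdn"
    }

    # Requirement: chain builds to a trusted root. Verify() walks the machine's
    # Trusted Root and Intermediate CA stores, so a missing root/issuer shows up here.
    if (-not $Cert.Verify()) {
        $problems += 'chain does not verify (check Trusted Root / Intermediate CA stores)'
    }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-SceCertificate -Cert $_ -Fqdn $Fqdn } |
    Format-Table Usable, Thumbprint, Subject, Problems -AutoSize
```

A certificate that reports Usable = True here is the one to export to a .pfx for the Service Provider tool; if Problems lists only the chain check, the fix is on the CA side (import the root into Trusted Root Certification Authorities and any issuing CA into Intermediate Certification Authorities), not on the certificate itself.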
  • Hello,

    following situation:

    I got SCE installed on a customer's SBS 2003 server. The CA that is installed on that SBS server can't issue certificates that meet both the requirements of client and server authentication AND allow the export of the private key of the certificate. So I let our own CA issue a certificate for that SBS server and imported that certificate into the certificate store of the computer account. I also imported that CA certificate into the Trusted Root Certification Authorities store on the SBS server. Then I used the Service Provider Tool to connect the SCE server to our SCOM. And now I get the following error message on the SBS server:

    Event Type: Error
    Event Source: OpsMgr Connector
    Event Category: None
    Event ID: 21036
    Date:  20.03.2008
    Time:  14:32:34
    User:  N/A
    Computer: SRVSBS
    Description:
    The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication.  The error is The credentials supplied to the package were not recognized.
    (0x8009030D).

    For more information about Help and Support Services, see http://go.microsoft.com/fwlink/events.asp.

    What could be the source of this error?
    Monday, March 24, 2008 5:27 PM
  • Hi,

    This is a certificate error. Have you installed the root certificate in the Trusted Root Certification Authorities store?

    You can use the Certutil tool to find out what the exact problem is.

    Certutil tasks for troubleshooting certificates

    http://technet2.microsoft.com/windowsserver/en/library/a3d5dbb9-1bf6-42da-a13b-2b220b11b6fe1033.mspx?mfr=true

    Hope it helps.

    Tuesday, March 25, 2008 11:35 AM
  • Finally it works. I simply redid all the steps, starting with the issuing of the certificate. I have no clue why it wouldn't work on my first try, since I didn't do anything different now (at least I think so).

    Thanks for your help.

    Monday, March 31, 2008 9:10 AM
  • I struggled with the certificate errors for some time until I realized that the "MOMCertImport /SubjectName <Certificate Subject Name>" command does not work properly in my Windows Server 2008 environment (refer to the "To import certificates using MOMCertImport" steps in the "http://technet.microsoft.com/en-us/library/bb735417.aspx" document). The momcertimport.exe would put the certificate serial number into the correct registry location (reversed, as expected); refer to "http://technet.microsoft.com/en-us/library/bb735418.aspx" for the registry location. However, despite everything appearing to work, I would get this error:

    The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication. The error is The credentials supplied to the package were not recognized (0x8009030D).

    The fix:

    1) Once you have a certificate imported into the certificate store:

    i) From the MMC "Certificates (Local Computer)" snap-in, locate the certificate (server FQDN name) in the Personal\Certificates folder, right-click it, and select "Export".

    ii) When prompted to "Export Private Key", select "Yes, export the private key".

    iii) Under "Export File Format", select "Personal Information Exchange – PKCS #12 (.pfx)" and the sub-option "Export all extended properties".

    iv) Take note of the location and file name of the .pfx file you saved, and the password if you entered one.

    2) From an administrator-mode command prompt, enter:

    MOMCertimport.exe filename.pfx

    (where filename.pfx is the exported certificate from above; enter the password if you set one for the .pfx file)

    To verify that the certificate is working with the agent:

    An "OpsMgr Connector" 20053 event should be generated in the Operations Manager event log after the health service is started, indicating the certificate was loaded successfully.

    Event Type: Information
    Event Source:     OpsMgr Connector
    Event Category:   None
    Event ID:   20053
    User:             N/A
    Computer:   GW1
    Description:
    The OpsMgr Connector has loaded the specified authentication certificate successfully.

    After a bit of a delay, the agent should show up in the OpsMgr console Administration - Pending Management list, where you must "Approve" it.

    • Proposed as answer by MBenoit Thursday, January 29, 2009 9:24 PM
    Thursday, January 29, 2009 9:17 PM
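The two things the post above relies on, that MOMCertImport writes the certificate's serial number into the registry in reversed byte order and that a 20053 event confirms the load (21036 the failure), can be checked from PowerShell without re-running the import. The script below is an added example, not from the original post or from the OpsMgr tooling. It assumes PowerShell 2.0 or later on the server in question, an elevated prompt, and that the REG_BINARY value under the Machine Settings key is named ChannelCertificateSerialNumber, the name documented for OpsMgr 2007 (the page itself only gives the key path). The function names are mine.

```powershell
# Added example: confirm the serial number MOMCertImport stored in the registry
# points at a certificate that is really in LocalMachine\My with a private key,
# then pull the connector's certificate-load events.
# Assumptions: PowerShell 2.0+, run elevated; value name ChannelCertificateSerialNumber
# is the OpsMgr 2007 documented name (not stated on this page).
$regPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$valueName = 'ChannelCertificateSerialNumber'

function Get-ConfiguredSerial {
    # The REG_BINARY value holds the serial-number bytes in reverse order, so
    # reverse them back and render the hex string the certificate store displays.
    $raw = (Get-ItemProperty -Path $regPath -ErrorAction Stop).$valueName
    if (-not $raw) { throw "Value $valueName not found under $regPath (was MOMCertImport run?)" }
    $bytes = [byte[]]$raw
    [array]::Reverse($bytes)
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Test-ConnectorCertificate {
    # Compare the registry serial with X509Certificate2.SerialNumber (uppercase hex, no separators).
    $serial = Get-ConfiguredSerial
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if (-not $cert) {
        return "Registry serial $serial matches no certificate in LocalMachine\My"
    }
    if (-not $cert.HasPrivateKey) {
        # A .cer import leaves the certificate without its key; the .pfx import is what the post needs.
        return "Certificate $serial found but has no private key (import the .pfx, not the .cer)"
    }
    "Registry serial $serial -> $($cert.Subject), private key present, expires $($cert.NotAfter)"
}

function Get-ConnectorCertEvents {
    # 20053 = certificate loaded successfully; 21036 = certificate in registry cannot be used.
    $wanted = @(20053, 21036)
    Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest 200 |
        Where-Object { $wanted -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

Test-ConnectorCertificate
Get-ConnectorCertEvents | Format-Table -AutoSize
```

If Test-ConnectorCertificate reports a match with a private key but the log still shows 21036 after the health service restarts, the remaining difference is in how the key was imported, which is exactly the case the post describes: re-export from the MMC with the private key and "Export all extended properties", then run MOMCertImport.exe against the .pfx rather than with /SubjectName.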