Expiration of certificate of scom 2007 r2

  • Question

  • Hi,

    Thank you for your help.
    Someone please tell me.

    I'm trying to set up the SCOM R2 Agent on a computer in a workgroup.
    The SCOM 2007 R2 server is installed inside a domain, and I want to monitor a server in a workgroup outside the domain.
    The computer on which the agent will be installed is Windows XP.
    I don't use a SCOM Gateway server.

    I used MOMCERTIMPORT.EXE to import the certificate into Operations Manager.
    But it has only a one-year expiration date.
    I want it to expire in 10 years.
    I changed the expiration date of the certificate with the steps below.
    But I got the same result.

    http://support.microsoft.com/kb/254632

    Could someone please tell me how to change the expiration date of the Operations Manager certificate?

    Thank you.


    • Edited by ty0522 Friday, December 30, 2011 1:45 AM
    Friday, December 30, 2011 1:42 AM

All replies

  • Hi,

    It's not an OpsMgr question. From your explanation I could guess that your CA's certificate has a one year expiration date. A CA cannot issue a certificate with a longer validity period than its own CA certificate.

    Check this out: http://technet.microsoft.com/en-us/library/cc740209(WS.10).aspx


    http://OpsMgr.ru/
    Monday, January 2, 2012 7:04 AM
    Moderator
  • If you set up a default Windows-based CA, then your default certificate validity is 1 year. There is a way to make the default 3 years (the only thing I know is that it was difficult to find the KB article; I don't have the link at hand). It was a registry setting on the CA box. Also, as Alexey says, check the validity of the CA root certificate. This can be 5 years or 10 or more, as long as the certificate you issue is within the validity period of the CA root chain cert. It does not matter what the certificate is for; the certificate doesn't know you are using it for SCOM.
    Bob Cornelissen - BICTT (My Blog about SCOM) - Microsoft Community Contributor 2011 Recipient
    Monday, January 2, 2012 5:24 PM
    Moderator
  • Thanks for the reply.

    Please check will be.
    I want to change the expiration date of the certificate Operations Manager.
    I have 10 years when the building is set to the root CA.
    Then, change the registry has been changed to the default of one to ten years expire certificates issued by the CA.
    I have used the 10-year certificates and MOMCERTIMPORT.EXE expiration.
    But that is one year expiration date and the expiration date of the certificate to verify the Operations Manager from MMC.

    I do not have to update your environment to create a certificate for 10 years.

    I understand that late, sorry.

    Thank you.


    • Edited by ty0522 Tuesday, January 3, 2012 10:06 AM
    Tuesday, January 3, 2012 10:04 AM
  • Hi. I am sorry but it is hard to follow what you are writing here.

    Are you saying the CA itself has a 10 year period and it is not that old yet, so we are safe in asking for a certificate of a few years validity?
    Also, if you have set the reg key for normal certs to have a validity of more than 1 year (for instance 3 years would be normal in this case), then you would be able to request a new certificate and it would be valid for 3 years in the certificates mmc. Please check this. Do not make the SCOM certificates valid for 10 years, simply because this might be longer than the validity of the CA root cert again. Take 3 years for example.
    If the certificates mmc on the client shows your cert is valid for 3 years, you can use momcertimport to import that one.
    In most cases 1 or 2 or 3 years will do fine, although it does happen that 1 year is a bit short.


    Bob Cornelissen - BICTT (My Blog about SCOM) - Microsoft Community Contributor 2011 Recipient
    Tuesday, January 3, 2012 10:11 AM
    Moderator
  • Hi.

    Thanks for the reply.

    I'm sorry. I do not understand yet.

    I used MOMCERTIMPORT.EXE with a certificate that has a three-year expiration.
    However, the Operations Manager certificate now expires in one year.
    # CA certificate expiration date is 10 years.

    Operations Manager certificates can not expire more than a year to What's the impossible.

    Thank you.

    I've attached a picture of the actual reference.
    I want more than one year the expiration of Operations Manager Cert.

    ■Cert

     

    ■Operations Manager Cert

     



    • Edited by ty0522 Wednesday, January 4, 2012 10:29 AM
    Wednesday, January 4, 2012 2:18 AM
  • Like I said, by default any certificate you generate is for 1 year. Using a registry key somewhere you can change this to a 3 year validity period. Or you can create a template for SCOM certificates and give it a validity of more than 1 year (whether this is 2 or 3 or 4 or 5 is up to you). Once this is changed or set, you can create a new certificate for this machine and load it on that machine. And import that one.

    By the way, now that I look closer at your screenshot... Your cert for SCOM already has 3 years validity.
    The one in the second screenshot is just a self-generated certificate from the machine itself, which got generated at installation of SCOM. You can ignore it.
    Just make sure that you have run momcertimport.exe one time and selected the certificate you want to use. Then you are safe.
    So thanks for posting the screenshot, this makes answering a lot easier.


    Bob Cornelissen - BICTT (My Blog about SCOM) - Microsoft Community Contributor 2011 Recipient
    • Marked as answer by ty0522 Thursday, January 5, 2012 12:19 AM
    Wednesday, January 4, 2012 6:51 AM
    Moderator
  • Do not worry. It's a self-signed certificate that was created by OpsMgr. This certificate has nothing to do with workgroup computers. You can find the certificate you imported using the MOMCertImport tool in the Personal store: Start -> Run -> mmc.exe -> add snap-in -> Certificates -> select 'computer account' -> select 'local computer'. Check the store that is shown in your first screenshot (Personal).

     


    http://OpsMgr.ru/
    • Marked as answer by ty0522 Thursday, January 5, 2012 12:19 AM
    Wednesday, January 4, 2012 6:55 AM
    Moderator
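
Added example, not part of the original thread: a PowerShell equivalent of the MMC check described in the two answers above. It lists every certificate in the local computer's Personal store, flags self-signed ones (such as the one the thread says to ignore), and shows each certificate's lifetime next to the expiry of its issuing CA certificate. The function name `Get-CertLifetime` is hypothetical; the store path is the Personal store named in the answer.

```powershell
# Added example (not from the thread). Function name is hypothetical.
# Default store is the local computer's Personal store, as named in the answer.
function Get-CertLifetime {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Build the chain so the issuing CA certificate (if present locally) can be inspected.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # A workgroup machine often cannot reach the CA's CRL, so skip revocation checks here.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($cert)

        # Element 0 is the certificate itself; element 1, when present, is its issuer.
        $issuerNotAfter = $null
        if ($chain.ChainElements.Count -gt 1) {
            $issuerNotAfter = $chain.ChainElements[1].Certificate.NotAfter
        }

        $lifetime = $cert.NotAfter - $cert.NotBefore
        $remaining = $cert.NotAfter - (Get-Date)

        New-Object PSObject -Property @{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SerialNumber   = $cert.SerialNumber
            # Self-signed certificates name themselves as issuer.
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            HasPrivateKey  = $cert.HasPrivateKey
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            ValidYears     = [math]::Round($lifetime.TotalDays / 365.25, 1)
            DaysLeft       = [math]::Floor($remaining.TotalDays)
            # An issued certificate cannot outlive this date.
            IssuerNotAfter = $issuerNotAfter
        }
    }
}

Get-CertLifetime |
    Sort-Object NotAfter |
    Format-Table Subject, SelfSigned, ValidYears, DaysLeft, NotAfter, IssuerNotAfter -AutoSize
```

A CA-issued certificate shows `SelfSigned` as False and a `NotAfter` no later than `IssuerNotAfter`; an empty `IssuerNotAfter` means the issuing CA certificate is not installed on the machine.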
  • Hi.

    Thanks for the reply.

    SCOM certificate expiration is the value that appears in the first screenshot.
    I was able to understand the expiration date of the certificate finally SCOM.

    Mr. Bob, Mr. Alexey, thank you very much.
    I have saved very much.

    Thank you.
    Wednesday, January 4, 2012 10:25 AM
  • No problem, it's our pleasure. Don't forget to mark the posts above which helped to answer your question as answer(s) and helpful posts as helpful. This is to help other people looking for an answer to similar questions find them more easily.
    Best regards and good luck with your SCOM projects.
    Bob Cornelissen - BICTT (My Blog about SCOM) - Microsoft Community Contributor 2011 Recipient
    • Marked as answer by ty0522 Thursday, January 5, 2012 12:19 AM
    • Unmarked as answer by ty0522 Thursday, January 5, 2012 12:19 AM
    Wednesday, January 4, 2012 7:51 PM
    Moderator