So I'm in the process of deploying SCOM 2007 R2 on several computers. Many of these are not members of the domain where SCOM is running, and several of them are not even located in our datacenter. I created a (I think) simple guide on how to install our root CA cert, request a computer certificate, install SCOM, tell SCOM to use the certificate, patch it, and accept the client.
Apparently that isn't *that* easy, again. The whole certificate part was taking the most time, so I've looked into a way to automate the process. Playing around with different scenarios I stumbled across this blog post. Later, while mocking up some code to facilitate it, I also stumbled across this post by the same guy. I agree with what he's saying about where to generate the key etc., but I was tasked with automating the process, so here is my "modified" version. I stripped out authentication and various checks to simplify it all, for anyone who wants to go down the same road as me. The client runs the PowerShell script he wrote (rewritten to VB.NET) and then submits the BASE64 certificate request to a web service. The web service sends the request to our internal CA and then sends back the issued certificate. Finally the VB.NET code installs the certificate in the local computer store.
First up, add a cert template according to his guide here. Next, a small console application that will run on the client. You need to add references to certcli.dll and CertEnroll.dll.
Then add this class
In main() add
Create a web service and add the same references as in the console application. Place the root CA certificate somewhere accessible, and add the class ScomCertWrapper as well.
If you're really lazy, you can also start a process on the client that calls MOMCertImport.exe.
I probably don't need to point this out, but I'll do it anyway. You need to impersonate a user (or run the application pool as one) who has permission to enroll certificates based on the template, and you should also add some kind of authentication to the web service.
If you don't know what to type as parameter 1 to submitRequest: set a breakpoint at line 105 in the class, call it from a console application without specifying a CA, and choose the CA from the list that pops up. Then inspect strCAConfig and you'll know what to supply.
Update: while testing this code, I started getting "The requested certificate template is not supported by this CA. 0x80094800". The error was raised by InitializeFromPrivateKey while creating the certificate request. Turns out that the last parameter, CertificateTemplate, requires the template to be in the client's template cache. That will never happen, since we are doing this from non-domain members or foreign-domain members. Just set the parameter to an empty string or Nothing and it will work, but then you need to remember to add the template name to the request yourself. If you supply neither, you will get "Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute." when submitting the request to the CA.
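The whole flow from the post, as an added PowerShell example (this is not the post's own VB.NET class or web service code): the client-side key and PKCS#10 generation, the CA submission the web service performs, and the final install into the local computer store. It bakes in the fix from the update: InitializeFromPrivateKey gets an empty template name so the local template cache is never consulted, and the template is carried in the request instead (as a template-name extension and, belt and braces, as a CertificateTemplate request attribute), which is what keeps the CA's policy module from answering 0x80094801. The template name `SCOMAgentCert`, the subject and the CA config string are assumptions; in the real setup the middle section runs inside the web service under the enrolling account, not on the client.

```powershell
# Added example, not the post's code. Runs all four steps on one machine for illustration;
# in the post's design the "CA side" block lives in the web service.
param(
    [string]$TemplateName = 'SCOMAgentCert',                  # assumed template name
    [string]$Subject      = "CN=$env:COMPUTERNAME",           # use the agent's FQDN in real use
    [string]$CAConfig     = 'ca.example.internal\Example-CA'  # assumed "server\CA name"; '' shows a picker
)

# --- constants from certenroll.h / certcli.h -------------------------------------------
$ContextMachine          = 2        # X509CertificateEnrollmentContext.ContextMachine
$XCN_AT_KEYEXCHANGE      = 1        # X509KeySpec
$XCN_CRYPT_STRING_BASE64 = 1        # EncodingType
$XCN_CERT_NAME_STR_NONE  = 0
$CR_IN_BASE64            = 0x1
$CR_IN_PKCS10            = 0x100
$CR_OUT_BASE64           = 0x1
$CR_DISP_ISSUED          = 3
$CC_UIPICKCONFIG         = 1        # certcli: let the user pick the CA from a list
$AllowNone               = 0        # InstallResponseRestrictionFlags: root CA is already trusted

# --- client side: key pair stays in the local computer store ---------------------------
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName   = 'Microsoft RSA SChannel Cryptographic Provider'
$key.KeySpec        = $XCN_AT_KEYEXCHANGE
$key.Length         = 2048
$key.MachineContext = $true
$key.ExportPolicy   = 0             # XCN_NCRYPT_ALLOW_EXPORT_NONE: the private key never leaves the box
$key.Create()

$pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
# Third argument is the template name. A non-empty value is resolved against the local
# template cache, which a non-domain (or foreign-domain) machine does not have -> 0x80094800.
$pkcs10.InitializeFromPrivateKey($ContextMachine, $key, '')

$dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$dn.Encode($Subject, $XCN_CERT_NAME_STR_NONE)
$pkcs10.Subject = $dn

# No template was named above, so add it to the request ourselves; without this (or the
# request attribute below) the CA denies with 0x80094801.
$tmplExt = New-Object -ComObject X509Enrollment.CX509ExtensionTemplateName
$tmplExt.InitializeEncode($TemplateName)
$pkcs10.X509Extensions.Add($tmplExt)

$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromRequest($pkcs10)
$csrBase64 = $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64)   # this string is what the web service receives

# --- CA side (web service, running as an account allowed to enroll on the template) ----
if (-not $CAConfig) {
    # Same trick as the post's breakpoint tip: pick the CA from a list and print the config string.
    $cfg = New-Object -ComObject CertificateAuthority.Config
    $CAConfig = $cfg.GetConfig($CC_UIPICKCONFIG)
    Write-Host "Use this as the CA config string: $CAConfig"
}

$req  = New-Object -ComObject CertificateAuthority.Request
$disp = $req.Submit($CR_IN_BASE64 -bor $CR_IN_PKCS10,
                    $csrBase64,
                    "CertificateTemplate:$TemplateName",     # request attribute form of the template
                    $CAConfig)
if ($disp -ne $CR_DISP_ISSUED) {
    # e.g. pending approval (5) or denied; the disposition message carries the 0x8009xxxx text
    throw "CA did not issue the certificate: $($req.GetDispositionMessage()) (disposition $disp)"
}
$certBase64 = $req.GetCertificate($CR_OUT_BASE64)              # this string goes back to the client

# --- client side again: bind the issued cert to the key and store it in LocalMachine\My -
$enroll.InstallResponse($AllowNone, $certBase64, $XCN_CRYPT_STRING_BASE64, '')
Write-Host "Certificate installed in LocalMachine\My; MOMCertImport.exe can now be pointed at it."
```

Run it elevated, since the key is created with MachineContext and the response is installed into the computer store. The InstallResponse restriction is AllowNone on purpose: the post installs the root CA certificate first, so an issuing chain that does not validate should fail here rather than be silently accepted.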