November 2, 2023

Step-By-Step Procedure To Create A SCOM Certificate Template



System Center Operations Manager (OpsMgr, or SCOM for short) plays a key role in keeping the Windows infrastructure of an organization healthy. IT teams use it to monitor the health and performance of servers and workstations, raise alerts, push monitoring configuration, and run tasks and scripts on the SCOM agents. To make use of SCOM, every monitored machine needs an agent that reports to a management server or a gateway. Domain-joined workstations and servers authenticate to the management server with Kerberos; the agent talks to the management server on TCP port 5723, and the console and SDK use port 5724. But how does SCOM manage workgroup computers, or machines in a domain that has no trust with the Operations Manager domain? This is why SCOM needs digital certificates for untrusted clients: the gateway or management server and each client outside a trusted domain are given certificates issued by a CA they both trust, and the two sides authenticate each other with them. That requires a certificate template on the internal CA that issues certificates valid for both Server Authentication and Client Authentication, for the SCOM clients, the management servers and the gateways. This post gives a detailed step-by-step procedure for creating that SCOM certificate template.

Follow this procedure to create a SCOM certificate template on the internal CA servers.

How to Create a SCOM Certificate Template?

Step 1. Open the Certification Authority console

Run ‘certsrv.msc’ from a command prompt or the Run dialog on the CA server.

Step 2. Open the Certificate Templates console

Right-click ‘Certificate Templates’ in the left pane and choose ‘Manage’. This opens the Certificate Templates console.

Step 3. Duplicate the “IPSec (Offline request)” template

Right-click the ‘IPSec (Offline request)’ template and choose ‘Duplicate Template’. The new SCOM template is built from this copy.

Step 4. General settings on SCOM certificate template

Fill in the template display name, the validity period and the renewal period on the General tab.

Step 5. Compatibility settings on the SCOM certificate template

On the Compatibility tab, choose ‘Windows Server 2003’ in the ‘Certification Authority’ dropdown and ‘Windows XP / Server 2003’ in the ‘Certificate recipient’ dropdown. These two choices decide which options the later tabs offer, so set them before you touch the Cryptography tab.

Step 6. Request Handling settings on the SCOM certificate template

On the Request Handling tab set the Purpose to ‘Signature and encryption’ and tick ‘Allow private key to be exported’. The key has to be exportable because the certificate is requested on one machine and later imported into SCOM as a PFX file; treat that PFX as a secret (strong password, delete it once imported).

Step 7. Cryptography settings on the SCOM certificate template

Set these three settings on the Cryptography tab:
Provider Category: Legacy Cryptography Service Provider
Algorithm name: Determined by CSP
Minimum key size: 2048. Choose the size according to your organisation’s policy, but do not go below 2048: 1024-bit RSA has been deprecated for years and should not be issued by a new template.

Select ‘Requests must use one of the following providers’ and tick ‘Microsoft RSA SChannel Cryptographic Provider’.


Step 8. Key Attestation settings on the SCOM certificate template

No changes are needed on the Key Attestation tab; it should look like the screenshot below.

Step 9. Server settings on the SCOM certificate template

No changes are needed on the Server tab either; it should look like the screenshot below.

Step 10. Application Policy settings on the SCOM certificate template

On the Extensions tab select ‘Application Policies’ and click ‘Edit’. Add both ‘Server Authentication’ and ‘Client Authentication’. SCOM needs both purposes in one certificate because the agent, gateway and management server authenticate each other mutually.

Step 11. Application policy in Extension settings on the SCOM certificate template

After the edit, the Application Policies extension should list Client Authentication and Server Authentication, as in the screenshot below.

Step 12. Basic Constraints in Extension settings on SCOM certificate template

Check the Basic Constraints extension on the Extensions tab; it should look like the screenshot below.

Step 13. Issuance policy in Extension settings on SCOM certificate template

Check the Issuance Policies extension on the Extensions tab; it should look like the screenshot below.

Step 14. Key usage in Extension settings on the SCOM certificate template

Select ‘Key Usage’ and click ‘Edit’. Under Signature tick ‘Digital signature’; under Encryption tick ‘Allow key exchange only with key encryption (key encipherment)’; then tick ‘Make this extension critical’.

Step 15. Subject Name settings on the SCOM certificate template

On the Subject Name tab select ‘Supply in the request’. The requester has to supply the subject (the FQDN of the client, gateway or management server) because a workgroup machine has no Active Directory object the CA could build the name from.

Step 16. Issuance requirements settings on the SCOM certificate template

Your Issuance Requirements tab should look like the screenshot below. Be aware of the combination this template now has: the subject is taken from the request, the Client Authentication purpose is present, and the key is exportable. If the template’s Enroll permission is granted broadly (for example to Domain Users or Domain Computers), any principal can request a certificate for an arbitrary name and authenticate with it; this is the AD CS template misconfiguration commonly referred to as ESC1. Grant Enroll only to the group that administers SCOM, and consider ticking ‘CA certificate manager approval’ here so every request is reviewed before it is issued.

Step 17. Publish the certificate template

After creating the certificate template, publish it so the CA can issue it:
1. In the Certification Authority console, right-click ‘Certificate Templates’.
2. Click ‘New’.
3. Click ‘Certificate Template to Issue’ and select the SCOM template you just created.
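Once the template is published, it is worth checking the object the CA actually reads rather than trusting the screenshots. The PowerShell below is an added example, not part of the original post: it reads the template from the Configuration partition of Active Directory and reports the settings from Steps 6, 7, 10, 14, 15 and 16, plus who holds the Enroll right. The template name ‘SCOMCertificate’ is an assumption; use the name (not the display name) you chose in Step 4. It needs the ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added example, not from the original post: audit the published SCOM template
# object in AD and report settings that weaken it. Assumes the ActiveDirectory
# module and a template whose (non-display) name is SCOMCertificate.
Import-Module ActiveDirectory

$TemplateName = 'SCOMCertificate'   # assumed name, adjust to your template

# Flag bits from the msPKI-* template attributes
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # Subject Name: "Supply in the request"
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # Request Handling: "Allow private key to be exported"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # Issuance Requirements: CA certificate manager approval
$EnrollRight = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$ServerAuth  = '1.3.6.1.5.5.7.3.1'
$ClientAuth  = '1.3.6.1.5.5.7.3.2'
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

$cfg = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$t   = Get-ADObject -Identity $dn -Properties pKIExtendedKeyUsage, pKIKeyUsage,
           'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag',
           'msPKI-Minimal-Key-Size', 'msPKI-RA-Signature', nTSecurityDescriptor

$findings = New-Object System.Collections.Generic.List[string]

# Step 10: both EKUs must be present for SCOM's mutual authentication
$eku = @($t.pKIExtendedKeyUsage)
foreach ($oid in $ServerAuth, $ClientAuth) {
    if ($eku -notcontains $oid) { $findings.Add("Missing EKU $oid") }
}

# Step 14: first byte of pKIKeyUsage carries digitalSignature (0x80) and keyEncipherment (0x20)
$ku = [byte[]]$t.pKIKeyUsage
if ($ku.Count -eq 0 -or (($ku[0] -band 0xA0) -ne 0xA0)) {
    $findings.Add('Key Usage must include Digital Signature and Key Encipherment')
}

# Step 7: 1024-bit RSA is deprecated
$minKey = [int]$t.'msPKI-Minimal-Key-Size'
if ($minKey -lt 2048) { $findings.Add("Minimum key size is $minKey; use 2048 or larger") }

# Steps 6, 15, 16: settings the procedure needs, but which raise the stakes
$supplySubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$exportable    = ([int]$t.'msPKI-Private-Key-Flag'      -band $CT_FLAG_EXPORTABLE_KEY) -ne 0
$needsApproval = ([int]$t.'msPKI-Enrollment-Flag'       -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
$raSignatures  = [int]$t.'msPKI-RA-Signature'

# Who may enroll: explicit Enroll right, all extended rights, or full control
$enrollers = @($t.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($ADR::GenericAll) -or
            ((($_.ActiveDirectoryRights -band $ADR::ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)))
    } | ForEach-Object { $_.IdentityReference.Value })
$broadGroups = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'
$broad = @($enrollers | Where-Object { ($_ -split '\\')[-1] -in $broadGroups })

# Supply-in-request + Client Authentication + broad Enroll + no approval is the ESC1 pattern
if ($supplySubject -and ($eku -contains $ClientAuth) -and $broad.Count -gt 0 -and
    -not $needsApproval -and $raSignatures -eq 0) {
    $findings.Add("ESC1 exposure: $($broad -join ', ') can enroll, the subject comes from the request, " +
                  'Client Authentication is present and no approval is required. Restrict Enroll ' +
                  'to the SCOM admin group or enable CA certificate manager approval.')
}
if ($exportable) {
    $findings.Add('Private key is exportable (needed for SCOM): password-protect the PFX and delete it after import')
}
$summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'none' }

[pscustomobject]@{
    Template        = $TemplateName
    EKUs            = $eku -join ', '
    MinKeySize      = $minKey
    SupplyInRequest = $supplySubject
    ExportableKey   = $exportable
    ManagerApproval = $needsApproval
    Enrollers       = $enrollers -join ', '
    Findings        = $summary
}
```

Run it as a user who can read the Configuration partition (any domain user can, by default). An empty Findings field, with only your SCOM administration group under Enrollers, is the result you want before handing the template to the people who will request certificates.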

Once the SCOM certificate template is published, create a certificate signing request (CSR) on a SCOM client computer, submit the CSR to your internal CA and have it signed. After you have the issued certificate, check that it is bound to its private key in the machine store, and export it together with the private key as a password-protected PFX file; that PFX is what you import on the SCOM side, as shown here.
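The request, acceptance and export on the client side can be scripted. The following is an added example, not from the original post, using certreq because a workgroup machine cannot use Active Directory auto-enrollment. The template name ‘SCOMCertificate’, the host name ‘scomgw01.contoso.com’ and the CA config string in the usage comments are assumptions; replace them with your own. Run it in an elevated PowerShell session on the client or gateway.

```powershell
# Added example, not from the original post: generate the CSR, bind the issued
# certificate and export the PFX on a SCOM client or gateway with certreq.
# Assumed values: template name SCOMCertificate and the host/CA names in the
# usage comments at the bottom. Run elevated.

function New-ScomCertificateRequest {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,       # subject CN, the machine's FQDN
        [string] $Template = 'SCOMCertificate',      # assumed template name
        [string] $Work     = 'C:\SCOMCert'
    )
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    # The INF mirrors the template: 2048-bit RSA in the Microsoft RSA SChannel CSP
    # (ProviderType 12), exchange key (KeySpec 1), exportable, Key Usage
    # digitalSignature + keyEncipherment (0xA0), Server + Client Authentication.
    # The CA still applies the template's own values for what the template defines.
    @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\scom.inf" -Encoding ASCII

    # Creates the key pair in the machine store and writes the PKCS#10 request
    certreq -new "$Work\scom.inf" "$Work\scom.req"
    if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
    "$Work\scom.req"
}

function Complete-ScomCertificate {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $CerPath,     # certificate returned by the CA
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Binds the issued certificate to the private key created by certreq -new
    certreq -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert)               { throw "No certificate for CN=$Fqdn in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; the CSR was not made on this machine' }

    # SCOM needs both EKUs; a template missing one produces a certificate SCOM rejects
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($required in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($oids -notcontains $required) { throw "Certificate lacks EKU $required" }
    }

    # Exportable key + password-protected PFX: this file is what gets imported into SCOM
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    $cert.Thumbprint
}

# Usage on the client/gateway (names are assumed):
# New-ScomCertificateRequest -Fqdn 'scomgw01.contoso.com'
# Submit C:\SCOMCert\scom.req to the CA, for example from a domain-joined host:
#   certreq -submit -config "ca01.contoso.com\Contoso Issuing CA" scom.req scom.cer
# Copy scom.cer back to the client, then:
# Complete-ScomCertificate -Fqdn 'scomgw01.contoso.com' -CerPath C:\SCOMCert\scom.cer `
#     -PfxPath C:\SCOMCert\scom.pfx -Password (Read-Host -AsSecureString 'PFX password')
```

Complete-ScomCertificate refuses to export anything that lacks the private key or either EKU, which catches the two mistakes that otherwise surface only as agent connection failures later. The PFX it writes is the file you import into SCOM; delete it from the client once the import has succeeded.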

Thanks for reading the post. Please share the post with those who are struggling to create a SCOM certificate template on their internal CA server.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
