How to Create a CSR for the SCOM Certificate?

Infra teams know how SCOM is important to them. SCOM has made their life easier by providing them with centralized management of workstations and servers. To centrally manage the servers and workstations from the SCOM, all those devices will have to report to the SCOM server. SCOM can manage the machines connected to the domain using the default Kerberos protocol over ports 5723 & 5724. But, all the devices are not part of the same domain. Or, may not be joined to any domains. In such cases, SCOM manages the untrusted or workgroup clients using digital certificates. IT admin should create a CSR on the workgroup computers and submit it to the CA server to get a SCOM certificate for the workgroup computers. Let’s share the procedure for how to create a CSR for the SCOM certificate.

How to Create a CSR for the SCOM Certificate?

How to create a CSR in a Windows server?

Step 1. Open MMC on the Windows server

Hit Win + R to open the Run utilityType mmc in the box.Press Ok.

Step 2. Add Certificate Snap-in

Go to File > Add/Remove Snap-in..

Step 3. Select Certificates and press Add

Step 4. Select the User or Computer Certificate snap-in

Select the snap-in which you want to create the certificate. For demonstration we are choosing Compute account.Click Next.

Step 5. Select Local Computer

Select local computer as you are going to create CSR on the same computer.Click Finish.

Step 6. Select Certificate (Local Computer) and click Ok

Step 7. Create Custom Request

Access your MMC snap in > right-click the Personal folder.Select All Tasks > Advanced Operations > Create Custom Request.

Step 8. CSR generation wizard

The CSR generation wizard will open > Click Next.

Step 9. Proceed Active Directory enrollment policy

Select the option to Active Directory enrollment policy > Click Next.

Step 10. Click Next at the PKCS # 10 window.

Step 11. Edit Active Directory enrollment policy Properties

From the Details drop-down menu > Click Properties.

Step 12. General settings in certificate properties Give a friendly name as you need.

Step 13. Add the subject name and alternate subject name in the subject setting of the certificate properties:

Access the Subject tab > in the Subject name: select the types from the dropdown list and add the values required for your CSR.

Example:
CN = <Comptername.corp.du.ae>DNS = <Computername>

Step 14. Key usage Extension settings in certificate properties:

Expand the ‘key usage‘ under the Extension properties.Add ‘Digital Signature‘ & ‘Key encipherment‘

Step 15. Extended Key usage Extension settings in certificate properties:

Expand the ‘ Extended key usage‘ under the Extension properties.Add ‘Server Authentication‘ & ‘Client Authentication‘

Step 16. Cryptographic service provider settings in certificate properties Expand ‘Cryptographic service provider’ Select ‘Microsoft Enhanced Cryptographic Provider’

Step 17. Set Private Key settings in certificate properties

Select Key size: 2048 and check the option to Make private key exportable > Click OK.

Step 18. Save the CSR file to a location.

Select Base 64 and Click Next > Click Browse.

Step 19. Select a location to save the CSR file. Enter a name for the file and click Save.

Step 20. Click Finish.

Step 21. The CSR file will be present at the location you saved it and can be used to request the SSL certificate as needed.

A typical CSR file will look like this.

You can request a SCOM certificate by submitting the CSR to your certificate authority and get a signed digital certificate for your workgroup computer.

Thanks for reading this post. We believe we have answered the question ‘How to create a CSR for the SCOM certificate?‘ in this post.

You may also like these articles: