Infra teams know how important SCOM is to them. It makes their lives easier by providing centralized management of workstations and servers. To be managed centrally from SCOM, all of those devices have to report to the SCOM server. SCOM can manage machines joined to the domain using the default Kerberos protocol over ports 5723 & 5724. But not all devices are part of the same domain, and some may not be joined to any domain. In such cases, SCOM manages the untrusted or workgroup clients using digital certificates. The IT admin should create a CSR on the workgroup computers and submit it to the CA server to get a SCOM certificate for them. Let's walk through the procedure to create a CSR for the SCOM certificate.
How to Create a CSR for the SCOM Certificate?
Time needed: 5 minutes
How to create a CSR in a Windows server?
- Open MMC in Windows server
Hit Win + R to open the Run utility
Type mmc in the box.
- Add Certificate Snap-in
Go to File > Add/Remove Snap-in...
- Select Certificates and press Add
- Select the User or Computer Certificate snap-in
Select the snap-in for which you want to create the certificate. For this demonstration, we are choosing Computer account.
- Select Local Computer
Select Local computer, as you are going to create the CSR on the same computer.
- Select Certificates (Local Computer) and click OK
- Create Custom Request
Open the MMC snap-in > right-click the Personal folder.
Select All Tasks > Advanced Operations > Create Custom Request.
- CSR generation wizard
The CSR generation wizard will open > Click Next.
- Proceed with Active Directory enrollment policy
Select the Active Directory enrollment policy option > Click Next.
- Click Next at the PKCS #10 window.
- Edit Active Directory enrollment policy Properties
From the Details drop-down menu > Click Properties.
- General settings in certificate properties
Give the certificate a friendly name of your choice.
- Add the subject name and alternative name in the Subject settings of the certificate properties:
Open the Subject tab > under Subject name, select the types from the drop-down list and add the values required for your CSR.
CN = <Computername.corp.du.ae>
DNS = <Computername>
- Key usage Extension settings in certificate properties:
Expand ‘Key usage’ under the Extension properties.
Add ‘Digital Signature’ & ‘Key encipherment’
- Extended Key usage Extension settings in certificate properties:
Expand ‘Extended key usage’ under the Extension properties.
Add ‘Server Authentication’ & ‘Client Authentication’
- Cryptographic service provider settings in certificate properties
Expand ‘Cryptographic service provider’
Select ‘Microsoft Enhanced Cryptographic Provider’
- Set Private Key settings in certificate properties
Select Key size: 2048 and check the option to Make private key exportable > Click OK.
- Save the CSR file to a location.
Select Base 64 and Click Next > Click Browse.
- Select a location to save the CSR file. Enter a name for the file and click Save.
- Click Finish.
- The CSR file will be present at the location you saved it and can be used to request the SSL certificate as needed.
A typical CSR file will look like this.
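The wizard steps above can also be scripted with certreq.exe. The following is an added example, not part of the original post: the host names and output folder are constructed placeholders, the full provider string "Microsoft Enhanced Cryptographic Provider v1.0" is assumed to be the provider the post selects, and no certificate template is set because the post does not name one.

```powershell
# Added example: scripted equivalent of the wizard steps, using certreq.exe.
# Run elevated on the workgroup computer. Default values are constructed placeholders.
param(
    [string]$Fqdn      = 'server01.example.test',  # goes into CN
    [string]$ShortName = 'server01',               # goes into the DNS alternative name
    [string]$OutDir    = "$env:TEMP\scom-csr"      # hypothetical output folder
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$inf = Join-Path $OutDir 'scom.inf'
$csr = Join-Path $OutDir 'scom.csr'
Remove-Item -Path $csr -ErrorAction SilentlyContinue  # avoid an overwrite prompt

# KeyUsage 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20).
# Exportable = TRUE mirrors the post; use FALSE if the key never has to leave this machine.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
FriendlyName = "SCOM certificate"
RequestType = PKCS10
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
Exportable = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ShortName&"
"@ | Set-Content -Path $inf -Encoding ASCII

& certreq.exe -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Confirm both EKU OIDs (Server and Client Authentication) are in the request before submitting it.
$dump = (& certutil.exe -dump $csr) -join "`n"
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($dump -notmatch [regex]::Escape($oid)) { throw "EKU $oid missing from $csr" }
}
Write-Output "CSR written to $csr"
```

The private key stays in the local machine store; only the Base64 `.csr` file is sent to the CA.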
Thanks for reading this post. We believe we have answered the question ‘How to create a CSR for the SCOM certificate?‘ in this post.