
Creating OpsMgr 2012 Gateway Server Certificates

This post provides step-by-step instructions for obtaining the root CA certificate from the domain where Operations Manager resides and importing it into the Gateway server's certificate store. It also details how to request and apply a certificate for the Gateway server itself, how to bind each server's certificate to its Health Service with MOMCertImport, and how to approve and install the Gateway.

Prerequisites

  • Disk space: %SYSTEMDRIVE% requires at least 1024 MB free hard disk space.
  • Server Operating System: must be Windows Server 2008 R2 SP1, Windows Server 2012, or Windows Server 2012 Core Installation.
  • Processor Architecture: must be x64.
  • Windows PowerShell version: Windows PowerShell version 2.0, or Windows PowerShell version 3.0.
  • Microsoft Core XML Services (MSXML) version: Microsoft Core XML Services 6.0 is required for the management server.
  • .NET Framework 3.5 SP1
  • .NET Framework 4 is required if the Gateway server manages UNIX/Linux agents or network devices.

Installation

Create the Operations Manager Gateway Certificate

This section will provide the process of how to create a certificate to use for the Gateway server(s).

Perform the following steps on the issuing CA server (Active Directory Certificate Services).

Open the Certification Authority program. Expand the CA Server, right click Certificate Templates and select Manage.

The Certificate Templates window will open. Right click IPSec (Offline request) and select Duplicate Template.

The Duplicate Template window will open. Keep the default selection Windows Server 2003 Enterprise. Click OK.

The Properties of New Template window will open. In the Template display name field type Operations Manager 2012 Gateway Certificate; the Template name field is filled in automatically from the display name, with the spaces removed. Keep the Validity period at 2 years and the Renewal period at 6 weeks. Click on the Request Handling tab.

Select Allow private key to be exported. This is needed because the certificate is later exported to a PFX file for MOMCertImport; treat any PFX you create as a secret and delete it once it has been imported.

Click on the Security tab.

Click on Authenticated Users. Check Enroll. Because this template takes its subject name from the request, any account allowed to enroll can obtain a certificate for any name; in a production forest, grant Enroll only to the accounts that will actually request these certificates (the management server computer accounts and the user account used for the gateway's web enrollment) rather than to Authenticated Users. Click on the Extensions tab.

Select Application Policies and click Edit.

Remove IP security IKE intermediate. Click Add.

Add Client Authentication and Server Authentication. Click OK.

Click OK to close out of the Properties of New Template.

Notice the newly created template. Close out of the Certificate Templates Console.

From the Certificate Authority, right click Certificate Templates. Select New and select Certificate Template to Issue.

The Enable Certificate Templates window will open. Locate the Operations Manager 2012 Gateway Certificate template. Click OK.

The Certificate is ready for issuing. Close out of the Certificate Authority.

Request the Operations Manager Certificate for the Management Server

On the Management Server we also need to install a certificate. Since we have an Enterprise Root CA integrated with AD, the root CA certificate is already trusted by the Management Server, which is a domain member. This section walks through requesting a certificate from the Operations Manager 2012 Gateway template for the Management Server.

Perform the following steps on the Management Server.

Open the Local Computer certificate store on the management server (certlm.msc on Windows Server 2012, or the Certificates snap-in for the Computer account in an MMC).

Expand Personal, right-click Certificates and select All Tasks > Request New Certificate.

The Certificate Enrollment window will open. Click Next.

The Select Certificate Enrollment Policy window will open. Select Active Directory Enrollment Policy. Click Next.

On the Request Certificates page, select the Operations Manager 2012 Gateway Certificate template. Because the template takes its subject from the request, a warning states that more information is required; click that link to open the Certificate Properties dialog and fill in the Subject tab. The common name is the management server's FQDN (opsmgr.lab.ad), and the same FQDN goes into the alternative name as a DNS entry.

Under Subject name, choose Type: Common name, enter opsmgr.lab.ad and click Add.

Under Alternative name, choose Type: DNS, enter opsmgr.lab.ad and click Add.

Click OK.

Click Enroll

Verify the status succeeded. Click Finish.

The certificate now appears in the Local Computer Personal certificate store.
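The same request done from PowerShell, as an added example that is not part of the original post. It uses the Get-Certificate cmdlet from the PKI module (Windows Server 2012 / PowerShell 3.0) against the Active Directory enrollment policy and lands the certificate directly in the Local Computer Personal store, which is what the wizard above does by hand. Assumptions: the template name the CA stored is the display name without spaces (OperationsManager2012GatewayCertificate), there is a single enterprise CA in the forest (so certutil needs no -config argument), and the script runs elevated on the management server.

```powershell
# Added example, not from the original post: request the management server
# certificate from the AD-integrated CA with the PKI module instead of the MMC wizard.
# Assumptions: template name = display name without spaces; single enterprise CA;
# running elevated on the management server (FQDN opsmgr.lab.ad on this page).
$TemplateName = 'OperationsManager2012GatewayCertificate'   # assumed template name
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. opsmgr.lab.ad

# Pre-check: the CA must already be issuing the template (the "Certificate Template
# to Issue" step earlier); otherwise the request fails as an unsupported template.
$published = certutil -CATemplates 2>&1 | Select-String -SimpleMatch $TemplateName
if (-not $published) { throw "The CA is not issuing template '$TemplateName' yet." }

# Enroll straight into the Local Computer Personal store. CN and the DNS SAN both
# carry the FQDN, matching the values typed into the wizard on this page.
$result = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$Fqdn" `
                          -DnsName $Fqdn `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    # 'Pending' means the CA requires manager approval; 'Denied' usually means the
    # requesting account lacks Enroll permission on the template.
    throw "Enrollment did not complete: status $($result.Status)"
}

$cert = $result.Certificate
if (-not $cert.HasPrivateKey) {
    throw 'Certificate was issued but no private key is associated with it in this store.'
}
"Issued {0} (serial {1}, expires {2:u}) into Cert:\LocalMachine\My" -f `
    $cert.Subject, $cert.SerialNumber, $cert.NotAfter
```

If the forest has more than one CA, certutil -CATemplates opens a CA picker; pass -config "server\CA name" to avoid the dialog. The serial number printed at the end is what MOMCertImport records later, so keep it for the verification step.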

Request the Operations Manager Certificate for the Gateway Server

The gateway is not part of the same domain as Operations Manager and therefore does not trust the Enterprise CA by default. The process below walks through obtaining the Root CA certificate from AD CS and installing it on the gateway.

Perform the following steps on the Gateway Server.

Open an MMC.

Open the Add or Remove Snap-ins. Select Certificates. Click Add.

The Certificates snap-in window will open. Select Computer account. Click Next.

The Select Computer window will open. Select Local computer. Click Finish.

Repeat the process to add a second Certificates snap-in for the current user: when the Certificates snap-in window opens, select My user account and click Finish.

Notice both the Certificates (LocalComputer) and Certificates – Current User are listed in the Selected snap-ins column. Click OK.

Expand Trusted Root Certification Authorities. Notice the certificate from the Root CA needs to be added to the Trusted Root Certification Authorities list.

Open a web browser on the Gateway Server and browse to the Active Directory Certificate Services web enrollment site on the domain, http://certificateserver/certsrv. Select Download a CA certificate, certificate chain, or CRL.

The Web Access Confirmation windows will open. Click Yes.

The Download a CA Certificate, Certificate chain, or CRL window will open. Select Base 64. Click Download CA certificate chain.

The File download window will open. Click Save.

Save the file to a location that is easily accessible. Click Save.

In the MMC, expand Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates and select All Tasks > Import.

The Certificate Import Wizard window will open. Click Next.

Browse to the saved location. Change the file type to PKCS #7 Certificates (.p7b). Click Open.

The file should appear in the File name field. Click Next.

The Certificate will be placed in the Trusted Root Certification Authorities. Click Next.

Click Finish to import the Root Certificate.

The certificate is now in the list, so the Gateway Server will trust certificates issued by the Enterprise Root CA. Because the chain was downloaded over plain HTTP, compare the root certificate's thumbprint with the value shown on the CA itself before relying on it.
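The same import from PowerShell, as an added example that is not part of the original post. It reads the PKCS #7 chain file saved from certsrv (certsrv names it certnew.p7b; the C:\Certs folder is an assumption), puts the self-signed root into Trusted Root Certification Authorities and any intermediate CA into Intermediate Certification Authorities (the wizard above puts the whole file into Root, which also works but is sloppier), prints the root thumbprint so it can be compared with the CA out of band, and then confirms a chain builds for every certificate in the file.

```powershell
# Added example, not from the original post: import the CA chain downloaded from
# certsrv on the gateway and verify it. Assumed path: C:\Certs\certnew.p7b.
Add-Type -AssemblyName System.Security
$ChainFile = 'C:\Certs\certnew.p7b'   # assumed save location (certsrv default file name)

$col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$col.Import($ChainFile)   # X509Certificate2Collection.Import understands PKCS #7 (.p7b)

foreach ($c in $col) {
    # A self-signed certificate (subject == issuer) is the root; anything else is an
    # intermediate and belongs in the CA store, not in Trusted Root.
    $storeName = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($c)       # idempotent: re-adding an existing certificate is a no-op
    $store.Close()
    "Imported '{0}' into LocalMachine\{1}" -f $c.Subject, $storeName
    if ($storeName -eq 'Root') {
        # The file arrived over plain HTTP; confirm this value against the CA itself.
        "  Root thumbprint to verify out of band: {0}" -f $c.Thumbprint
    }
}

# Verification: every certificate in the file must now chain to a trusted root.
# Revocation is skipped here; CRL reachability from the gateway is a separate check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($c in $col) {
    if (-not $chain.Build($c)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain does not build for '$($c.Subject)': $why"
    }
}
'All certificates in the chain file are trusted by this computer.'
```

Run this elevated; writing to the LocalMachine stores requires administrator rights.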

The steps below walk through requesting the Operations Manager certificate for the gateway server.

Request a Certificate from the CA

Note: for target servers running Windows Server 2003, do the following steps from that machine; if the target is Windows Server 2008, run the following from a Windows Server 2003 server instead.

Open Internet Explorer and browse to http://<cert server>/certsrv

Select Request a certificate

The Request a Certificate webpage will open.

Select advanced certificate request

The Advanced certificate request webpage will open. Select Create and submit a request to this CA.

Select the template that was created earlier (Operations Manager 2012 Gateway Certificate) and fill in the Name and Friendly Name fields with the FQDN of the Gateway Server. The subject must match the name the management server will use for the gateway in the approval step.

If the Gateway server is in a workgroup with no DNS suffix, its computer name is its full name and is sufficient.

Under Key Options, check Mark keys as exportable if you intend to follow the PFX export procedure for the gateway below. Ensure the Request Format is PKCS10. Click Submit.

The Certificate is now generated. Click on Install Certificate.

The certificate has been successfully installed. Note: the web enrollment saves it to the Personal store of the current user, not of the computer.

Operations Manager authenticates the computer, so the certificate must be in the Local Computer Personal store. Open the Certificates MMC and drag (or copy and paste) the certificate from Certificates – Current User\Personal\Certificates to Certificates (Local Computer)\Personal\Certificates.

The certificate will now reside in the Local Computer certificate store. Open it and confirm that the General tab shows "You have a private key that corresponds to this certificate" and that the Certification Path tab reports the certificate is OK. If the private key did not follow the copy, export the certificate from the user store as a PFX including the private key and import that PFX into Local Computer\Personal instead.

Run MOMCertImport on the Management Server

This section provides step-by-step instructions for binding the Management Server's certificate to its Health Service with the MOMCertImport.exe utility. Each server runs MOMCertImport against the certificate issued in its own name: the Management Server imports the opsmgr.lab.ad certificate requested above, and the Gateway imports the gateway certificate in the next section. Importing the other server's certificate does not establish trust, because the certificate subject must match the name of the computer it is bound on.

Perform the following steps on the Management Server virtual machine.

Copy the MOMCertImport.exe tool from the installation media (SupportTools\AMD64) to the Management Server, into the installation path (IE: D:\Program Files\System Center 2012\Operations Manager\Server).

MOMCertImport can read the certificate straight from the Local Computer Personal store: run it with no arguments and pick the certificate in the Select Certificate dialog. The steps below use a PFX file instead, which is also the form needed when the certificate was issued on another machine.

From the Management Server, browse to the Local Computer Certificate store. Under Personal select the certificate and choose All Tasks > Export.

The Certificate Export Wizard window will open. Click Next.

The Export Private Key window will open. Click Yes, export the private key. Click Next.

The Export File Format window will open. Ensure Export all extended properties is checked. Click Next.

The Password window will open. Type and confirm a password. Click Next.

Specify a name and location to save the exported certificate to that is easily accessible. Click Next.

Click Finish to complete the export.

A dialog confirms the export was successful. Click OK. The PFX contains the private key: keep it on the Management Server and delete it once MOMCertImport has run.

Open a command prompt with Administrator credentials on the Management Server, browse to the folder where MOMCertImport.exe was copied and run the following command:

Momcertimport.exe D:\Sources\Certificates\opsmgr.pfx

A prompt will appear to Enter certificate password. Enter the certificate password. Hit Enter.

After a few moments, the message Successfully installed the certificate. Please check Operations Manager in event viewer to check channel connectivity appears. Close out of the command prompt window.

Run MOMCertImport on the Gateway Server

Perform the following steps on the Gateway Server virtual machine. The gateway installation path referred to below exists only once the Gateway Server has been installed (Install Gateway Server, below), so if the gateway is not installed yet, complete the approval and installation first and then return here.

Copy the MOMCertImport.exe tool from the installation media (SupportTools\AMD64) to the gateway server, into the gateway installation path.

The gateway's own certificate, requested from certsrv earlier, is already in the Gateway's Local Computer Personal store, so MOMCertImport can be run with no arguments and the certificate selected from the dialog. To use the same PFX procedure as on the Management Server, export it first:

On the Gateway Server, browse to the Local Computer Certificate store. Under Personal select the gateway certificate and choose All Tasks > Export.

The Certificate Export Wizard window will open. Click Next.

The Export Private Key window will open. Click Yes, export the private key. Click Next.

The Export File Format window will open. Ensure Export all extended properties is checked. Click Next.

The Password window will open. Type and confirm a password. Click Next.

Specify a name and location to save the exported certificate.

Click Finish to complete the export.

Verify the export was successful.

Open a command prompt with Administrator credentials on the Gateway Server. Browse to the gateway installation folder and run the following command, substituting the path of the PFX you just exported:

Momcertimport.exe D:\Sources\Certificates\<GatewayFQDN>.pfx

Enter the certificate password.

Verify the certificate installed successfully, then delete the PFX file.
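A check for both MOMCertImport steps (Management Server and Gateway), as an added example that is not part of the original post. MOMCertImport writes the serial number of the certificate it selected, in reversed byte order, to the REG_BINARY value ChannelCertificateSerialNumber under the Machine Settings key; the script reads that value back, finds the matching certificate in the Local Computer Personal store and checks the properties the Health Service needs: a private key, a subject CN equal to this computer's name, the Server and Client Authentication EKUs, a chain to a trusted root and a sensible expiry. The 30-day renewal window is an assumption. Run it elevated on whichever server was just configured.

```powershell
# Added example, not from the original post: verify what MOMCertImport bound to the
# Health Service on this computer (management server or gateway).
$key  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$prop = Get-ItemProperty -Path $key -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue
if (-not $prop) { throw 'ChannelCertificateSerialNumber is not set; MOMCertImport has not been run here.' }

# The value is the serial number with its bytes reversed; undo that to get the
# hex string the certificate store shows.
[byte[]]$bytes = $prop.ChannelCertificateSerialNumber
[Array]::Reverse($bytes)
$serial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
if (-not $cert) { throw "Registry points at serial $serial but no such certificate is in LocalMachine\My." }

# The subject CN must be the name this computer is known by: the FQDN for a domain
# member, the bare computer name for a workgroup gateway without a DNS suffix.
$expected = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key in the Local Computer store' }
if ($cn -ne $expected)       { $problems += "subject CN '$cn' does not match '$expected'" }

$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {   # Server / Client Authentication
    if ($ekus -notcontains $oid) { $problems += "EKU $oid missing (check the template's Application Policies)" }
}

# Verify() builds the chain and checks revocation, so an unreachable CRL shows up here too.
if (-not $cert.Verify()) { $problems += 'chain does not build to a trusted root (import the CA chain first)' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }   # assumed window

if ($problems) { throw ("Certificate $serial is bound but unusable: " + ($problems -join '; ')) }
"OK: '$cn' (serial $serial) is bound to the Health Service and passes all checks."
```

A failure on the subject check is the symptom of importing the other server's certificate: the serial is bound, but the CN belongs to the other machine.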

Approve Gateway to communicate with the Management sever

Perform the following steps on the Management Server virtual machine.

Browse the installation media to Supporttools\AMD64.

Select the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe and Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.CONFIG files and copy them.

Paste the files to the Operations Manager\Setup folder. (IE: D:\Program Files\System Center 2012\Operations Manager\Setup)

Open a Command Prompt with Run as Administrator

Browse to the Operations Manager installation folder. Configure the command line to match below:

MICROSOFT.ENTERPRISEMANAGEMENT.GATEWAYAPPROVALTOOL.EXE /managementservername=opsmgr.lab.ad /gatewayname=dc01.lab.ad /Action=Create

The process will take a few minutes to complete.

If the approval is successful, you will see: The approval of server <GatewayFQDN> completed successfully.

Install Gateway Server

Perform the following steps on the Gateway Management Server virtual machine.

Browse to the media source. Locate the Autorun.exe and double-click it to start the install. The System Center 2012 Operations Manager setup window will open. Select Gateway management server.

The Operations Manager Gateway Server Setup window will open.

The Destination Folder window will open. Specify the installation folder. Click Next.

The Management Group Configuration window will open. Enter the management group name, the management server the gateway will report to (opsmgr.lab.ad) and the management server port (5723 by default). Click Next.

The Gateway Action Account window will open. Select the type of action account used to gather operational data; Local System is used here. Click Next.

The Microsoft Update window will open. Select whether or not to use Microsoft Update. Click Next.

The Ready to Install window will open. Review the installation settings. Click Install.

The installation will take a few Moments to complete.

Click Finish.

Troubleshooting

Perform the following steps on the Gateway Management Server virtual machine and in the Operations console.

If event ID 21006 appears in the Operations Manager event log on the gateway, make sure the firewalls on the gateway and/or on the management server are not blocking TCP 5723 between them.

In the Operations console, under Administration > Device Management > Management Servers, open the gateway's Properties, switch to the Security tab and select Allow this server to act as a proxy and discover managed objects on other computers. This lets the gateway act as a proxy for the other systems that will connect through it.
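A quick connectivity and event-log check for a gateway that does not report in, as an added example that is not part of the original post. It first opens a TCP connection from the gateway to the management server's Health Service port (5723 is the default; the host name opsmgr.lab.ad is the one used on this page) so a firewall problem is separated from a certificate problem, then lists the most recent certificate and channel events that the OpsMgr Connector source writes to the Operations Manager log, which is where the event 21006 mentioned above appears. Run it on the gateway.

```powershell
# Added example, not from the original post: separate a firewall problem from a
# certificate problem on a gateway that is not connecting.
$ManagementServer = 'opsmgr.lab.ad'   # management server FQDN used on this page
$Port             = 5723              # default Health Service port

# 1. Can the gateway reach the management server's port at all? A timeout or
#    refusal here is the firewall case behind event 21006.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($ManagementServer, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000)) {
        throw "Timed out connecting to ${ManagementServer}:$Port (firewall or routing)"
    }
    $client.EndConnect($async)   # throws on connection refused
    "TCP $Port to $ManagementServer is open."
} finally {
    $client.Close()
}

# 2. Recent channel/certificate events from the Health Service connector. The
#    20050-20071 range covers the certificate and authentication failures;
#    21001/21006/21016 cover the connection attempts themselves.
$ids = @(20050..20071) + @(21001, 21006, 21016)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'OpsMgr Connector'; Id = $ids } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) {
    'No recent connector events in the 20050-20071 / 21001 / 21006 / 21016 set.'
} else {
    $events | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace "`r?`n", ' ') } } |
        Format-Table -AutoSize -Wrap
}
```

If the TCP check succeeds but certificate events are still logged, go back to the MOMCertImport verification on both servers: the most common cause is a certificate whose subject does not match the computer it is bound on.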

Categories: OpsMgr 2012
  1. October 11, 2014 at 1:27 am

    Helpful information. Fortunate me, I discovered your web site accidentally,
    and I'm surprised why this twist of fate didn't come about earlier!
    I bookmarked it.

  2. darren
    February 25, 2015 at 2:38 pm

    Hi I’m following your instructions but have got a bit lost.
    Under section “Import the MOMCertImport on Gateway Server”
    You say..
    Perform the following steps on the GATEWAY Server virtual machine.
    Copy the MOMCertImport.exe tool from the installation media to the gateway server, into the gateway installation path.
    From the MANAGEMENT Server, browse to the Local Computer Certificate store. Under personal select the certificate and choose Export.

    Your jpeg shows the OpsMgr Cert – not the GATEWAY cert. Have I missed something?

    Should the MOMCertImport tool be run on the MS Server and then importing the Cert from GATEWAY? I thought the MS Server should import the OpsMgr Cert.

    • March 1, 2015 at 4:49 pm

      You need to export the Management server certificate that the gateway server will communicate with and then import it into the gateway server using the momcertimport tool. This is part of what is needed to establish a trusted communication.

      Thanks,

      Tom

  3. STU
    August 17, 2015 at 8:22 am

    Hi Tom,
    first of all – great guide, you’ve put a lot of work in it.
    Like darren I also find the steps in regards to the certificate import with MOMCertImport a bit confusing. From what I know and what I have found in almost all Microsoft articles you have to use the MOMCertImport on the MS to import the MS certificate and to use the tool on the Gateway to import the GW cert. From your words above I get the impression that you are importing the MS cert on the Gateway and the GW cert on the Management Server? Is this right? I am a bit confused.
    Thanks in advance for your answer!
    Regards,
    STU

