Obtaining Certificates for Non-Domain Joined Agents Made Easy With Certificate Generation Wizard
Published Feb 14 2019 08:33 PM 7,321 Views
First published on TECHNET on Aug 22, 2008

We have created a new UI tool to make obtaining mass certificates easy.

Here at OpsMgr, we understand the pain that you have to go through to configure certificate authentication to deploy non-domain joined agents.  There are many things we've provided for you to make obtaining certificates easier. However, we know we're far from getting to that seamless solution, and are continually providing new tools to help facilitate this process.

Here's a quick lowdown: To mutually authenticate the non-domain joined agent, both the non-domain joined agent and the server both require a personal computer certificate and a root CA certificate.  This can be accomplished through two basic steps:

1.  Request and acquire the certs from a Certification Authority (CA).

Your company may already have an Enterprise CA set up if using PKI, but if not, you can install a CA (just add it as a role, like you do any other role in Win2K3 and up) and request certificates from there.

2.  Install the certificates onto the local machine certificate store of the agent and server computer. Run MOMCertImport.exe tool.

This step is required to, in a sense, "register" your certificates to your computer.  The MOMCertImport tool will alert OpsMgr of which certificates you would like to use.

To make it easy, we have developed a tool (attached below as CertGenBinaries.zip) to help simplify the process.

CertGenWizard.exe is a wizard tool which will take your CA information as input (it isn't required if you are running the wizard on the box with the CA), take in the computer names (has to be FQDNs), and send out a request for the certificates you need.  Now, you no longer have to fill out the Certificate Request form or enter parameters or connect to the web enrollment service.  Once the certificates are approved, there is a Retrieve button in the CertGenWizard which will allow you to retrieve the certificates that you have requested.  On top of the personal certificates, the wizard will retrieve the root CA certificate.

The biggest benefit to this tool is the added ability to request multiple certificates at once.  If you have 100 non-domain joined agents that you need to set up cert auth for, you can simply request all 100 machine certificates at once, retrieve them all, and manually bring them over to your other machines.

Once you have brought them to your other machines, CertInstaller.exe is a second tool that will install the certificates into the local machine store of your computer and run MOMCertImport.exe for you. Note: Install OpsMgr Agent FIRST and then run the tool!

Below are the steps to using the tool:


-.NET Framework 3.0

-A Certification Authority (Win2K3/Win2K8 Enterprise/Stand-alone CA)

-If it is an Enterprise CA (an OpsMgr certificate template must be created)

- make sure createReqFile.bat is in the same directory as the CertGenWizard.exe

-MOMCertImport.exe must be in the same directory as CertInstaller.exe.

Using CertGenWizard.exe:

Installing the wizard:

  1. Download the .zip file and unzip it on to a computer with a CA or that has access to a CA.

  2. Run CertGenWizard.exe.

Requesting certificates:

  1. Discover your CA page - Supply your CA information to find a particular CA to use.  If you don't have a CA installed, you'll have to install one yourself. Note: The wizard won't continue if it doesn't detect a CA.

  2. Certificate Request page - Enter the FQDNs of the computers you need certificates for (all the agents and servers), a save directory. Note: If you have an Enterprise CA, a drop down box will appear and you must select a certificate template.  This must be created beforehand by your CA admin.  The instructions to create an OpsMgr cert template are included in the OpsMgr Security Guide.

  3. Hit Create.


A processing page will pop up showing the status of each certificate request.

The root CA certificate will also be downloaded at this level and saved as RootCertificate.cer.

Retrieving certificates:

  1. If auto-approve is on, your certificates will be retrieved automatically.  You're done.

  2. Otherwise, the pending certificates will be displayed in the next screen.

  3. Ask your CA admin to approve the requests. At this point you can close the wizard and come back to it. If you are the CA Admin, log on to your CA machine, run cmd --> certsrv.msc to open your CA console.  Go to Pending Requests, and find the request ID of the certificates you have requested and issue them.  Close the console once you're done.

  4. Open your wizard if it's closed, view your pending Certificate Requests and hit Retrieve.


The final page will alert you of your status.  It will alert you to say which certificates have been denied, which have been approved, and which still are pending.

Using the Certificate Installer:

Note: Install the OpsMgr agents BEFORE running the Installer.

What you need on the agent machine:

  • CertInstaller.exe

  • The generated machine certificate (ex. server1.contoso.com.cer)

  • Root certificate (RootCertificate.cer)

  • MOMCertImport.exe.

  1. Load the machine certificate.

  2. Load the root certificate.

  3. Click install.

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included utilities are subject to the terms specified at

-Adam Kiu

System Center Operations Manager


Version history
Last update:
‎Mar 11 2019 08:05 AM
Updated by: