To download the CA certificate from CorpCA and save it as CAcertificate.cer, use the following command line:
certutil -f -config "cahost.contoso.com\CorpCA" -ca.cert CAcertificate.cer
To place CACertificate.cer in the Local Computer Trusted Root Certificate Authorities store, use the following command line:
certutil -addstore Root CAcertificate.cer
More information on certutil usage can be found at http://technet2.microsoft.com/windowsserver/en/library/a3d5dbb9-1bf6-42da-a13b-2b220b11b6fe103...
Obtaining and Installing a Client Certificate
Now let's get a client certificate which will be presented when attempting to authenticate. There are a few steps to do this via command line.
1. Create the INF request file.
Open Notepad and make a new file named "RequestConfig.inf". Paste the following text into the file:
(If your CA is stand-alone)
[NewRequest]
Subject="CN=<Machine FQDN>"
Exportable=TRUE
KeyLength=1024
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
(If your CA is enterprise and has implemented a template called OpsMgrCertificate as detailed in the above-linked guide)
[NewRequest]
Subject="CN=<Machine FQDN>"
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[RequestAttributes]
CertificateTemplate="OpsMgrCertificate"
2. Convert the INF into a binary REQ file.
Run the following command line to create BinaryRequest.req from RequestConfig.inf:
certreq -new -f RequestConfig.inf BinaryRequest.req
More information on the syntax of the INF file, as well as detailed usage information for CertReq, can be found at http://technet2.microsoft.com/windowsserver/en/library/008acdeb-0650-4063-a9a2-1258b3229d4f103...
3. Submit the binary request to the CA and retrieve the resulting certificate.
Run the following command line to submit BinaryRequest.req to CorpCA:
certreq -submit -f -config "cahost.contoso.com\CorpCA" BinaryRequest.req
If your CA is set up to auto-approve certificate requests, you will immediately be prompted to save the resulting certificate. If you anticipate this to be the case, you can optionally skip the Save dialog by specifying the filename you want to save to (for example NewCertificate.cer) as an extra argument to the above command line.
Otherwise the RequestId of your request will be printed to the console. An admin at the CA must then choose to issue the certificate. Once the cert is issued, you can retrieve it and save the certificate as NewCertificate.cer by running the following command line:
certreq -retrieve -f -config "cahost.contoso.com\CorpCA" <RequestId> NewCertificate.cer
4. Install the certificate
To install NewCertificate.cer into the Local Computer Personal store, run the following command line:
certreq -accept NewCertificate.cer
And there you have it! You should now have the needed CA certificate and client certificate, both installed in the proper places. From here, run MOMCertImport.exe (either double-click it to use the GUI or run it with the /SubjectName command line flag) to have Ops Mgr consume your new certificate and begin authenticating with it. These steps need to be followed on both the Management Server and the Gateway.
Below is a simple batch script GetCert.cmd which ties together all of the steps above. This script is suitable for stand-alone CorpCA, set to auto-approve all requests.
if {%1} equ {/?} goto USAGE
if {%1} equ {-?} goto USAGE
if {%1} equ {?} goto USAGE
if {%1} equ {} goto USAGE
set subjectname=%1
set certpath=%systemdrive%\OMCertificates
mkdir %certpath%
rem Get the CA's cert
certutil -f -config "cahost.contoso.com\CorpCA" -ca.cert %certpath%\CACertificate.cer
rem Move the CA's cert to the "Trusted Root Authorities" store
certutil -f -addstore Root %certpath%\CACertificate.cer
rem Create an INF request file with the specified subjectname
del %certpath%\RequestConfig.inf
echo [NewRequest] > %certpath%\RequestConfig.inf
echo Subject="CN=%subjectname%" >> %certpath%\RequestConfig.inf
echo Exportable=TRUE >> %certpath%\RequestConfig.inf
echo KeyLength=1024 >> %certpath%\RequestConfig.inf
echo KeySpec=1 >> %certpath%\RequestConfig.inf
echo KeyUsage=0xf0 >> %certpath%\RequestConfig.inf
echo MachineKeySet=TRUE >> %certpath%\RequestConfig.inf
echo [EnhancedKeyUsageExtension] >> %certpath%\RequestConfig.inf
echo OID=1.3.6.1.5.5.7.3.1 >> %certpath%\RequestConfig.inf
echo OID=1.3.6.1.5.5.7.3.2 >> %certpath%\RequestConfig.inf
rem Create a binary request file from the INF
del %certpath%\BinaryRequest.req
CertReq -New -f %certpath%\RequestConfig.inf %certpath%\BinaryRequest.req
rem Submit the request to our CA and save the certificate
CertReq -Submit -f -config "cahost.contoso.com\CorpCA" %certpath%\BinaryRequest.req %certpath%\NewCertificate.cer
rem This step is needed to import the private key. It also puts the certificate in the local computer personal store.
certreq -accept %certpath%\NewCertificate.cer
goto END
:USAGE
echo.
echo GetCert.cmd FQDN_of_machine
echo Example: GetCert.cmd Computer01.Contoso.com
echo Gets and installs a cert from CA cahost.contoso.com (CorpCA) appropriate for OMv3, and also gets and installs CA cert so this CA is trusted.
echo.
:END
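After step 4, and before handing the certificate to MOMCertImport.exe, the following PowerShell script verifies that what landed in the Local Computer Personal store matches what the INF above asked for: a bound private key, both the Server Authentication and Client Authentication EKUs, the signature and key-encipherment key usages, and a chain that builds to the CA certificate placed in Root. This is an added example, not part of the original post or of the GetCert.cmd script; it assumes the request subject was CN=<Machine FQDN> as above, and it goes one step further than the page by warning when the key is shorter than 2048 bits, since the 1024-bit KeyLength in the sample INF is below current minimums.

```powershell
# Post-install check for the Ops Mgr client certificate (added example).
# Assumes the certificate was requested with Subject="CN=<Machine FQDN>" as above.
param([Parameter(Mandatory = $true)][string]$SubjectName)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # EKU OIDs from the INF above
$clientAuth = '1.3.6.1.5.5.7.3.2'

# Pick the newest certificate in LocalMachine\My with the requested subject
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$SubjectName in LocalMachine\My" }

$problems = @()

# certreq -accept binds the private key; without it the cert cannot authenticate
if (-not $cert.HasPrivateKey) { $problems += 'private key is not associated with the certificate' }

# EKU must contain both Server Authentication and Client Authentication
$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
foreach ($oid in $serverAuth, $clientAuth) {
    if ($ekus -notcontains $oid) { $problems += "missing EKU $oid" }
}

# KeyUsage=0xf0 covers DigitalSignature and KeyEncipherment among others; require those two
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
if (-not $ku -or (($ku.KeyUsages -band $required) -ne $required)) {
    $problems += 'KeyUsage lacks DigitalSignature and/or KeyEncipherment'
}

# The chain must build to the CA certificate imported into Root in the first step
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only; no CRL/OCSP fetch here
if (-not $chain.Build($cert)) {
    $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "chain does not build to a trusted root: $statuses"
}

# Advisory: the sample INF requests a 1024-bit key, which is below the 2048-bit minimum
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($rsa -and $rsa.KeySize -lt 2048) {
    Write-Warning "RSA key is $($rsa.KeySize) bits; request at least 2048 (KeyLength=2048 in the INF)"
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
Write-Host "OK: $($cert.Thumbprint) (expires $($cert.NotAfter))"
```

Run it as an administrator with the same FQDN passed to GetCert.cmd; a non-zero exit code means MOMCertImport.exe would be given a certificate Ops Mgr will reject.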