Yo-ho-ho,
This is a 3-part series about Mutual Authentication for SCOM.
Mutual Authentication for SCOM Part 1: Root CA
Mutual Authentication for SCOM Part 2: Certificate Request
Mutual Authentication for SCOM Part 3: Prepare Gateway /DMZ server for Mutual Authentication
To be honest, this is a big one for me. It took me days to figure out what I needed to fill in every field and what is required.
So what do you need?
Let’s start by duplicating the required certificate template. Go to your root CA and open a new MMC. Click “File”, then “Add/Remove Snap-in…”. Select “Certificate Templates” and add it to the selected snap-ins.
Search for “IPSec (offline request)”, right-click it and duplicate it.
Leave “Compatibility” as is
In “General” give it a name – I had good experience with something like: Company Name – Use of the Certificate – Validity period – Version number
Check “Allow private key to be exported” in “Request Handling” and leave the rest as is.
Set the minimum key size to “2048” and enable “Microsoft RSA SChannel Cryptographic Provider” and “Microsoft Enhanced Cryptographic Provider v1.0”.
There is nothing to change in “Key Attestation” and “Superseded Templates”.
In “Extensions”, edit “Application Policies”: remove “IP security IKE intermediate” and add “Client Authentication” and “Server Authentication”.
The next tab is “Security”. You’ve got to give “Authenticated Users” the right to “Enroll”, and we need to add “Domain Computers” with allow on “Read”, “Write” and “Enroll”.
“Subject Name”, “Server” and “Issuance Requirements” can be left in their default state.
Okay. So the template is done. The next step is to add the “Certification Authority” snap-in. Go down to “Certificate Templates”, right-click on it and click on “New”, then “Certificate Template to Issue”.
The certificate template will appear, which means that it is now available for requests. So you’re done at the CA. The next step is to request the certificate on your SCOM server. You will find the guide in Part 2.
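To confirm the duplicated template ended up with the settings from the steps above, the following added example (not part of the original post) checks the template's Active Directory attributes. The template display name is a hypothetical placeholder that follows the naming pattern suggested earlier, and the sample object is constructed so the check runs without a domain.

```powershell
# Added example, not from the original post. OIDs and the flag bit are the standard values.
$ClientAuth    = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ServerAuth    = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$IkeInterm     = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate
$ExportableKey = 0x10                  # CT_FLAG_EXPORTABLE_KEY bit of msPKI-Private-Key-Flag

function Test-ScomTemplate {
    param([Parameter(Mandatory)] $Template)
    $eku  = @($Template.pKIExtendedKeyUsage)
    # pKIDefaultCSPs values are stored as "<order>,<provider name>"
    $csps = @($Template.pKIDefaultCSPs) -replace '^\d+,', ''
    [ordered]@{
        'Client Authentication present'  = $eku -contains $ClientAuth
        'Server Authentication present'  = $eku -contains $ServerAuth
        'IKE intermediate removed'       = $eku -notcontains $IkeInterm
        'Minimum key size >= 2048'       = [int]$Template.'msPKI-Minimal-Key-Size' -ge 2048
        'Private key exportable'         = ([int]$Template.'msPKI-Private-Key-Flag' -band $ExportableKey) -ne 0
        'RSA SChannel provider enabled'  = $csps -contains 'Microsoft RSA SChannel Cryptographic Provider'
        'Enhanced provider v1.0 enabled' = $csps -contains 'Microsoft Enhanced Cryptographic Provider v1.0'
    }
}

# Constructed sample shaped like the AD attributes of a certificate template object
$sample = [pscustomobject]@{
    displayName              = 'Contoso - SCOM Mutual Auth - 2 Years - v1'   # hypothetical name
    pKIExtendedKeyUsage      = @($ClientAuth, $ServerAuth)
    'msPKI-Minimal-Key-Size' = 2048
    'msPKI-Private-Key-Flag' = 0x10
    pKIDefaultCSPs           = @('1,Microsoft RSA SChannel Cryptographic Provider',
                                 '2,Microsoft Enhanced Cryptographic Provider v1.0')
}
Test-ScomTemplate $sample | Format-Table -AutoSize

# Live check on a domain-joined host with the RSAT ActiveDirectory module:
# $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
#         (Get-ADRootDSE).configurationNamingContext
# $t = Get-ADObject -SearchBase $base -Properties * `
#      -Filter "displayName -eq 'Contoso - SCOM Mutual Auth - 2 Years - v1'"
# Test-ScomTemplate $t | Format-Table -AutoSize
```

Any row that shows `False` points at the template tab to revisit before you publish the template for enrollment.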
*Captain