Mutual Authentication for SCOM Part 1: Root CA


This is a 3 part series about Mutual Authentication for SCOM.

Mutual Authentication for SCOM Part 1: Root CA

Mutual Authentication for SCOM Part 2: Certificate Request

Mutual Authentication for SCOM Part 3: Prepare Gateway /DMZ server for Mutual Authentication


To be honest this is a big one for me. It took me days to figure out to figure out what I needed to fill in every field and what is required.

So what do you need?

Let’s start with duplicating the required certificate. Go to your root CA and open a new mmc. Hit on “File” and “Add/Remove Snap-in…” Select “Certificate Templates” and add it to the selected snap-ins

2014-10-14 10_38_12-wsysca000301 - Remote Desktop Connection

Search for IPSec (offline request), right -click and duplicate it.

2014-10-14 10_42_10-wsysca000301 - Remote Desktop Connection

Leave “Compatibility” as is


2014-12-17 17_51_06-wsysca000301 - Remote Desktop ConnectionIn “General” give it a name – I had good experience with something like: Company Name – Use of the Certificate – Validity period – Version number

2014-12-17 17_53_03-wsysca000301 - Remote Desktop ConnectionCheck “Allow private key to be exported” in “Request Handling” and leave the rest as is.

2014-12-17 18_00_16-wsysca000301 - Remote Desktop ConnectionSet the minimum key size to “2048” and enable “Microsoft RSA SChannel Cryptographic Provider” and “Microsoft Enhanced Cryptographic Provider v.1.0”

2014-12-17 18_04_22-wsysca000301 - Remote Desktop ConnectionThere is nothing to change in “Key Attestation”

2014-12-17 18_08_38-wsysca000301 - Remote Desktop Connectionand “Superseded Templates”

2014-12-17 18_12_20-wsysca000301 - Remote Desktop ConnectionIn “Extensions” edit “Application Policies” remove “IP security IKE intermediate”. Add “Client Authentication” and “Server Authentication”

2014-12-17 18_16_53-wsysca000301 - Remote Desktop ConnectionNext tab is security. You’ve got to give “Authenticated Users” the right to “Enroll”

2014-12-17 18_26_13-wsysca000301 - Remote Desktop Connection

and we need to add “Domain Computers” allow on “Read”, “Write” and “Enroll”.

2014-12-17 18_29_22-wsysca000301 - Remote Desktop Connection“Subject Name”, “Server” and Issurance Requirements can be left in default state.

2014-12-17 18_33_51-wsysca000301 - Remote Desktop Connection 2014-12-17 18_34_03-wsysca000301 - Remote Desktop Connection 2014-12-17 18_34_12-wsysca000301 - Remote Desktop ConnectionOkay. So the template is done. Next step is to Add the “Certification Authority” Snap-in. Go down to “Certificate Templates”, right-click on it and click on “New” “Certificate Template to Issue”.

2014-12-17 18_38_28-wsysca000301 - Remote Desktop Connection


The certificate template will appear what means that it is available for requests by now.  So you’re done at the CA. Next step is to request the certificate on your SCOM server. You will find the guide in Part 2.


Submit a comment on “Mutual Authentication for SCOM Part 1: Root CA”

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2022 IT-Pirate