How to Create a Certificate in an Enterprise CA for Operations Manager 2007

The following procedures provide the steps for obtaining a certificate from an enterprise certification authority (CA) by using Certificate Services, which is a component of Windows 2000 Server and Windows Server 2003. The procedures must be completed in the order in which they appear: first create the template on the CA, then request a certificate based on that template from the computer that needs it.

To create a certificate template

  1. On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.

  2. In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.

  3. In the Certificate Templates console, in the results pane, right-click IPSec (Offline request), and then click Duplicate Template.

  4. In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template (for example, OperationsManagerCert).

  5. On the Request Handling tab, select Allow private key to be exported, and then click CSPs.

  6. In the CSP Selection dialog box, select the cryptographic service provider that best suits your business needs, and then click OK.

    Note

    Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.

  7. Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Remove.

  8. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.

  9. Click Add; in the Application policies list, hold down the CTRL key to multi-select items from the list; click Client Authentication and Server Authentication; and then click OK.

  10. In the Edit Application Policies Extension dialog box, click OK.

  11. Click the Security tab, ensure that the group containing the account that will request the certificate has Read and Enroll permissions, and then click OK.

    Note

    The new template must also be published on the CA before it is offered for enrollment. In the Certification Authority console, right-click Certificate Templates, point to New, click Certificate Template to Issue, and then select the template.
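The following PowerShell script is an added example, not part of the original article, that checks the template's stored settings in Active Directory before you proceed to the request procedure. It assumes the template's internal name is OperationsManagerCert (the default when the display name has no spaces), that it runs on a domain-joined computer, and that the caller can read the Configuration partition. It reads the attributes that the template steps above set: the application policies (Client Authentication and Server Authentication present, IP security IKE intermediate removed), the exportable-key flag, and the flag that lets the enrollee supply the subject name.

```powershell
# Added example (not part of the original article): verify the duplicated
# template in Active Directory. Assumptions: template internal name, domain
# membership, and read access to the Configuration naming context.
function Test-OpsMgrTemplate {
    param([string]$TemplateName = "OperationsManagerCert")   # assumed name

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext
    $dn       = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $template = [ADSI]"LDAP://$dn"
    if (-not $template.distinguishedName) {
        throw "Template '$TemplateName' was not found at $dn"
    }

    # Application policy OIDs expected after steps 7-10
    $clientAuth = "1.3.6.1.5.5.7.3.2"
    $serverAuth = "1.3.6.1.5.5.7.3.1"
    $ikeInter   = "1.3.6.1.5.5.8.2.2"   # inherited from IPSec (Offline request); must be removed
    $ekus = @($template.Properties["pKIExtendedKeyUsage"])

    # msPKI-Private-Key-Flag bit 0x10 = CT_FLAG_EXPORTABLE_KEY (step 5)
    $privateKeyFlags = [int]$template.Properties["msPKI-Private-Key-Flag"].Value
    # msPKI-Certificate-Name-Flag bit 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    # which is why the request procedure asks you to type the FQDN yourself
    $nameFlags = [int]$template.Properties["msPKI-Certificate-Name-Flag"].Value

    $result = [ordered]@{
        TemplateFound          = $true
        HasClientAuthentication = $ekus -contains $clientAuth
        HasServerAuthentication = $ekus -contains $serverAuth
        IkeIntermediateRemoved  = -not ($ekus -contains $ikeInter)
        PrivateKeyExportable    = ($privateKeyFlags -band 0x10) -ne 0
        EnrolleeSuppliesSubject = ($nameFlags -band 0x1) -ne 0
    }

    $failed = $result.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }
    if ($failed) {
        Write-Warning ("Template '{0}' fails checks: {1}" -f $TemplateName, ($failed -join ", "))
    }
    return [pscustomobject]$result
}

Test-OpsMgrTemplate -TemplateName "OperationsManagerCert" | Format-List
```

Every property in the output should read True. A False for IkeIntermediateRemoved means step 8 was skipped, and the issued certificates would carry an IPsec-only policy alongside the two that Operations Manager needs.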

To request a certificate from an enterprise CA

  1. Log on to the computer where you want to install a certificate (for example, gateway server or Management Server).

  2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).

  3. On the Microsoft Certificate Services Welcome page, click Request a certificate.

  4. On the Request a Certificate page, click Or, submit an advanced certificate request.

  5. On the Advanced Certificate Request page, click Create and submit a request to this CA.

  6. On the Advanced Certificate Request page, do the following:

    1. Under Certificate Template, select the name of the template you created (for example, OperationsManagerCert).

    2. Under Identifying Information For Offline Template, in the Name field, enter a unique name, for example the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the rest of the fields, enter the appropriate information.

      Note

      Event ID 20052 of type error is generated if the FQDN entered into the Name field does not match the computer name.

    3. Under Key Options, click Create a new key set; in the CSP list, select the cryptographic service provider that best suits your business needs; under Key Usage, select Both; under Key Size, select a key size that best suits your business needs; select Automatic key container name; ensure that Mark keys as exportable is selected; clear Export keys to file; clear Enable strong private key protection; and then select Store certificate in the local computer certificate store.

      Note

      Enable strong private key protection must be cleared and the certificate must be stored in the local computer store because the Operations Manager service uses the private key without an interactive user. An exportable private key can be exported by any administrator of the computer, so restrict administrative access to the computer accordingly.

      Note

      Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.

    4. Under Additional Options, under Request Format, select CMC, in the Hash Algorithm list select SHA-1, clear Save request to a file, and then in the Friendly Name field, enter the fully qualified domain name (FQDN) of the computer that you are requesting the certificate for.

    5. Click Submit.

    6. If a Potential Scripting Violation dialog box is displayed, click Yes.

    7. On the Certificate Issued page, click Install this certificate.

    8. If a Potential Scripting Violation dialog box is displayed, click Yes.

    9. On the Certificate Installed page, when you see the message that Your new certificate has been successfully installed, close the browser.
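The following PowerShell script is an added example, not part of the original article, that performs the same request from the command line with certreq instead of the web enrollment pages and then checks the installed certificate. The INF mirrors the Key Options above (new key set, RSA SChannel provider, Both key usage, exportable, local computer store, CMC request format). The CA configuration string, template name and key size are assumptions that you must replace with your own; the request is also assumed to be issued immediately rather than held for CA manager approval. The final check confirms the points the Note on Event ID 20052 warns about: the subject is the computer's own FQDN, the private key is present, and both application policies are on the certificate.

```powershell
# Added example (not part of the original article): request and verify the
# certificate with certreq. Assumptions: CA config string, template name,
# key size, and an enterprise CA that issues the template automatically.
$CaConfig     = "ca01.contoso.com\Contoso Enterprise CA"   # assumed "<host>\<CA name>"
$TemplateName = "OperationsManagerCert"                      # template from the first procedure
$KeyLength    = 2048                                         # assumed key size

# The subject must be this computer's own FQDN, or the agent logs Event ID 20052
$fqdn = [System.Net.Dns]::GetHostEntry("").HostName

$inf = @"
[NewRequest]
Subject = "CN=$fqdn"
Exportable = TRUE          ; Mark keys as exportable
KeyLength = $KeyLength
KeySpec = 1                ; AT_KEYEXCHANGE, the equivalent of Key Usage: Both
KeyUsage = 0xA0            ; Digital Signature + Key Encipherment
MachineKeySet = TRUE       ; Store certificate in the local computer certificate store
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
[RequestAttributes]
CertificateTemplate = $TemplateName
"@

$work    = Join-Path $env:TEMP "opsmgr-cert"
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work "request.inf"
$reqPath = Join-Path $work "request.req"
$cerPath = Join-Path $work "issued.cer"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the key pair and request, submit it to the CA, and install the issued
# certificate into LocalMachine\My next to the private key
& certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
& certreq -submit -config $CaConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }
& certreq -accept $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

function Test-OpsMgrCertificate {
    param([string]$ExpectedFqdn)

    $clientAuth = "1.3.6.1.5.5.7.3.2"
    $serverAuth = "1.3.6.1.5.5.7.3.1"

    # Newest certificate in the computer store whose subject is exactly the FQDN
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ExpectedFqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for CN=$ExpectedFqdn in LocalMachine\My" }

    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

    $result = [ordered]@{
        Thumbprint              = $cert.Thumbprint
        SubjectMatchesFqdn      = $cert.Subject -eq "CN=$ExpectedFqdn"
        HasPrivateKey           = $cert.HasPrivateKey
        HasClientAuthentication = $ekus -contains $clientAuth
        HasServerAuthentication = $ekus -contains $serverAuth
        ChainTrusted            = $cert.Verify()   # issuing CA chain trusted on this computer
    }
    $failed = $result.GetEnumerator() |
        Where-Object { $_.Value -is [bool] -and -not $_.Value } | ForEach-Object { $_.Key }
    if ($failed) { Write-Warning ("Certificate fails checks: {0}" -f ($failed -join ", ")) }
    return [pscustomobject]$result
}

Test-OpsMgrCertificate -ExpectedFqdn $fqdn | Format-List
```

A False ChainTrusted means the CA's own certificate is not yet trusted on this computer; that is addressed by the CA certificate import task listed under See Also, and must be done before the certificate is imported into Operations Manager.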

See Also

Tasks

How to Create a Certificate in a Stand-Alone CA for Operations Manager 2007
How to Import a CA Certificate for Use with Operations Manager 2007
How to Import Certificates in Operations Manager 2007
How to Remove a Certificate that was Imported with the MOMCertImport Tool in Operations Manager 2007

Concepts

Certificates in Operations Manager 2007
Mutual Authentication in Operations Manager 2007

Other Resources

About Security in Operations Manager 2007
Security Considerations in Operations Manager 2007
