Previous Posts In This Thread:
On Wednesday, May 07, 2008 9:39 AM
Muson wrote:
SCOM generates self signed certificates
Hello
I have SCOM 2007 sp1 installed in Domain. I also have Stand-alone
Certificate authority. I want to monitor server in DMZ (workgroup).
I create scom.consoso.local certificate, install it on SCOM server, install
Root certificate, importing with MOMCertimport.exe, registry value is the
same as in Local computer -> Personal -> Certificate (Certificates MMC
local computer).
I do the same with server in dmz, with name server01
But in server01, OpsMgr event log I can see events 20067, 21002, 20070,
21002... mutual authentication failed, certificate chain error (root not
trusted...)..
Name resolution works fine, with FQDN (both ways). All ports are open, I
can telnet from agent to SCOM 5723 port.
These certificates are 100% valid, and they do trust Root
I found that every time Health service starts (restarts) it generates a self
signed certificate in Local computer -> Operations Manager -> Certificates
(Certificates MMC local computer).
If I delete this certificate, and put my created certificate, health service
will recreate new certificate. (same thing on agent and scom server)
So I am not sure, if health service should create these certificates, if it's
normal, what could be the cause why agent and scom can't communicate.
-
Muson
On Wednesday, May 07, 2008 1:56 PM
latki wrote:
Yes, the self-signed certificate in the Ops Mgr store is supposed to be
created at each healthservice startup, and is unrelated to cross-domain cert
authentication, so no worries there.
From your description it sounds like you did correct steps for configuring
certs, so let me ask a couple questions to see if we can figure out the
problem.
- After running MOMCertImport, are you getting success events? If
healthservice loads the cert successfully you should see event 20053.
- Are all certificates (client and root) coming from the same CA?
Thanks,
-Lincoln
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
On Thursday, May 08, 2008 3:37 AM
Muson wrote:
Hi Lincoln,
After MOMCertImport I restarted SCOM server, and same on agent.
Yes, both agent and SCOM agent have 20053 event, - certificate loaded
successfully.
And both certificates are created from one Certificate Authority.
--
Muson
"Lincoln Atkinson [MSFT]" <***@online.microsoft.com> wrote in message news:FB7A118E-C083-46B3-B62E-***@microsoft.com...
On Thursday, May 08, 2008 9:51 AM
WillKaise wrote:
Would you mind posting the descriptions for each of the errors that you're
seeing in the event log?
I've set up agents and gateway servers in numerous environments and the
steps you followed sound correct. Some questions:
- Are you using the cert home page on your CA to request and install both
Root CA certs and OpsMgr certs?
- Are the CDP's specified in your OpsMgr cert available to DMZ machines?
- Did you create a cert template as specified in the Security Guide?
On Friday, May 09, 2008 4:20 AM
Muson wrote:
Hello,
I created certificate in my stand-alone RootCA and enrolled certificates
through web - Request a Certificate -> Create and submit a Request to this
CA, entering FQDN of RMS server ("scom.consoso.com", and for dmz server -
"server01"), template "other" and typed OID: 1.3.6.1.5.5.7.3.1,
1.3.6.1.5.5.7.3.2, mark key as exportable, 1024. (One thing, for some reason
I can't see in web enrollment page "Store certificate in the local computer
certificate store") So certificate is installed in User personal
certificate container (certificates mmc), I drag & drop to Local computer ->
personal container.
CDP-what? :)
As I understand certificate templates are for Enterprise CA and mine's
Stand-Alone. But eventually I will create Enterprise CA and test it with
templates.
--
Muson
"Will Kaiser" <***@discussions.microsoft.com> wrote in message news:65CEF29E-25CF-478E-85A4-***@microsoft.com...
On Friday, May 09, 2008 3:11 PM
latki wrote:
(One thing, for some reason
Let me guess, your CA is on a Windows Server 2008 machine? If this is the
case I know the issue and can get you fixed up.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
On Monday, May 12, 2008 2:31 AM
Muson wrote:
Re: SCOM generates self signed certificates
Yep, CA is on 2008.
--
Muson
On Monday, May 12, 2008 10:28 PM
latki wrote:
There was a decision to remove the "Store certificate in the local computer
certificate store" from the web UI for CAs hosted on Windows Server 2008.
Unfortunately this option is needed for MOM certificates, so you have to use
different methods to get your certificates.
Below are the steps to get a certificate using command line tools that ship
with Windows. Delete any old certificates, then follow these steps on each
machine that needs a certificate.
1. Get the CA cert and import to the Trusted Root Authorities store (you
already did this it seems)
2. Create a text file called RequestConfig.inf with the following content:
[NewRequest]
Subject="CN=<FQDN of machine>"
Exportable=TRUE
KeyLength=1024
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
3. Create a binary certificate request file CertRequest.req by using the
command line:
CertReq -New -f RequestConfig.inf CertRequest.req
4. Submit the request to your CA using the command line:
CertReq -Submit -f -config <CA server name>\<CA name> CertRequest.req
5. If your CA is set to auto-approve, you will then be prompted to save the
resulting certificate immediately. Save it as NewCertificate.cer and go to
step 6.
Otherwise you will get a message indicating your request has been set to
pending and an admin at the CA will need to approve the request. It will
tell you the RequestId of your request. Have an admin approve it, then run
the following command line to pull down the approved cert and save it as
NewCertificate.cer:
CertReq -Retrieve -config <CA server name>\<CA name> -f <RequestId>
NewCertificate.cer
6. Run the command line
CertReq -accept NewCertificate.cer
Your certificate should now be in the Local Computer Personal store, ready
to go. Run MOMCertImport.exe to have MOM consume this certificate, and
things should work.
-Lincoln
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
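Lincoln's steps 2 to 6 above are easy to get slightly wrong by hand (a request INF that does not begin with a bracketed section name, a CN that is not the machine's real FQDN, a certificate that lands in the user store instead of the Local Computer store). The following PowerShell script is an added example written for this thread, not code from Lincoln, Microsoft or the SCOM product, that scripts the same certreq sequence and then runs the checks worth doing before handing the certificate to MOMCertImport.exe: the certificate sits in LocalMachine\My with its private key, carries both EKU OIDs from the INF, and chains to a trusted root with its CDP/AIA URLs reachable from this host (the "CDP" point Will raised). Assumptions: an elevated PowerShell prompt, the CA root already imported into Trusted Root Certification Authorities (step 1), and the `$CaConfig` placeholder replaced with your own `<CA server name>\<CA name>` value; the function names are mine.

```powershell
# Added example (not from the thread): scripted certreq flow for a MOM/SCOM
# machine certificate, following steps 2-6 above, plus post-install checks.
$CaConfig = "CASERVER\PLACEHOLDER-CA-NAME"   # placeholder: "<CA server name>\<CA name>"
$WorkDir  = "C:\CertReq"
$InfFile  = Join-Path $WorkDir "RequestConfig.inf"
$ReqFile  = Join-Path $WorkDir "CertRequest.req"
$CerFile  = Join-Path $WorkDir "NewCertificate.cer"

# MOM matches the certificate CN against the name the machine resolves to,
# so derive the FQDN from the host's own DNS settings instead of typing it.
function Get-LocalFqdn {
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }
}

# Step 2: write the INF exactly as given in the thread. certreq expects the
# first non-blank line to be a bracketed section name, so the file is
# generated as plain ASCII with nothing in front of [NewRequest].
function New-RequestInf($Fqdn) {
    New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
    $inf = @"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=1024
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@
    Set-Content -Path $InfFile -Value $inf -Encoding ASCII
}

# Steps 3-5: build the request and submit it. Returns $true when the CA issued
# the certificate straight away (it is then already saved as $CerFile), or
# $false when the request is pending and an admin has to approve it.
function Submit-Request {
    certreq -New -f $InfFile $ReqFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -New failed with exit code $LASTEXITCODE" }
    $out = certreq -Submit -f -config $CaConfig $ReqFile $CerFile 2>&1 | Out-String
    $id = if ($out -match 'RequestId:\s*(\d+)') { $matches[1] } else { '<unknown>' }
    if ($out -match 'pending') {
        Write-Host "Request $id is pending CA approval. After approval run: Complete-Request $id; Test-MomCert (Get-LocalFqdn)"
        return $false
    }
    return $true
}

# Step 5 (pending path) and step 6: pull down the approved certificate by
# RequestId if needed, then accept it into the Local Computer Personal store.
function Complete-Request($RequestId) {
    if ($RequestId) {
        certreq -Retrieve -f -config $CaConfig $RequestId $CerFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certreq -Retrieve failed with exit code $LASTEXITCODE" }
    }
    certreq -Accept $CerFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -Accept failed with exit code $LASTEXITCODE" }
}

# Checks before MOMCertImport.exe: correct store, private key present, both
# EKUs present, and a chain that verifies with CDP/AIA URLs fetched from here.
function Test-MomCert($Fqdn) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key (was MachineKeySet=TRUE used?)" }
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($required in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($oids -notcontains $required) { throw "Certificate lacks EKU $required" }
    }
    certutil -verify -urlfetch $CerFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Chain or revocation check failed; inspect: certutil -verify -urlfetch $CerFile" }
    Write-Host "OK: $($cert.Thumbprint) is in LocalMachine\My and ready for MOMCertImport.exe"
}

$fqdn = Get-LocalFqdn
New-RequestInf $fqdn
if (Submit-Request) {
    Complete-Request $null
    Test-MomCert $fqdn
}
```

When the CA is set to pending, rerun only the last two functions with the RequestId the script printed. The `certutil -verify -urlfetch` step is the one to run from the DMZ machine itself: a chain that validates on the domain side can still fail there if the CRL distribution point is not reachable through the firewall.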
On Wednesday, May 14, 2008 3:21 AM
Muson wrote:
Thanks Lincoln
Now everything works great.
--
Muson
On Wednesday, March 11, 2009 12:16 PM
Chris C wrote:
SCOM certificates in a DMZ
Hello
I have a similar situation in that I have SCOM 2007 sp1 installed in Domain. I also have Stand-alone Certificate authority in the same domain but on a 2003 Enterprise server. I want to monitor a single server in DMZ (workgroup). My problem is due to firewall restrictions this server is unable to access the CA to request a certificate. Is there another way to request a client/server certificate for the isolated server and install it?
On Friday, November 13, 2009 11:10 AM
Avraham Eisen wrote:
Receiving error when following your steps
We have the same circumstances (a 2003 Gateway server and a 2008 Certificates Server)
When following your second step (CertReq -New -f RequestConfig.inf CertRequest.req) I receive the following error message:
Certificate Request Processor: Expected INF file section name 0x0000000 (INF: -536870912) RequestConfig.inf
I appreciate any help you can give me