Create your own offline Certificate Request for SCOM Off-Domain Server

Category: troubleshooting, guides


In the example below we assume your machine is named IIS-2019.

Create a new file on your machine and name it:

IIS-2019-CertReq.inf

Edit the file to include something similar to the following:

[NewRequest]
Subject="CN=IIS-2019,OU=Servers,O=Support Team,L=Charlotte,S=North Carolina,C=US"
Exportable=TRUE ; Private key is exportable
KeyLength=2048
KeySpec=1 ; Key Exchange – Required for encryption
KeyUsage=0xf0 ; Digital Signature, Key Encipherment
MachineKeySet=TRUE

; Optionally include the Certificate Template
; [RequestAttributes]
; CertificateTemplate="OperationsManager"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2  ; Client Authentication

[Extensions]
2.5.29.17 = "{text}" ; SAN - Subject Alternative Name
_continue_ = "dns=IIS-2019.contoso.com&"

Open an Administrator Command Prompt and navigate to where you saved the above file.
Run the following:

Certreq -New -f IIS-2019-CertReq.inf IIS-2019-CertRequest.req

Upload the above (IIS-2019-CertRequest.req) file to your Certificate Authority.

Once you receive the signed certificate back, import it into the Local Computer Personal certificate store (Certificates - Local Computer > Personal), which you can open with:

certlm.msc

On a side note: if you run the SCOM Certificate Checker script above and it shows output that looks like this:
[Screenshot: Certificate Checker Script Missing Private Key]

You may also notice that the Private Key for the Certificate is missing:
[Screenshot: Certificate Private Key Missing]

In that case you may need to run the following command in an Administrator Command Prompt to restore the KeySpec and re-associate the Private Key (replace the value after "my" with the serial number of your certificate):

certutil -repairstore my 1f00000008c694dac94bcfdc4a000000000008

[Screenshot: certutil Repair Store - Command Output]

After you run the certutil command above, you will notice the Certificate now shows a Private Key (notice the key icon):
[Screenshot: Certificate Private Key Present]

You should now see this when you run the SCOM Certificate Checker PowerShell script:
[Screenshot: Certificate Checker Script Successful]

Now you just need to import the Certificate with MOMCertImport (located on the SCOM Installation Media):
[Screenshot: MOMCertImport Location]

Right-click MOMCertImport, run it as Administrator, and select the certificate you imported:
[Screenshot: Confirm Certificate in MOMCertImport]
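As an added example (not the author's script and not the SCOM Certificate Checker referenced above), the following PowerShell builds the same INF for a given host, submits it to certreq, and then verifies the imported certificate the way a checker would, including the missing-private-key case fixed with certutil above. The host name, FQDN, output paths and the Support Team subject fields are assumptions carried over from the example.

```powershell
# Added example, not the author's script or the SCOM Certificate Checker:
# build the INF from the post above, submit it to certreq, then verify the imported cert.
$ComputerName = 'IIS-2019'              # assumption: NetBIOS name of the off-domain server
$Fqdn         = 'IIS-2019.contoso.com'  # assumption: DNS name SCOM will use to reach it

function New-ScomCertRequest {
    # Writes the INF (same settings as in the post) and returns the .req path.
    $inf = "$PWD\$ComputerName-CertReq.inf"; $req = "$PWD\$ComputerName-CertRequest.req"
    @"
[NewRequest]
Subject="CN=$ComputerName,OU=Servers,O=Support Team,L=Charlotte,S=North Carolina,C=US"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path $inf -Encoding ASCII
    & certreq.exe -New -f $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
    return $req
}

function Test-ScomCertificate {
    # Check the imported cert in Cert:\LocalMachine\My for what SCOM needs; suggest the repair if the key is missing.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "^CN=$([regex]::Escape($ComputerName))(,|$)" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$ComputerName in LocalMachine\My" }
    $eku    = $cert.EnhancedKeyUsageList.ObjectId
    $checks = [ordered]@{
        'Private key present'    = $cert.HasPrivateKey
        'RSA key length 2048'    = $cert.PublicKey.Key.KeySize -eq 2048
        'Server Authentication'  = $eku -contains '1.3.6.1.5.5.7.3.1'
        'Client Authentication'  = $eku -contains '1.3.6.1.5.5.7.3.2'
        'SAN contains FQDN'      = $cert.DnsNameList.Unicode -contains $Fqdn
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-23} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Key not associated; run elevated: certutil -repairstore my $($cert.SerialNumber)"
    }
    return $cert
}
```

Run New-ScomCertRequest before submitting the .req to your CA, and Test-ScomCertificate after importing the signed certificate with certlm.msc and before running MOMCertImport.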

About Blake Drumm

I like to collaborate and work on projects. My skills with PowerShell allow me to quickly develop automated solutions to suit my customers' needs and my own.

Email : bdrummtelco@gmail.com

Website : https://blakedrumm.com

This is the personal technical blog of Blake Drumm, currently focused primarily on Microsoft System Center Enterprise Management products. I am a Microsoft Support Engineer on the System Center North America Support Team. I am new to blogging, but this seems like a good time to start. July 6th, 2021 marks my first day as a Microsoft FTE, converting from a contractor. I had been working as a contractor since January 2020 (1 year, 5 months, 22 days)!
