Gateways and agents in untrusted domains/workgroups

If you have agents in an untrusted domain/forest or workgroup you will have to install certificates in the environment and either manage the agents through a gateway (minimal number of certs) or install certs on the agents directly (many more certs).  There are many places where the process of setting this up is documented in detail - for OpsMgr SP1 the place for documentation is https://technet.microsoft.com/en-us/library/bb735408(TechNet.10).aspx

But, all of the documentation discusses a series of steps that need to be performed manually on the management server host and the gateway/agents connecting to the management server.  While not difficult, the steps can be time consuming and there is notable opportunity for error.

In short, the process for installing a gateway/agent using certs is as follows:

Agents:
--------
Management Server
-Request and install a certificate from the CA
-Request and install the trusted cert from the CA
-Use MOMCertImport to install the certificate for use by the OpsMgr management server

Agent
-Install the agent software on the managed system
-Request and install a certificate from the CA
-Request and install the trusted cert from the CA
-Use MOMCertImport to install the certificate for use by the OpsMgr agent

Gateways:
-----------
Management Server
-Request and install a certificate from the CA
-Request and install the trusted cert from the CA
-Use MOMCertImport to install the certificate for use by the OpsMgr management server
-Run the gateway approval tool BEFORE INSTALLING THE GATEWAY

Gateway
-Install the gateway on the target system
-Request and install a certificate from the CA
-Request and install the trusted cert from the CA
-Use MOMCertImport to install the certificate for use by the OpsMgr agent

The key part of this process is to ensure certificates are correctly requested and imported into the local certificate store(s).  This is where much time can be consumed and errors made.  To assist with this the OpsMgr product team pulled together a simple script that automates the process. 

@echo off
if {%1} equ {/?} goto USAGE
if {%1} equ {-?} goto USAGE
if {%1} equ {?} goto USAGE
if {%1} equ {} goto USAGE

rem Edit this value to match the CA host and CA name in your environment
set caconfig=cahost.contoso.com\CorpCA

set subjectname=%1
set certpath=%systemdrive%\OMCertificates

rem Working folder for the request and certificate files (ignore "already exists")
mkdir %certpath% 2>nul

rem Get the CA's cert
certutil -f -config %caconfig% -ca.cert %certpath%\CACertificate.cer

rem Move the CA's cert to the "Trusted Root Authorities" store
certutil -f -addstore Root %certpath%\CACertificate.cer

rem Create an INF request file with the specified subjectname
rem (the CN must be the FQDN of the machine the cert is for)
del %certpath%\RequestConfig.inf 2>nul
echo [NewRequest] > %certpath%\RequestConfig.inf
echo Subject="CN=%subjectname%" >> %certpath%\RequestConfig.inf
echo Exportable=TRUE >> %certpath%\RequestConfig.inf
echo KeyLength=1024 >> %certpath%\RequestConfig.inf
echo KeySpec=1 >> %certpath%\RequestConfig.inf
rem KeyUsage 0xf0 = DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment
echo KeyUsage=0xf0 >> %certpath%\RequestConfig.inf
echo MachineKeySet=TRUE >> %certpath%\RequestConfig.inf
rem OpsMgr needs both the Server Authentication and Client Authentication EKUs
echo [EnhancedKeyUsageExtension] >> %certpath%\RequestConfig.inf
echo OID=1.3.6.1.5.5.7.3.1 >> %certpath%\RequestConfig.inf
echo OID=1.3.6.1.5.5.7.3.2 >> %certpath%\RequestConfig.inf

rem Create a binary request file from the INF
del %certpath%\BinaryRequest.req 2>nul
CertReq -New -f %certpath%\RequestConfig.inf %certpath%\BinaryRequest.req

rem Submit the request to our CA and save the certificate
CertReq -Submit -f -config "%caconfig%" %certpath%\BinaryRequest.req %certpath%\NewCertificate.cer

rem This step is needed to import the private key. It also puts the certificate in the local computer Personal store.
certreq -accept %certpath%\NewCertificate.cer

goto END

:USAGE
echo.
echo GetCert.cmd FQDN_of_machine
echo Example: GetCert.cmd Computer01.Contoso.com
echo Gets and installs a cert from CA cahost.contoso.com (CorpCA) appropriate for OMv3, and also gets and installs CA cert so this CA is trusted.
echo.

:END

Make sure you edit the script to reflect the name of the server in your environment that hosts the CA along with the name of your CA.  From there all you have to do is run the script with the FQDN of the system requesting the certs and the process is completely automated.  This does require that the CA be set to auto-approve certificate requests, and the script is designed for a standalone root CA.  The script needs to be run twice: once on the management server requesting its cert (this only needs to be done once per management server, so skip it if it has already been run there) and once on each gateway/agent that will be requesting a cert.  After that, just run MOMCertImport and everything should be operational!
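Before running MOMCertImport it is worth confirming that the certificate the script installed actually has what OpsMgr needs (private key present, both EKUs, the right key usage, and a chain to the CA cert placed in Trusted Root).  The following PowerShell check is an added example, not part of the original post or the product team script; it assumes the cert landed in the local computer Personal store with CN equal to the FQDN you passed to GetCert.cmd, and it skips revocation checking because the standalone root CA in this setup is not assumed to publish a CRL.

```powershell
# Added example (not from the original post): verify the certificate that
# GetCert.cmd installed before handing it to MOMCertImport.
# Assumes the cert is in LocalMachine\My with CN = the machine FQDN.
param([Parameter(Mandatory=$true)][string]$Fqdn)

$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'

# Pick the most recently issued cert whose subject CN matches the FQDN
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Fqdn in LocalMachine\My" }

$problems = @()

# The private key must have been imported (certreq -accept does this)
if (-not $cert.HasPrivateKey) { $problems += 'private key is missing' }

# EKU must contain both Server Authentication and Client Authentication
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @()
if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
foreach ($oid in $serverAuth, $clientAuth) {
    if ($ekuOids -notcontains $oid) { $problems += "EKU $oid is missing" }
}

# Key usage must include DigitalSignature and KeyEncipherment (both part of 0xf0)
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
if (-not $ku -or (($ku.KeyUsages -band $wanted) -ne $wanted)) {
    $problems += 'key usage lacks DigitalSignature/KeyEncipherment'
}

# The chain must build to a root this machine trusts (the CA cert from step 1)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # standalone root CA, no CRL assumed
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "chain does not build: $status"
}

if ($problems.Count) {
    Write-Host "Certificate $($cert.Thumbprint) is NOT usable for OpsMgr:" -ForegroundColor Red
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
Write-Host "Certificate $($cert.Thumbprint) passes the OpsMgr checks; run MOMCertImport."
```

Run it on each management server, gateway and agent after GetCert.cmd; a non-zero exit means MOMCertImport would be pointed at a cert that the OpsMgr health service will reject.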

Additional information available at the OpsMgr product team blog - https://blogs.technet.com/momteam/archive/2008/06/02/obtaining-certificates-for-ops-mgr.aspx