Installing SCOM agents on non-domain servers can be a real time-consuming affair, especially the create-template, request, export and import-certificate procedure.
I decided to use my basic certificate and CertReq knowledge to create this little script that helps me automate the whole thing.
NOTE: This is meant for inspiration only. It will for the most part not work in your environment unless you heavily modify it.
Basically it requests a new certificate from your CA server, based on a predefined template.
It then submits the request, accepts the issued certificate into the local machine store, and exports it again, so you are left with the *.pfx certificate file with the private key that the SCOM agent on the non-domain server needs to authenticate to the rest of the SCOM environment.
In the end, the certificate can be copied to the non-domain server and imported using MOMCertImport, found in the SupportTools folder of the SCOM agent installation media. Because the script exports the PFX with "nochain", the non-domain server must also trust the issuing CA's root and intermediate certificates, or the agent will not be able to build the chain.
```powershell
# Prompt for the PFX export password instead of hard-coding it in the script
$password    = Read-Host -Prompt "Enter PFX password" -AsSecureString
$pfxPassword = [System.Net.NetworkCredential]::new('', $password).Password   # certutil -p needs plaintext
$server      = Read-Host -Prompt "Enter FQDN for DMZ Server"
$CERTPATH    = "C:\SCOMCerts\"                             # location you want to save the certificate to (keep the trailing backslash)
$CASERVER    = "CAserver.domain.net\Issuing CA1 example"   # CA config string: <CA host FQDN>\<CA common name>
Write-Host "Variables set. Continue to create .inf" -ForegroundColor Green

Write-Host "Generating Certificate INF File..."
$certinf = @"
;---------------CertificateRequestTemplate.inf--------------
[NewRequest]
Subject="CN=$server"
Exportable=TRUE
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
ProviderName="Your Provider"
[RequestAttributes]
CertificateTemplate=CA Template Name
"@
Set-Content -Path "$CERTPATH$server.inf" -Value $certinf   # overwrite rather than append (>>) on reruns
Write-Host ".inf created. Continue to create .req file" -ForegroundColor Green

CertReq.exe -new "$CERTPATH$server.inf" "$CERTPATH$server.req"
Write-Host ".req created. Checking to see if files exist" -ForegroundColor Green
if (Test-Path "$CERTPATH$server.inf") {
    Write-Host "$CERTPATH$server.inf successfully generated." -ForegroundColor Green
} else {
    throw "$CERTPATH$server.inf could not be found. Check for errors."
}
if (Test-Path "$CERTPATH$server.req") {
    Write-Host "$CERTPATH$server.req successfully generated." -ForegroundColor Green
} else {
    throw "$CERTPATH$server.req could not be found. Check for errors."
}

Write-Host "Submitting new Certificate for $server"
# If the template requires CA certificate manager approval, the request stays pending and no .cer is
# written; approve it on the CA and fetch it with certreq -retrieve instead
CertReq.exe -Submit -config $CASERVER "$CERTPATH$server.req" "$CERTPATH$server.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

Write-Host "Importing .cer"
# Binds the issued certificate to the private key generated in the machine store (MachineKeySet=TRUE)
CertReq.exe -accept "$CERTPATH$server.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
Write-Host "All OK. Continue" -ForegroundColor Green

#Exporting certificate with Private Key
# "nochain" leaves the CA certificates out of the PFX, so the chain must be trusted separately on the target
Write-Host "Exporting certificate with private key"
certutil -exportpfx -p $pfxPassword my "$server" "$CERTPATH$server.pfx" "nochain"
if ($LASTEXITCODE -ne 0) { throw "certutil -exportpfx failed with exit code $LASTEXITCODE" }

#Cleaning: move the request artefacts out of the way, leaving only the .pfx in $CERTPATH
$oldDir = Join-Path $CERTPATH 'old'
New-Item -ItemType Directory -Path $oldDir -Force | Out-Null
Move-Item -Path "$CERTPATH*.cer", "$CERTPATH*.inf", "$CERTPATH*.req" -Destination $oldDir
```
And there you have it. A task that normally took 10-20 minutes is now done in 10-20 seconds.
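Two checks I would put around that script, as an added example that is not part of the original post: on the management side, validate the exported .pfx against what a SCOM agent certificate needs (private key present, CN equal to the FQDN, Server and Client Authentication EKUs, digital signature and key encipherment key usages, RSA 2048 or longer, in validity) before copying it anywhere; and on the non-domain server, after MOMCertImport, confirm that the registry value it writes actually refers to the certificate in the machine store. The path C:\SCOMCerts\dmz01.example.net.pfx and the FQDN dmz01.example.net are placeholders, and the reversed-byte-order comparison against the registry is my own understanding of MOMCertImport, not something the post states.

```powershell
# Added example, not part of the original script. Placeholders: C:\SCOMCerts\dmz01.example.net.pfx,
# dmz01.example.net. Run the first function where the PFX was exported, the second on the DMZ server.

function Test-ScomAgentCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    # Load the PFX in memory only; EphemeralKeySet needs .NET Framework 4.7.2+ or PowerShell 7
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)

    # Pull the EKU OIDs and the key usage flags out of the extensions
    $eku      = @()
    $keyUsage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $eku = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
            $keyUsage = $ext.KeyUsages
        }
    }
    $cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $ku  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $now = Get-Date

    $result = [ordered]@{
        Thumbprint       = $cert.Thumbprint
        HasPrivateKey    = $cert.HasPrivateKey
        SubjectIsFqdn    = ($cn -ieq $ExpectedFqdn)                 # the agent's CN must be the machine FQDN
        ServerAuthEku    = ($eku -contains '1.3.6.1.5.5.7.3.1')
        ClientAuthEku    = ($eku -contains '1.3.6.1.5.5.7.3.2')
        DigitalSignature = (($keyUsage -band $ku::DigitalSignature) -ne 0)
        KeyEncipherment  = (($keyUsage -band $ku::KeyEncipherment) -ne 0)
        KeyLengthOk      = ($null -ne $rsa -and $rsa.KeySize -ge 2048)
        InValidity       = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    }
    # Every boolean above must be true for the PFX to be worth copying to the DMZ server
    $result['AllOk'] = -not ($result.Values | Where-Object { $_ -is [bool] -and -not $_ })
    [pscustomobject]$result
}

function Test-MomCertImportResult {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert    = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $regSerial = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber).ChannelCertificateSerialNumber
    # Assumption: MOMCertImport stores the serial as REG_BINARY in reversed byte order, which is the
    # order GetSerialNumber() returns; verify on your own agent before relying on this comparison
    $certSerial = $cert.GetSerialNumber()
    [pscustomobject]@{
        Thumbprint     = $Thumbprint
        RegistrySerial = ($regSerial  | ForEach-Object { $_.ToString('X2') }) -join ''
        CertSerial     = ($certSerial | ForEach-Object { $_.ToString('X2') }) -join ''
        Match          = (($regSerial -join ',') -eq ($certSerial -join ','))
        HasPrivateKey  = $cert.HasPrivateKey
        AgentService   = (Get-Service -Name HealthService).Status   # Microsoft Monitoring Agent service
    }
}

# Usage (management side):
#   Test-ScomAgentCertificate -PfxPath 'C:\SCOMCerts\dmz01.example.net.pfx' `
#       -Password (Read-Host 'PFX password' -AsSecureString) -ExpectedFqdn 'dmz01.example.net'
# Usage (DMZ server, after MOMCertImport.exe dmz01.example.net.pfx and restarting HealthService):
#   Test-MomCertImportResult -Thumbprint '<thumbprint reported by the first check>'
```

If AllOk is false, fix the template (EKUs and key usage come from it) before re-running the request script; a PFX that passes on the management side but shows Match = $false on the agent usually means MOMCertImport was pointed at a different file or store than the one you exported.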
I also have a script that copies SCOM agent files to the non-domain server, installs the SCOM agent based on bit-architecture, imports the certificate using MOMCertImport.exe and restarts the Microsoft Monitoring Agent, but this was not written by me, and I don’t remember where I found it (or who to credit) – so if you want it, hit me up in the comment section, and I’ll send it to you.
– F