Request Template Certificates using CertReq and Powershell

frank October 6, 2015 No Comments

Installing SCOM agents on non-domain servers can be a real time-consuming affair, especially the Create template-request-export-import-certificates procedure.
I decided to use my basic certificate and CertReq knowlegde to create this little script that helps me automate the whole thing.

NOTE: This is meant for inspiration only. If will for the most part not work in your environment unless you heavily modify it.

Basically it requests a new certificate from your CA server, based on a predefined Template.
It then works some magic, and you are left with the *.pfx certificate file with private key, necessary for the SCOM agent on the non-domain server to communicate with the rest of the SCOM environment.

In the end, the certificate can be copied to the non-domain server, and import it using MOMCertImport found in the SCOM Agent Support Tools folder.

#$password = Read-Host -Prompt "Enter Password" -AsSecureString
$server = read-host -Prompt "Enter FQDN for DMZ Server"

$CERTPATH = "Location you want to save Certificate to"
$CAFQDN = "CAserver.domain.net"
$CASERVER = "CAserver.domaint.netIssuing CA1 example"

write-host "Variables set. Continue to create .inf"  -foregroundcolor green

write-host "Generating Certificate INF File..."
$certinf = @"
;---------------CertificateRequestTemplate.inf--------------
[NewRequest]                                                 
Subject="CN=$server"                                       
Exportable=TRUE                                             
KeySpec=1                                                    
KeyUsage=0xf0                                              
MachineKeySet=TRUE                                           
ProviderName="Your Provider"
[RequestAttributes]
CertificateTemplate=CA Template Name
"@

$certinf >> "$CERTPATH$server.inf"


write-host ".inf created. Continue to create .req file"  -foregroundcolor green

CertReq.exe -new "$CERTPATH$server.inf" "$CERTPATH$server.req"

write-host ".req created. Checking to see of files exist"  -foregroundcolor green

$testinf = Test-Path "$CERTPATH$server.inf"
$testreq = Test-Path "$CERTPATH$server.req"

if ($testinf -eq $true){
write-host "$CERTPATH$server.inf successfully generated." -foregroundcolor green
}
else {
write-host "$CERTPATH$server.inf could not be found. Check for errors." -ForegroundColor Red
break
}
if ($testreq -eq $true){
write-host "$CERTPATH$server.req successfully generated." -foregroundcolor green
}
else {
write-host "$CERTPATH$server.req could not be found. Check for errors." -ForegroundColor Red
break
}

write-host "Submitting new Certificate for $server"

CertReq -Submit -config "CAserver.domaint.netIssuing CA1 example" "$CERTPATH$server.req" "$CERTPATH$server.cer"

write-host "Importing .cer"

certreq -accept "$CERTPATH$server.cer"
write-host "All OK. Continue"  -foregroundcolor green


#Exporting certificate with Private Key
write-host "exporting shit with private key"
certutil -exportpfx -p "YOUR CERTIFICATE PASSWORD" my "$server" "$certpath$server.pfx" "nochain" 

#Cleaning
Move-Item -Path "$CERTPATH*cer","$CERTPATH*inf","$CERTPATH*req" -Destination "$CERTPATHold"

And there you have it. The task that normally was done in 10-20 minutes is now done in 10-20 seconds.
I also have a script that copies SCOM agent files to the non-domain server, installs the SCOM agent based on bit-architechture, imports the certificate using MOMCertImport.exe and restarts the Microsoft Monitoring Agent, but this was not written by me, and I don’t remember where I found it (or who to credit) – so if you want it, hit me up in the comment section, and I’ll send it to you.

– F