How to renew SCOM Gateway Certificate?

Hello, I’m kinda new to SCOM. How do I renew the SCOM certificate for a SCOM Gateway server in a DMZ?

Hi kazi,

I just did this a few months ago for my DMZ gateways. The process is fairly easy. Here is what I have documented.

Create a Setup Information File for the Certificate Request

1. Log in to the gateway server
2. Open Notepad
3. Copy the following text into the Notepad document:

[NewRequest]
Subject="CN=<FQDN>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

4. Replace <FQDN> in the text with the fully-qualified domain name of the gateway server
5. Save the file as RequestConfig.inf
6. Close Notepad

Create a Certificate Request File

1. Open a command prompt as an administrator
2. Navigate to the RequestConfig.inf file created in the previous steps
3. Run the following command to generate the request file: CertReq -New -f RequestConfig.inf CertRequest.req
4. Submit the .req file to the certificate administrator to generate the new certificate

Import the Certificate to the Certificate Store

1. Open a management console (mmc.exe) on the gateway server
2. Click the File menu
3. Click Add/Remove Snap-in…
4. Select Certificates from the column on the left
5. Click Add>
6. Select Computer account
7. Click Next>
8. Select Local computer
9. Click Finish
10. Click OK
11. Expand Certificates in the tree in the column on the left
12. Expand the Personal folder
13. Select the Certificates sub-folder under the Personal folder
14. Right-click the Certificates sub-folder
15. Point to All Tasks
16. Click Import…
17. Click Next>
18. Click Browse…
19. Navigate to the .cer file provided by the certificate administrator
20. Click Open
21. Click Next
22. Verify that the certificate will be placed in the Personal certificate store
23. Click Next
24. Click Finish

Import the Certificate into SCOM

1. Open a Command Prompt as an administrator
2. Navigate to a folder containing the SCOM Certificate Import tool (MOMCertImport.exe). NOTE: This tool can be found on the SCOM installation media if it has not been copied to the server.
3. Run the following command: MOMCertImport.exe /SubjectName <certificate subject name>
4. Close the Command Prompt Window

Before importing the certificate into SCOM, you may want to export and delete the old certificate from the gateway’s certificate store. The subject name on the old expired/expiring certificate will probably be the same as the new one. I think that I had to do that as the import tool was importing the old certificate instead of the new one.

You also may need to restart the HealthService service on the gateway after importing the new certificate. I don’t remember if I did that or not but I think I did.

I hope that helps.

-Steve

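The procedure above, scripted in PowerShell as an added example (not Steve's own code or a SCOM tool): it lists the expiring gateway certificate, writes the same INF with the FQDN filled in, runs certreq, and on the second pass binds the issued certificate, backs up and removes any older certificate with the same subject before MOMCertImport runs, then restarts HealthService. It assumes an elevated session on the gateway, that the CA returns the signed certificate as CertRequest.cer, and the constructed paths C:\Temp\SCOMGwCert and C:\Tools\MOMCertImport.exe; certreq -Accept is used in place of the MMC import wizard.

```powershell
param(
    [ValidateSet('Request','Complete')][string]$Phase = 'Request',
    [string]$WorkDir = 'C:\Temp\SCOMGwCert',             # constructed path
    [string]$MomCertImport = 'C:\Tools\MOMCertImport.exe' # constructed path
)
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
# The gateway cert: LocalMachine\My, subject = the FQDN, EKUs Server + Client
# Authentication (the two OIDs in the INF). Sorted so the last one expires latest.
function Get-GatewayCert {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -eq "CN=$Fqdn" -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
    } | Sort-Object NotAfter
}
if ($Phase -eq 'Request') {
    Get-GatewayCert | Format-Table Thumbprint, NotAfter -AutoSize   # what is expiring
    # Same INF as the post, with <FQDN> filled in
@"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path "$WorkDir\RequestConfig.inf" -Encoding Ascii
    certreq.exe -New -f "$WorkDir\RequestConfig.inf" "$WorkDir\CertRequest.req"
    Write-Host "Send $WorkDir\CertRequest.req to the CA, save the reply as CertRequest.cer, rerun with -Phase Complete"
    return
}
# Phase Complete: bind the issued cert to its pending key (what the MMC import in the post does)
certreq.exe -Accept "$WorkDir\CertRequest.cer"
$certs = @(Get-GatewayCert)
if ($certs.Count -eq 0) { throw "No certificate for CN=$Fqdn in LocalMachine\My" }
$new = $certs[-1]
foreach ($old in $certs | Where-Object Thumbprint -ne $new.Thumbprint) {
    # Same subject as the new cert: back it up and remove it so /SubjectName cannot pick it
    $pw = Read-Host -AsSecureString "PFX password for backup of $($old.Thumbprint)"
    Export-PfxCertificate -Cert $old -FilePath "$WorkDir\old-$($old.Thumbprint).pfx" -Password $pw | Out-Null
    Remove-Item -Path $old.PSPath
}
& $MomCertImport /SubjectName $Fqdn
Restart-Service HealthService
```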