Hello, I’m kinda new to SCOM. How to renew the SCOM certificate for a SCOM Gateway server in the DMZ?
I just did this a few months ago for my DMZ gateways. The process is fairly easy. Here is what I have documented.
Create a Setup Information File for the Certificate Request
1. Log in to the gateway server
2. Open Notepad
3. Copy the following text into the Notepad document:

    [NewRequest]
    Subject="CN=<FQDN>"
    Exportable=TRUE
    KeyLength=2048
    KeySpec=1
    KeyUsage=0xf0
    MachineKeySet=TRUE
    [EnhancedKeyUsageExtension]
    ; Server Authentication
    OID=1.3.6.1.5.5.7.3.1
    ; Client Authentication
    OID=1.3.6.1.5.5.7.3.2

4. Replace <FQDN> in the text with the fully-qualified domain name of the gateway server
5. Save the file as RequestConfig.inf
6. Close Notepad
Create a Certificate Request File
1. Open a command prompt as an administrator
2. Navigate to the RequestConfig.inf file created in the previous steps
3. Run the following command to generate the request file:

    CertReq -New -f RequestConfig.inf CertRequest.req

4. Submit the .req file to the certificate administrator to generate the new certificate
Import the Certificate to the Certificate Store
1. Open a management console (mmc.exe) on the gateway server
2. Click the File menu
3. Click Add/Remove Snap-in…
4. Select Certificates from the column on the left
5. Click Add>
6. Select Computer account
7. Click Next>
8. Select Local computer
9. Click Finish
10. Click OK
11. Expand Certificates in the tree in the column on the left
12. Expand the Personal folder
13. Select the Certificates sub-folder under the Personal folder
14. Right-click the Certificates sub-folder
15. Point to All Tasks
16. Click Import…
17. Click Next>
18. Click Browse…
19. Navigate to the .cer file provided by the certificate administrator
20. Click Open
21. Click Next
22. Verify that the certificate will be placed in the Personal certificate store
23. Click Next
24. Click Finish
Import the Certificate into SCOM
1. Open a Command Prompt as an administrator
2. Navigate to a folder containing the SCOM Certificate Import tool (MOMCertImport.exe)
   NOTE: This tool can be found on the SCOM installation media if it has not been copied to the server.
3. Run the following command:

    MOMCertImport.exe /SubjectName <certificate subject name>

4. Close the Command Prompt window
Before importing the certificate into SCOM, you may want to export and delete the old certificate from the gateway’s certificate store. The subject name on the old expired/expiring certificate will probably be the same as the new one. I think that I had to do that as the import tool was importing the old certificate instead of the new one.
You also may need to restart the HealthService service on the gateway after importing the new certificate. I don’t remember if I did that or not but I think I did.
I hope that helps.
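As an added example (not part of the answer above, and not a Microsoft tool), here is the whole procedure scripted in PowerShell for an elevated prompt on the gateway. It is run twice: the first run writes the .inf and .req files; the second run, once the CA has returned the certificate, binds it to the pending private key, checks the EKUs and private key, backs up and removes the old certificate with the same subject (the gotcha mentioned in the answer), runs MOMCertImport, verifies the serial number SCOM recorded in the registry, and restarts the HealthService. The paths C:\Certs and C:\Tools, the file name gateway.cer, and the use of the bare FQDN as the /SubjectName argument are assumptions for this example.

```powershell
# Added example, not from the original post. Assumes DNS resolves this host's FQDN,
# that the CA-issued certificate is saved as C:\Certs\gateway.cer (assumed name) and
# that MOMCertImport.exe was copied from the SCOM media to C:\Tools (assumed path).

$Fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$WorkDir    = 'C:\Certs'                                # assumed working folder
$InfPath    = Join-Path $WorkDir 'RequestConfig.inf'
$ReqPath    = Join-Path $WorkDir 'CertRequest.req'
$CerPath    = Join-Path $WorkDir 'gateway.cer'          # assumed name of the issued file
$ImportTool = 'C:\Tools\MOMCertImport.exe'              # assumed copy of the SCOM tool
$ServerAuth = '1.3.6.1.5.5.7.3.1'                       # Server Authentication EKU
$ClientAuth = '1.3.6.1.5.5.7.3.2'                       # Client Authentication EKU
$RegPath    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

if (-not (Test-Path $CerPath)) {
    # Phase 1: write the request template from the post with the FQDN filled in and
    # generate the request. The private key is created in the machine store.
    @"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=$ServerAuth
OID=$ClientAuth
"@ | Set-Content -Path $InfPath -Encoding ASCII
    certreq.exe -New -f $InfPath $ReqPath
    Write-Host "Submit $ReqPath to the CA, save the issued certificate as $CerPath and re-run."
    return
}

# Phase 2: accept the issued certificate so it is paired with the pending private key
# (same result as the MMC import in the post, done from the command line).
certreq.exe -Accept -machine $CerPath

# Pick the newest certificate for this subject and check it before touching SCOM.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" }
$new   = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No certificate with subject CN=$Fqdn in LocalMachine\My" }
if (-not $new.HasPrivateKey) { throw "Certificate $($new.Thumbprint) has no private key; was the request generated on this server?" }
$ekus = @($new.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
foreach ($oid in @($ServerAuth, $ClientAuth)) {
    if ($ekus -notcontains $oid) { throw "Certificate $($new.Thumbprint) lacks EKU $oid" }
}
if ($new.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate $($new.Thumbprint) expires $($new.NotAfter); this is not the renewed one" }

# The post's gotcha: /SubjectName matches on the subject, and the old certificate has
# the same one. Back the old certificates up as PFX, then remove them from the store.
foreach ($old in @($certs | Where-Object { $_.Thumbprint -ne $new.Thumbprint })) {
    $backup   = Join-Path $WorkDir "old-$($old.Thumbprint).pfx"
    $password = Read-Host -AsSecureString "PFX password for backup of $($old.Thumbprint)"
    Export-PfxCertificate -Cert $old -FilePath $backup -Password $password | Out-Null
    Remove-Item -Path "Cert:\LocalMachine\My\$($old.Thumbprint)"
}

# Import into SCOM. The bare FQDN is assumed to be what the tool expects for the
# post's <certificate subject name> placeholder.
& $ImportTool /SubjectName $Fqdn
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport failed with exit code $LASTEXITCODE" }

# Check which certificate SCOM now references: MOMCertImport stores the serial number
# in ChannelCertificateSerialNumber with the byte order reversed.
$stored = (Get-ItemProperty -Path $RegPath -Name ChannelCertificateSerialNumber).ChannelCertificateSerialNumber
if (-not $stored) { throw "ChannelCertificateSerialNumber not set under $RegPath" }
[array]::Reverse($stored)
$storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
if ($storedHex -ne $new.SerialNumber) { throw "SCOM references serial $storedHex, expected $($new.SerialNumber)" }

# Restart the agent and look for the "authentication certificate loaded" event.
Restart-Service -Name HealthService
Start-Sleep -Seconds 30
$loaded = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20053; StartTime = (Get-Date).AddMinutes(-5) } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($loaded) { Write-Host "SCOM loaded certificate $($new.Thumbprint) (event 20053)." }
else { Write-Warning "No event 20053 yet; check the Operations Manager event log for certificate errors." }
```

The registry comparison is the quickest way to confirm the answer's concern that the tool may have picked the old certificate: if the serial in ChannelCertificateSerialNumber (reversed) does not match the new certificate's SerialNumber, SCOM is still bound to the old one. Event ID 20053 in the Operations Manager log after the HealthService restart confirms the gateway actually loaded the new certificate.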