How to renew SCOM Gateway Certificate?

Hello, I’m kinda new to SCOM. How to renew the SCOM certificate for a SCOM Gateway server in the DMZ?

Hi kazi,

I just did this a few months ago for my DMZ gateways. The process is fairly easy. Here is what I have documented.

Create a Setup Information File for the Certificate Request

1. Log in to the gateway server
2. Open Notepad
3. Copy the following text into the Notepad document:

[NewRequest]
Subject="CN=<FQDN>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

4. Replace <FQDN> in the text with the fully-qualified domain name of the gateway server
5. Save the file as RequestConfig.inf
6. Close Notepad

Create a Certificate Request File

1. Open a command prompt as an administrator
2. Navigate to the RequestConfig.inf file created in the previous steps
3. Run the following command to generate the request file: CertReq -New -f RequestConfig.inf CertRequest.req
4. Submit the .req file to the certificate administrator to generate the new certificate

Import the Certificate to the Certificate Store

1. Open a management console (mmc.exe) on the gateway server
2. Click the File menu
3. Click Add/Remove Snap-in…
4. Select Certificates from the column on the left
5. Click Add>
6. Select Computer account
7. Click Next>
8. Select Local computer
9. Click Finish
10. Click OK
11. Expand Certificates in the tree in the column on the left
12. Expand the Personal folder
13. Select the Certificates sub-folder under the Personal folder
14. Right-click the Certificates sub-folder
15. Point to All Tasks
16. Click Import…
17. Click Next>
18. Click Browse…
19. Navigate to the .cer file provided by the certificate administrator
20. Click Open
21. Click Next
22. Verify that the certificate will be placed in the Personal certificate store
23. Click Next
24. Click Finish

Import the Certificate into SCOM

1. Open a Command Prompt as an administrator
2. Navigate to a folder containing the SCOM Certificate Import tool (MOMCertImport.exe) NOTE: This tool can be found on the SCOM installation media if it has not been copied to the server.
3. Run the following command: MOMCertImport.exe /SubjectName <certificate subject name>
4. Close the Command Prompt Window

Before importing the certificate into SCOM, you may want to export and delete the old certificate from the gateway’s certificate store. The subject name on the old expired/expiring certificate will probably be the same as the new one. I think that I had to do that as the import tool was importing the old certificate instead of the new one.

You also may need to restart the HealthService service on the gateway after importing the new certificate. I don’t remember if I did that or not but I think I did.

I hope that helps.

-Steve

2 Likes

Is the MOMCertImport.exe tool used to update the certificate on the Management Servers, or is it only used for the Gateway Servers?
Are there any steps required to renew certificates on Management Servers?

Hi Jock,

MOMCertImport.exe is used to update certificates on both gateways and management servers. Certificate requirements may vary a bit between environments due to organizational requirements (e.g. the certificate admins at my organization require the email field to be filled). In my case, the certificates I used on my management servers were the same as those used on my gateways except that the subject FQDN was that of the management server rather than the gateway.

-Steve

1 Like

Apologies for resurrecting this topic but we have an issue where the certificates in the Management Server are issued from a different Sub-CA to the domain where the Gateway Server exists. I don’t think it’s possible to get this working if the certificates are issued from different Sub-CAs.

Any thoughts gratefully received.

Hi Nick,

The SCOM servers need to be able to see that the certificates are valid. If the certificates in the chain for your management and gateway server certificates are added to the trusted root and intermediate stores on your management and gateway servers, I think you will be ok.

The gateways in my DMZ are on different domains from the management servers. The certificates were issued by the root CA (not a sub-CA) for the domain of the management servers. I just added the root CA certificate to the trusted roots store on my gateways and everything works fine.

-Steve
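A pre-import check I use before running MOMCertImport, added here as an example and not part of Steve's posts: it lists every certificate in the machine Personal store whose subject is CN=<FQDN> (so you can spot the old expiring one that shares the subject), confirms the EKUs and key usage from the RequestConfig.inf above, confirms a private key is present, and builds the chain against the local Trusted Root and Intermediate stores, which is exactly what fails when a sub-CA certificate has not been added as Nick describes. It assumes the gateway's FQDN resolves locally; the 30-day expiry warning threshold is my own choice.

```powershell
# Audit LocalMachine\My for SCOM gateway/management server certificates (example, not SCOM code)
param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # EKU OIDs from the RequestConfig.inf in the thread
$clientAuth = '1.3.6.1.5.5.7.3.2'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$kuType  = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" }
if (-not $candidates) { Write-Warning "No certificate with subject CN=$Fqdn in LocalMachine\My"; return }

# Newest first: if more than one shows up, the older one is the expiring cert the import tool may grab
foreach ($cert in ($candidates | Sort-Object NotAfter -Descending)) {
    $problems = @()

    # Enhanced key usage must carry both Server Authentication and Client Authentication
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
    if ($eku -notcontains $serverAuth) { $problems += 'missing Server Authentication EKU' }
    if ($eku -notcontains $clientAuth) { $problems += 'missing Client Authentication EKU' }

    # KeyUsage=0xf0 in the INF includes DigitalSignature and KeyEncipherment; check those two
    $ku = $cert.Extensions | Where-Object { $_ -is $kuType }
    if ($ku -and -not ($ku.KeyUsages.HasFlag($kuFlags::DigitalSignature) -and
                       $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment))) {
        $problems += 'key usage lacks DigitalSignature/KeyEncipherment'
    }

    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the machine store (MachineKeySet=TRUE?)' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }

    # Chain must build from the local Trusted Root / Intermediate CA stores (the sub-CA case)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # DMZ hosts often cannot reach the CRL; trust is what we test here
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build: $status"
    }

    $state = if ($problems) { 'NOT USABLE' } else { 'OK' }
    '{0}  thumbprint={1}  serial={2}  notAfter={3}' -f $state, $cert.Thumbprint, $cert.SerialNumber, $cert.NotAfter
    $problems | ForEach-Object { "    - $_" }
}
```

Run it on the gateway and on each management server; a "chain does not build" line points at a missing root or intermediate CA certificate in the local stores, and two OK lines with the same subject mean the old certificate should be exported and removed before MOMCertImport is run, as Steve notes above.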