Create a SCOM Certificate Template

System Center Operations Manager (OpsMgr, or SCOM for short) is a tool that plays a key role in maintaining the health of an organization's entire Windows infrastructure. IT teams use it to monitor health and performance, send configurations, apply OS and app patches, and run scripts on SCOM agents to keep the infrastructure healthy. To make use of SCOM services, all workstations and servers must be connected and reporting to the SCOM servers. SCOM can manage domain workstations and domain servers using the default Kerberos protocol over network ports 5723 and 5724. But how will SCOM manage workgroup computers and machines in a domain that doesn’t trust Ops Manager? This is why SCOM needs digital certificates to manage untrusted SCOM clients. SCOM can manage untrusted clients once certificates are imported on both the Gateway or Management Server and the client machine that is not joined to the domain. This requires creating a specific certificate template on the internal CA server to issue the certificates for SCOM clients, the management server, and gateways. So, we have created a detailed step-by-step procedure to create a SCOM certificate template in this post.

Follow this procedure to create a SCOM certificate template on the internal CA servers.

Time needed: 10 minutes.

How to Create a SCOM Certificate Template?

  1. Open Certificate Authority

    Issue the ‘certsrv’ command on the CLI.
    Open certificate authority utility

  2. Open certificate management template

    Right click on the ‘Certificate Template’.
    Manage Certificate Template

  3. Create a duplicate template from “Ipsec offline request” template


    Create a duplicate template from “Ipsec offline request” template

  4. General settings on SCOM certificate template

    Fill the Template Name, Validity, and Renewal Period in the general setting tab

    General settings on SCOM certificate template

  5. Compatibility settings on SCOM certificate template

    Choose ‘Windows Server 2003’ in the ‘Certification Authority’ dropdown and ‘Windows XP / Server 2003’ in the ‘Certificate recipient’ dropdown.

    Compatibility settings on SCOM certificate template

  6. Request Handling settings on SCOM certificate template

    Set the Purpose to ‘Signature and Encryption’ and check ‘Allow private key to be exported’.

    Request Handling settings on SCOM certificate template

  7. Cryptography settings on SCOM certificate template

    Set these three settings in the cryptography settings tab.

    Provider Category: Legacy Cryptography Service Provider
    Algorithm name: Determined by CSP
    Minimum Key Size: 1024 or 2048 as per Organisation security requirement.

    Select ‘Request must use one of the following providers’.
    Click on ‘Microsoft RSA SChannel Cryptographic Provider’.


    Cryptography settings on SCOM certificate template

  8. Key Attestation settings on SCOM certificate template

    The Key Attestation tab should look like the one below

    Key Attestation settings on SCOM certificate template

  9. Server settings on SCOM certificate template

    It should be like this

    Server settings on SCOM certificate template

  10. Application Policies settings on SCOM certificate template

    Edit the ‘Application Policies‘. Add the Server Authentication and Client Authentication Policies to the Application Policy.

    Application Policy in SCOM certificate template

  11. Application policy in Extension settings on SCOM certificate template

    Application policy should look like this

    Extension settings on SCOM certificate template

  12. Basic Constraints in Extension settings on SCOM certificate template

    Take a look at the Basic Constraints in Extension settings

    Basic Constraints in Extension settings on SCOM certificate template

  13. Issuance policy in Extension settings on SCOM certificate template

    See the Issuance policy in Extension settings below

    Issuance policy in Extension settings on SCOM certificate template

  14. Key usage in Extension settings on SCOM certificate template

    Edit ‘Key Usage’.
    Select ‘Digital Signature’ under the signature.
    Select ‘Allow key exchange only with key encryption’.
    Select ‘Make this extension critical’.

    Key usage in Extension settings on SCOM certificate template

  15. Subject Name settings on SCOM certificate template

    Select ‘Supply in the request’.

    Subject Name settings on SCOM certificate template

  16. Issuance requirements settings on SCOM certificate template

    Your Issuance requirements should be like this

    Issuance requirements settings on SCOM certificate template

  17. Publish the certificate template

    After creating the certificate template, publish it.
    1. Right-click on ‘Certificate Templates’.
    2. Click ‘New’.
    3. Click ‘Certificate Template to Issue’.
    Publish SCOM Certificate Template
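
The settings chosen in the GUI steps above are stored on the template object in Active Directory, so they can be read back and compared with the post. This is an added example, not code from the original post; the template name `SCOMCertTemplate` is a hypothetical placeholder, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: read the new template back from Active Directory and compare
# it with the values chosen in the steps above. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$TemplateName = 'SCOMCertTemplate'   # hypothetical: use the name entered in step 4

$configNC = (Get-ADRootDSE).configurationNamingContext
$base   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$filter = "(|(cn=$TemplateName)(displayName=$TemplateName))"
$props  = 'pKIExtendedKeyUsage', 'pKIDefaultCSPs', 'pKIKeyUsage',
          'msPKI-Minimal-Key-Size', 'msPKI-Private-Key-Flag',
          'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
$t = Get-ADObject -SearchBase $base -LDAPFilter $filter -Properties $props
if (-not $t) { throw "Template '$TemplateName' not found under $base" }

$eku        = @($t.pKIExtendedKeyUsage)
$ku         = @($t.pKIKeyUsage | ForEach-Object { $_ })   # flatten to a byte list
$serverAuth = $eku -contains '1.3.6.1.5.5.7.3.1'
$clientAuth = $eku -contains '1.3.6.1.5.5.7.3.2'
$csp        = @($t.pKIDefaultCSPs) -join '; '
$keySize    = $t.'msPKI-Minimal-Key-Size'
# Flag bits: CT_FLAG_EXPORTABLE_KEY, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
# CT_FLAG_PEND_ALL_REQUESTS
$exportable = [bool]($t.'msPKI-Private-Key-Flag' -band 0x10)
$supplySubj = [bool]($t.'msPKI-Certificate-Name-Flag' -band 0x1)
$approval   = [bool]($t.'msPKI-Enrollment-Flag' -band 0x2)

function Row($Setting, $Actual, $Ok) {
    [pscustomobject]@{ Setting = $Setting; Actual = "$Actual"; AsInPost = $Ok }
}

$report = @(
    Row 'Server Authentication EKU (step 10)' $serverAuth $serverAuth
    Row 'Client Authentication EKU (step 10)' $clientAuth $clientAuth
    Row 'SChannel provider (step 7)' $csp ($csp -match 'Microsoft RSA SChannel Cryptographic Provider')
    Row 'Minimum key size (step 7)' $keySize ($keySize -in 1024, 2048)
    Row 'Private key exportable (step 6)' $exportable $exportable
    Row 'Key usage: signature + key encipherment (step 14)' ('0x{0:X2}' -f $ku[0]) ($ku[0] -eq 0xA0)
    Row 'Subject supplied in request (step 15)' $supplySubj $supplySubj
    Row 'CA manager approval required (step 16)' $approval 'n/a'
)
$report | Format-Table -AutoSize
```

Because the template lets the requester supply the subject name and includes the Client Authentication policy, review the approval row and who holds Enroll permission on the template before publishing it.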

Once you have created a SCOM certificate template, create a certificate signing request (CSR) from a SCOM client computer, submit the CSR, and get it signed by your internal PKI server. After you get the certificate, check that the private key is exported along with the certificate, as shown here.
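
One way to carry out the request described above with `certreq`, using request values that mirror the template settings from steps 6, 7, 10, 14 and 15. This is an added example, not part of the original post; the FQDN, template name and CA config string are constructed placeholders.

```powershell
# Added example: build a CSR on the SCOM client that matches the template,
# have the internal CA sign it, then confirm the private key is present.
$Fqdn         = 'agent01.example.com'   # constructed: FQDN of the SCOM client
$TemplateName = 'SCOMCertTemplate'      # hypothetical: template name (CN, not display name)
$CaConfig     = 'CAHOST\CA-NAME'        # placeholder: <CA server>\<CA name>

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = "$TemplateName"
"@
# KeySpec 1 = key exchange; KeyUsage 0xa0 = digital signature + key encipherment
Set-Content -Path .\scom.inf -Value $inf -Encoding ASCII

certreq -new .\scom.inf .\scom.req                       # on the SCOM client
certreq -submit -config $CaConfig .\scom.req .\scom.cer  # where the CA is reachable
certreq -accept .\scom.cer                               # back on the SCOM client

# The installed certificate should have its private key and both EKUs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
[pscustomobject]@{
    Subject       = $cert.Subject
    HasPrivateKey = $cert.HasPrivateKey
    EKUs          = $cert.EnhancedKeyUsageList.ObjectId -join ', '
    NotAfter      = $cert.NotAfter
}
```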

Thanks for reading the post. Please share the post with those who are struggling to create a SCOM certificate template on their internal CA server.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
