Install Root Certificate Authority (Standalone) Windows Server 2016, Create SCOM Certificate Template

On the server where you want to install the Certificate Authority role:

PowerShell (as Administrator):

Get-WindowsFeature | Out-GridView -PassThru | Add-WindowsFeature -Verbose

*Did you know:
You can highlight specific text to execute, then press F8. This will execute only the highlighted text.
You can place the cursor anywhere on any line, press F8, and the entire line will be executed.

Your results should look similar to below.

Verify that the features appear as below:

Get-WindowsFeature | Where Name -Like *adcs*

You will be prompted to configure the Certificate Services

Open Certification Authority from Server Manager

Test the web enrollment site…


Make sure you have an appropriate template for use with SCOM clients

Find the Computer template, right click it and select Duplicate Template.
(I borrowed a few of these screenshots and text from BILLY YORK. Saved me a bit of copy/paste.)

In the Properties of New Template dialog, on the Compatibility tab, make sure Show Resulting changes is checked, Certification Authority is Windows Server 2003, and Certificate Recipient is Windows XP/Server 2003.

Under the General tab, give the Template a Name and set the Validity period to something appropriate for your use.

On the Request Handling tab, make sure Purpose is set to Signature and encryption and check Allow private keys to be exported.

On the Cryptography tab check Microsoft Enhanced Cryptographic Provider 1.0 and Microsoft RSA SChannel Cryptographic Provider.

On the Authentication tab, give Authenticated Users the Enroll permission.

On the Extensions tab, under Application Policies make sure Client Authentication and Server Authentication are there.

On Key Usage make sure Digital Signature is checked.

On the Subject Name tab, select Supply in the request.

Click Apply and OK to save the template.

Next, right click on the Certificate Template and select New -> Certificate Template to Issue

Then select our newly created SCOM Client Cert.

Template now appears in the web enrollment dropdown list.
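
An added check, not part of the original post: the template built above lets the requester supply the subject name, includes Client Authentication, and gives Enroll to Authenticated Users, so it is worth auditing which templates carry that combination without CA manager approval. The sample objects are constructed, and Get-TemplateFinding and the EnrollPrincipals property are hypothetical names; the msPKI-* attributes and flag bits are the ones Active Directory stores on certificate template objects.

```powershell
# Template flag bits as defined in MS-CRTD (stored on the AD template object).
$SuppliesSubjectFlag = 0x1   # msPKI-Certificate-Name-Flag: requester supplies subject
$PendAllRequestsFlag = 0x2   # msPKI-Enrollment-Flag: CA manager approval required
$ExportableKeyFlag   = 0x10  # msPKI-Private-Key-Flag: private key may be exported
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'
$BroadGroups         = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

# Get-TemplateFinding is a hypothetical helper name, not a built-in cmdlet.
function Get-TemplateFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] $Template)
    process {
        $subject  = [bool]($Template.'msPKI-Certificate-Name-Flag' -band $SuppliesSubjectFlag)
        $approval = [bool]($Template.'msPKI-Enrollment-Flag' -band $PendAllRequestsFlag) -or
                    ($Template.'msPKI-RA-Signature' -gt 0)
        $client   = $Template.pKIExtendedKeyUsage -contains $ClientAuthOid
        # EnrollPrincipals (assumed property): names holding Enroll in the template ACL.
        $broad    = @($Template.EnrollPrincipals | Where-Object { $BroadGroups -contains $_ })
        [pscustomobject]@{
            Template         = $Template.Name
            SuppliesSubject  = $subject
            ClientAuth       = $client
            ApprovalRequired = $approval
            BroadEnroll      = $broad -join ', '
            ExportableKey    = [bool]($Template.'msPKI-Private-Key-Flag' -band $ExportableKeyFlag)
            NeedsReview      = $subject -and $client -and (-not $approval) -and ($broad.Count -gt 0)
        }
    }
}

# Constructed sample data. The first entry mirrors the settings chosen on this page;
# approval and RA-signature values are assumed because the page does not set them.
$templates = @(
    [pscustomobject]@{
        Name = 'SCOM Client Cert'; EnrollPrincipals = 'Authenticated Users'
        'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x0
        'msPKI-RA-Signature' = 0; 'msPKI-Private-Key-Flag' = 0x10
        pKIExtendedKeyUsage = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1'
    }
    [pscustomobject]@{
        Name = 'SCOM Client Cert (approval)'; EnrollPrincipals = 'Authenticated Users'
        'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x2
        'msPKI-RA-Signature' = 0; 'msPKI-Private-Key-Flag' = 0x0
        pKIExtendedKeyUsage = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1'
    }
)
$templates | Get-TemplateFinding | Format-Table -AutoSize
```

Requiring CA certificate manager approval on the template, or granting Enroll to a dedicated group of SCOM hosts instead of Authenticated Users, clears the NeedsReview condition.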
