Scenario
- You have a computer that is monitored using System Center Operations Manager (SCOM).
- This computer is located outside of your normal AD structure, and as such is relying on certificate authentication. It could be located in:
  - The cloud
  - A DMZ
  - A disjoint domain
  - All of the above
  - A super secret location with way too many firewalls
- The certificate or part of the certificate chain has expired and needs replacing
- You are unable to run the MOMCertimport.exe tool that registers the certificate with the SCOM agent.
Solution
Note: I will assume that you have already created and installed a valid certificate on the computer in the correct way. In short:
- Into the local computer certificate store
- Including all root and intermediate certificates needed
- And the private key for the certificate
Now, to make use of said certificate we would normally run MOMCertimport.exe. It is a tool located on the SCOM installation media, written for the express purpose of telling the SCOM agent which certificate to use when communicating with the rest of the SCOM infrastructure, usually a gateway server. But maybe you do not have access to it? Or maybe, just maybe, the computer in question is considered so secure that getting approval to run a tool like that will take weeks or even months?
Regedit to the rescue!
You will need the following information:
- The certificate thumbprint
- The certificate serial number
Action plan
If any details of this plan are unclear or confusing to you, seek assistance before you start.
- Open regedit
- Navigate to HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings
- Look for the ChannelCertificateSerialNumber value. If it does not exist, create it as a binary value.
- Input the binary value with the byte order reversed. That is, if your serial number is AF 3C 56, input 56 3C AF. Each pair of hex digits represents one byte; do not reverse the digits within a byte, only the order of the bytes as shown above.
- Double check the numbers
- Look for the ChannelCertificateHash value. If it does not exist, create it as a string value.
- Input the certificate thumbprint into this field. This time, do not reverse the bytes. Also, remove any spaces. That is, input 99 df a3 as 99dfa3. Use lower case for the hex digits a to f. The thumbprint will usually be listed in lower case, whereas the serial number above will usually be listed in upper case.
- Again, double check the numbers
- Restart the Microsoft Monitoring Agent service
- Look for event ID 20053 in the Operations Manager event log, confirming that the certificate was valid. An invalid certificate will result in event ID 20066.
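The action plan above, carried out from an elevated PowerShell prompt instead of regedit, as an added example that is not part of the original post. It assumes the certificate, its chain and its private key are already installed in the Local Computer\Personal store, and that the thumbprint passed in is the one shown for that certificate in the certificate console.

```powershell
# Added example: write the two registry values the article describes,
# deriving both from the installed certificate so nothing is typed by hand.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # as shown in certlm.msc; spaces and case are normalised below
)

$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

# ChannelCertificateHash wants the thumbprint with no spaces, in lower case
$hash = ($Thumbprint -replace '\s', '').ToLowerInvariant()

# Locate the certificate in the local computer personal store by thumbprint
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) { throw "No certificate with thumbprint $hash in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $hash has no private key; the agent cannot use it" }

# SerialNumber is the hex string as displayed (most significant byte first).
# Split it into bytes, then reverse the byte order, exactly as the article describes.
$serialHex = $cert.SerialNumber -replace '\s', ''
[byte[]]$serialBytes = for ($i = 0; $i -lt $serialHex.Length; $i += 2) {
    [Convert]::ToByte($serialHex.Substring($i, 2), 16)
}
[Array]::Reverse($serialBytes)

# Write both values (created if missing, overwritten if present)
if (-not (Test-Path $regPath)) { throw "Agent registry key not found: $regPath" }
Set-ItemProperty -Path $regPath -Name 'ChannelCertificateSerialNumber' -Value $serialBytes -Type Binary
Set-ItemProperty -Path $regPath -Name 'ChannelCertificateHash' -Value $hash -Type String

# Echo what was written so it can be double checked against the certificate
'Serial (reversed): {0}' -f (($serialBytes | ForEach-Object { $_.ToString('X2') }) -join ' ')
'Hash: {0}' -f $hash

# Restart the Microsoft Monitoring Agent (service name HealthService) and
# look for 20053 (certificate accepted) or 20066 (certificate rejected)
Restart-Service -Name HealthService
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20053, 20066 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

The echoed serial and hash should match what regedit shows for the two values after the script runs; if 20066 appears, re-check the chain and private key in the store before touching the registry again.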