Create a certificate template for monitoring Non-Domain members


To monitor servers that aren't in your domain but in a DMZ, a server certificate is required. For this to work properly, a Certificate Template needs to be created before you can issue your certificates. The following will guide you through the process of creating the Certificate Template so that you can monitor your non-domain members in the future.

Do I have a Certificate Authority?

Run the following line in CMD and you will see all the CAs in the domain

  • certutil -config - -ping

Creating the template

  1. Connect to the server that has the CA role
  2. Start the Certification Authority console from the Administrative Tools menu
  3. In the console go to the Certificate Templates folder, right click on it and choose Manage
  4. The Certificate Templates Console will now be launched
  5. In this console you can see all of the existing certificate templates in your environment.
  6. In the middle pane of the Certificate Template console you need to look for the certificate template called Computer
  7. Right click on it and select Duplicate Template
  8. If your CA is installed on a Windows Server 2008 you’ll get this window:

  9. Select Windows Server 2003 Enterprise. If you select Windows Server 2008 Enterprise you could bump into the issue that you won’t be able to see the template using web-enrollment and won’t be able to use the certificate template for operating systems earlier than Windows Vista. Stick to the default setting in this case and click OK. Note: If the CA is Windows Server 2003 or earlier you won’t get this window.
  10. The Properties window for this new certificate template will open
  11. Give the template a name, e.g. OpsMgr Certificate Template
  12. Under the Request Handling tab, select Allow private key to be exported
  13. In the Subject Name tab you need to change the setting to Supply in the request.
  14. Go to the Security tab and change settings for Authenticated Users by checking the boxes for Enroll and Autoenroll. This depends on your organization's security requirements.
  15. Go to the Extensions tab. If you used the Computer certificate template as indicated at the beginning of this blog it should be OK
  16. Make sure that your certificate looks like the picture below with the Application Policies and click OK.

Publish the Certificate Template

  1. Open the certificate template settings again before publishing the template
  2. Before you can use the certificate in web-enrollment you need to publish it
  3. Close the Certificate Templates Console and go back to the Certification Authority console
  4. Right click on the Certificate Templates, click New and Certificate Template to Issue
  5. A new window will open where you can select the certificate template that you have just created, click OK to confirm and that’s it.
  6. You now have a Certificate Template that may be used for issuing server certificates.
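
The settings chosen in the steps above (Supply in the request, exportable private key, Enroll and Autoenroll for Authenticated Users) are stored on the template object in Active Directory and can be read back for review. The PowerShell below is an added example, not part of the original post; it assumes the display name OpsMgr Certificate Template suggested in the steps and a domain-joined machine.

```powershell
# Added example: read back the duplicated template from AD and report the
# settings chosen in the steps above. Run as a domain user on a domain member.
$displayName = 'OpsMgr Certificate Template'   # assumption: name suggested in the steps

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$displayName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Template '$displayName' not found in $configNC" }

# Template flag attributes; @(...)[0] yields $null (cast to 0) if an attribute is absent
$nameFlag   = [int]@($hit.Properties['mspki-certificate-name-flag'])[0]
$keyFlag    = [int]@($hit.Properties['mspki-private-key-flag'])[0]
$enrollFlag = [int]@($hit.Properties['mspki-enrollment-flag'])[0]
$ekus       = @($hit.Properties['pkiextendedkeyusage'])

# Extended-right GUIDs for Enroll and Autoenroll; the empty GUID means all extended rights
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'AllExtendedRights'
}
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$enrollers = $hit.GetDirectoryEntry().psbase.ObjectSecurity.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $rights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object { '{0} ({1})' -f $_.IdentityReference, $rights[$_.ObjectType.ToString()] }

[pscustomobject]@{
    Template              = $displayName
    SubjectSuppliedInReq  = [bool]($nameFlag   -band 0x1)   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    PrivateKeyExportable  = [bool]($keyFlag    -band 0x10)  # CT_FLAG_EXPORTABLE_KEY
    ManagerApprovalNeeded = [bool]($enrollFlag -band 0x2)   # CT_FLAG_PEND_ALL_REQUESTS
    ApplicationPolicyOIDs = $ekus -join ', '
    CanEnroll             = $enrollers -join '; '
} | Format-List
```

With Supply in the request enabled, every principal listed under CanEnroll can request a certificate for a subject name of its choosing, so limiting Enroll to a dedicated group or requiring CA certificate manager approval narrows who can obtain one.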