Monday, 19 August 2013

System Center: Deployment and Certificates

When you deploy System Center components, you must decide whether to use SSL for some of their functions (some functions even require it). Remember to install the certificate before you install the System Center component, so that you can select it in the installation wizard.

For a production environment, you should use a certificate from a trusted certification authority or from your own Active Directory Certificate Services infrastructure.

For a LAB or pre-production system, you can use a self-signed certificate. The Service Provider Foundation 2012 R2 installation wizard gives you the opportunity to generate one on the fly, which is very nice. The 2012 SP1 wizard does not. To create it manually you can use makecert.exe (part of Visual Studio and the Windows SDK).

To use it, download and install the Windows SDK. Then open Command Prompt with Run as Administrator.

To create a certificate (replace the path and the <FQDN> placeholders with your own path and the server's fully qualified domain name):

cd "C:\Program Files (x86)\Windows Kits\8.0\bin\x64"
makecert -pe -n "CN=TestRootCA" -ss personal -sr LocalMachine -sky signature -r "TestRootCA.cer"
makecert -pe -n "CN=<FQDN>" -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in "TestRootCA" -is personal -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "<FQDN>.cer"

The first command changes the directory to the location of makecert.exe. It could be located elsewhere on your system.

The second command creates a self-signed root authority certificate and installs it in the root store of the local machine. It also saves it as a file locally.

The third command creates a certificate signed by the TestRootCA certificate authority and installs it in the Personal store of the local machine, and also saves it as a file locally. You can use it for both Client and Server authentication (the -eku switch carries the Server Authentication and Client Authentication object identifiers, 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2).

To export the certificate from one machine and install it on another, start mmc and select: File > Add/Remove Snap-in… > Certificates > Add > Computer Account > Next > Finish

Find the certificate in the Personal store and export it with the private key.

After the export, copy the certificate file (<FQDN>.pfx) and TestRootCA.cer to the other computer.
Then, on the other computer, open Command Prompt with Run as Administrator and execute:
certutil -addstore -f Root "TestRootCA.cer"

Then open the certificate store on the other computer (mmc) and import the .pfx certificate into the Personal store.

The last step is to disable the certificate revocation check with a registry change. This is needed because the self-signed lab root publishes no CRL, so a revocation check against it cannot succeed:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
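As an added example (not part of the original post), the same lab-CA procedure written with the PKI-module cmdlets that replace makecert and certutil on current Windows, followed by a chain check you can run before starting the System Center wizard. It assumes an elevated PowerShell session on Windows Server 2016 / Windows 10 or later (where New-SelfSignedCertificate supports -Signer and -TextExtension); the FQDN and folder paths are placeholders to replace with your own.

```powershell
# Added example, not from the original post: lab root CA + server certificate with the
# PKI-module cmdlets, then a chain check. Assumes an elevated session on Windows
# Server 2016 / Windows 10 or later. FQDN and paths below are placeholders.
$Fqdn        = 'sc01.lab.example'                # placeholder server FQDN
$OutDir      = 'C:\Temp\LabPki'                  # placeholder output folder
$RootCerPath = Join-Path $OutDir 'TestRootCA.cer'
$PfxPath     = Join-Path $OutDir "$Fqdn.pfx"
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Extended key usage: Server Authentication and Client Authentication,
# the same two uses the makecert -eku switch grants in the post.
$EkuExtension = '2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2'

# --- Machine 1: self-signed lab root (CA:TRUE so it may sign other certificates) ---
$rootCa = New-SelfSignedCertificate `
    -Subject 'CN=TestRootCA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0') `
    -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Save the public root certificate and trust it on this machine
# (the equivalent of: certutil -addstore -f Root "TestRootCA.cer").
Export-Certificate -Cert $rootCa -FilePath $RootCerPath | Out-Null
Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# --- Machine 1: server/client certificate for the FQDN, signed by the lab root ---
$serverCert = New-SelfSignedCertificate `
    -Subject "CN=$Fqdn" -DnsName $Fqdn `
    -Signer $rootCa `
    -KeyUsage KeyEncipherment, DigitalSignature `
    -TextExtension @($EkuExtension) `
    -KeyLength 2048 -HashAlgorithm SHA256 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Export with the private key (the mmc "export with private key" step) for transfer.
Export-PfxCertificate -Cert $serverCert -FilePath $PfxPath -Password $PfxPassword | Out-Null

# --- Machine 2, after copying TestRootCA.cer and the .pfx over (run there, not here) ---
# Import-Certificate    -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
# Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# --- Check before running the wizard: does the chain build for Server Authentication? ---
# The lab root publishes no CRL, which is why the post disables the revocation check;
# here the same choice is explicit (RevocationMode = NoCheck). Setting it to Online
# instead shows the RevocationStatusUnknown / OfflineRevocation status a check would hit.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1')) | Out-Null
if ($chain.Build($serverCert)) {
    "Chain OK for $Fqdn, anchored at " + $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())" }
}

# The registry change from the post, needed only because the lab root has no CRL;
# a certificate issued by a real CA with a reachable CRL does not require it.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name 'DisableCertRevocationCheck' -Value 1 -PropertyType DWord -Force | Out-Null
```

The cmdlets store keys in the default CNG key storage provider; if the component you are installing still needs the legacy CSP the post selects with -sp and -sy, New-SelfSignedCertificate accepts -Provider 'Microsoft RSA SChannel Cryptographic Provider' and -KeySpec KeyExchange for the server certificate. Running the chain check on the second machine after the two imports confirms that both the root (in Trusted Root Certification Authorities) and the .pfx (in Personal, with its private key) landed where the wizard will look for them.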