You can use certificates as an alternative to the Kerberos protocol for mutual authentication and encryption between an agent and either a gateway server, management server, or root management server, or between a gateway server and either a management server or root management server.
Operations Manager 2007 includes a utility, MOMCertImport, that configures Operations Manager 2007 to use a certificate. For more information, see How to Import Certificates in Operations Manager 2007.
When you obtain and install certificates for use with Operations Manager 2007, consider the following:
- Certificates used on various components in Operations Manager 2007 (for example, agent, gateway server, management server, or root management server) must be issued by the same certification authority (CA).
- Each computer requires its own unique certificate.
- Each computer must also contain the root certification authority certificate in its Trusted Root Certification Authorities store and any intermediate certification authorities in the Intermediate Certification Authorities store.
- The Subject Name field for the certificate must contain the DNS fully qualified domain name (FQDN) of the host computer.
- The certificates need to support the following two extended key usage fields, server authentication and client authentication, which are represented by the two OIDs 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2.
Note: When entering OIDs, separate each OID with a comma. For example, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 exactly as shown.
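The following PowerShell script is an added example, not part of the original documentation or of Operations Manager. It checks each certificate in a store against the requirements listed above before the certificate is given to MOMCertImport. The store path `Cert:\LocalMachine\My` and the optional `-ExpectedIssuer` parameter are assumptions made for illustration.

```powershell
# Added example: audit certificates against the requirements listed above.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',  # assumed store location
    [string]$ExpectedIssuer = ''                   # hypothetical: issuer DN of the common CA
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # server authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # client authentication EKU
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

foreach ($cert in Get-ChildItem $StorePath) {
    # Subject Name must carry this host's DNS FQDN (compared against the CN here).
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Collect the extended key usage OIDs; both OIDs must be present.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }

    # Build the chain from the local computer stores. This fails if the root CA
    # is not in Trusted Root Certification Authorities or an intermediate CA is
    # missing. Revocation checking is skipped so the check works offline; an
    # expired certificate also fails here and shows up in ChainErrors.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    New-Object PSObject -Property @{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        SubjectOk   = ($cn -eq $fqdn)   # -eq on strings is case-insensitive
        EkuOk       = ($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth)
        IssuerOk    = (-not $ExpectedIssuer) -or ($cert.Issuer -eq $ExpectedIssuer)
        ChainOk     = $chainOk
        ChainErrors = $chainErrors
    }
}
```

Running the script with the same `-ExpectedIssuer` value on every agent, gateway server, and management server shows whether all certificates come from the same CA.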
The basic order of operations for installing a certificate is as follows:
- Obtain the certificate for each Operations Manager role.
- Use the MOMCertImport tool, specifying the certificate in the certificate store.
For more information, see the Operations Manager 2007 Security Guide at http://go.microsoft.com/fwlink/?LinkId=64017.
See Also
Tasks
How to Create a Certificate in an Enterprise CA for Operations Manager 2007
How to Create a Certificate in a Stand-Alone CA for Operations Manager 2007
How to Import a CA Certificate for Use with Operations Manager 2007
How to Import Certificates in Operations Manager 2007
How to Remove a Certificate that was Imported with the MOMCertImport Tool in Operations Manager 2007
Concepts
About Gateway Server in Operations Manager 2007
Mutual Authentication in Operations Manager 2007
Other Resources
About Security in Operations Manager 2007
Security Considerations in Operations Manager 2007