In System Center Essentials 2010, you can use certificates as an alternative to the Kerberos protocol for mutual authentication and encryption between an agent and the Essentials management server.
Essentials includes a utility, MOMCertImport, that configures Essentials 2010 to use a certificate. For more information, see How to Import Certificates.
When you obtain and install certificates for use with Essentials, consider the following:
- Certificates used on various components in Essentials (for example, agent, remote console, or management server) must be issued by the same certification authority (CA).
- Each computer requires its own unique certificate.
- Each computer must also contain the root certification authority certificate in its Trusted Root Certification Authorities store and any intermediate certification authorities in the Intermediate Certification Authorities store.
- The Subject Name field for the certificate must contain the DNS fully qualified domain name (FQDN) of the host computer.
- The certificates need to support the following two extended key usage fields, server authentication and client authentication, which are represented by the two OIDs 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2.
Note: When entering OIDs, separate the OIDs with commas. For example, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 exactly as shown.
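The requirements listed above can be checked on each computer before the certificate is handed to MOMCertImport. The following PowerShell function is an added example, not part of Essentials or of the original page; the function name Test-EssentialsCertificate and the default store path Cert:\LocalMachine\My are assumptions.

```powershell
# Added example. Test-EssentialsCertificate is a hypothetical helper name,
# not a cmdlet that ships with Essentials.
function Test-EssentialsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        # Assumption: the certificate sits in the computer's Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate $Thumbprint in $StorePath" }

    # Subject Name must contain this host's DNS FQDN.
    $fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $subjectOk = $cert.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($fqdn) + '\s*(,|$)')

    # EKU must list server authentication and client authentication.
    $required = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
    $present = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $missingEku = @($required | Where-Object { $present -notcontains $_ })

    # Build the chain in the local computer context; a root CA certificate
    # missing from Trusted Root Certification Authorities shows up as an error.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # check the trust path only
    $chainOk = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })

    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        Issuer         = $cert.Issuer   # must match on every Essentials component
        ExpectedFqdn   = $fqdn
        SubjectHasFqdn = $subjectOk
        MissingEkuOids = $missingEku
        ChainTrusted   = $chainOk
        ChainErrors    = $chainErrors
    }
}
```

Call it with the certificate's thumbprint on the agent, remote console, and management server, and compare the Issuer value across the results to confirm that all certificates come from the same CA.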
The basic order of operations for installing a certificate is as follows:
- Obtain the certificate for each Essentials component.
- Use the MOMCertImport tool, specifying the certificate in the certificate store.