Deploying SCOM Gateway Servers requires certificates on all servers in the Management Group and all Gateway Servers.

In this lab example, we are using our own internal Certificate Authority (CA).

If you need help setting up a Certificate Authority, see my guides:

Active Directory Certificate Services – Installation

Active Directory Certificate Services – Configuration

Prepare the Certificate

Open the Microsoft Management Console (MMC) by clicking Start > Run > MMC


When the MMC console opens, click on File > Add/Remove Snap-In

In the Add/Remove Snap-Ins window, select Certificate Templates and Certification Authority and click Add, then click OK

Expand Certificate Templates

In the Certificate Templates console, right-click IPSec (Offline Request) and select Duplicate Template

On the General tab, enter a name like Operations Manager 2012 R2 Gateway Certificate

On the Request Handling tab, select Allow Private Key To Be Exported

On the Extensions tab, select Application Policies and click Edit


On the Edit Application Policies Extension dialog, select the IP Security IKE Intermediate policy and click Remove

Next, click Add and select the Client Authentication policy and the Server Authentication policy, then press OK

On the Security tab, verify that Authenticated Users have Read and Enroll rights, then press OK

Now we need to add the newly created template to the Certificate Authority. Start by expanding the Certification Authority snap-in, right-click Certificate Templates, then choose New > Certificate Template To Issue

On the Enable Certificate Templates dialog, select the template that we created, and click OK

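To confirm the template ended up as configured in the steps above, the following added example (not part of the original guide) reads the template object from Active Directory and reports its application policies, whether the key is exportable, whether the subject is supplied in the request, and which principals hold Enroll. It assumes the display name suggested on the General tab and a domain-joined host with read access to the Configuration partition; review the CanEnroll list against the servers that actually need this certificate.

```powershell
# Added example: audit the duplicated template as stored in Active Directory.
# Assumption: the display name entered on the General tab is the one below.
$displayName = 'Operations Manager 2012 R2 Gateway Certificate'

# Well-known EKU OIDs and the Enroll extended-right GUID
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$allRights   = [guid]::Empty                                   # ACE covers all extended rights

# Certificate templates live in the forest's Configuration partition
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$displayName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Template '$displayName' not found" }

$eku      = @($hit.Properties['pkiextendedkeyusage'])
$keyFlag  = [int]$hit.Properties['mspki-private-key-flag'][0]
$nameFlag = [int]$hit.Properties['mspki-certificate-name-flag'][0]

# Principals allowed to enroll: Allow ACEs carrying the Enroll extended right
$acl = $hit.GetDirectoryEntry().psbase.ObjectSecurity
$enrollers = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq $allRights)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

[pscustomobject]@{
    Template            = $displayName
    EKUs                = ($eku | ForEach-Object { if ($ekuNames[$_]) { $ekuNames[$_] } else { $_ } }) -join ', '
    IkeIntermediateGone = $eku -notcontains '1.3.6.1.5.5.8.2.2'
    ClientAndServerAuth = ($eku -contains '1.3.6.1.5.5.7.3.1') -and ($eku -contains '1.3.6.1.5.5.7.3.2')
    KeyExportable       = [bool]($keyFlag -band 0x10)   # CT_FLAG_EXPORTABLE_KEY
    SubjectInRequest    = [bool]($nameFlag -band 0x1)   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    CanEnroll           = $enrollers -join '; '
} | Format-List
```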