Deploying SCOM Gateway Servers requires certificates on all servers in the Management Group and all Gateway Servers.

In this lab example, we are using our own internal Certificate Authority (CA).

If you need assistance in setting up a Certificate Authority, see my following guides:

Active Directory Certificate Services – Installation

Active Directory Certificate Services – Configuration

Prepare the Certificate

Open the Microsoft Management Console (MMC), by clicking Start > Run > MMC

When the MMC console opens, click on File > Add/Remove Snap-In

In the Add/Remove Snap-Ins window, select Certificate Templates, and Certification Authority and click Add; then click OK

Expand Certificate Templates

In the Certificate Templates console, right-click IPSec (Offline Request) and select Duplicate Template

On the General tab, enter a name like Operations Manager 2012 R2 Gateway Certificate

On the Request Handling tab, select Allow Private Key To Be Exported

On the Extensions tab, select Applications Policies and click Edit

On the Edit Application Policies Extension dialog, select the IP Security IKE Intermediate policy and click Remove

Next click Add and select the Client Authentication policy, and the Server Authentication policy, then press OK

On the Security tab, verify that Authenticated Users have Read rights, and Enroll rights, then press OK

Now we need to add the newly created template to the Certificate Authority. Start by expanding the Certificate Authority, and right-click on Certificate Templates then choose New > Certificate Template To Issue

On the Enable Certificate Templates dialog, select the template that we created, and click OK