Merge pull request #10043 from Ibnajjar/patch-1

AB#8043: Fixed Linux commands for certificate extraction and added automation through bash script.

Author: ryanberg-aquent

support/system-center/scom/use-ca-certificate-on-scx-agent.md

@@ -2,7 +2,7 @@
 title: Convert self-signed SCX certificates to CA certificates
 description: Introduces how to convert a self-signed certificate on an SCX agent to a Certificate Authority (CA) signed certificate.
 ms.date: 04/15/2024
-ms.reviewer: alexkre, blakedrumm, edpaca, stparker, udmudiar, v-weizhu
+ms.reviewer: alexkre, blakedrumm, edpaca, stparker, udmudiar, v-weizhu, v-ryanberg
 ms.topic: how-to
 ms.custom: linux-related-content
 ---
@@ -76,65 +76,108 @@ On a CA server in your SCOM environment, follow these steps to create a certific
 
 ## Copy and edit the certificate on the Unix/Linux server
 
+Use one of the following methods to configure the certificate on the the Unix/Linux server:
+
+### Method 1: Configure certificate manually
+
 1. Copy the certificate to the Unix/Linux server for which the certificate was issued.
 1. Export the private key by using the following command:
 
     ```console
-    openssl pkcs12 -in <FileName>.pfx -nocerts -out key.pem
+    openssl pkcs12 -in <FileName>.pfx -nocerts -out /etc/opt/omi/ssl/omikey.pem -nodes -passin pass:"pfxpassword"
     ```
 
-    While exporting the private key from the certificate store, a new password has to be set for the new key file.
-
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-export-private-key.png" alt-text="Screenshot that shows the command to export the private key.":::
-
-    After the export is completed, you should see a *key.pem* file:
-
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-get-key-dot-pem-file.png" alt-text="Screenshot that shows the command to get the private key file.":::
+While exporting the private key from the certificate store, include the `-nodes` paramter (which stands for no Desktop Environments (DEs)). This instructs OpenSSL to output the private key in an unencrypted format. Otherwise a new password has to be set for the new key file. 
 
 1. Export the certificate by using the following command:
 
     ```console
-    openssl pkcs12 -in <FileName>.pfx -clcerts -nokeys -out omi.pem
+    openssl pkcs12 -in <FileName>.pfx -clcerts -nokeys -out /etc/opt/omi/ssl/omi-host-$(hostname).pem -passin pass:"pfxpassword"
     ```
 
-    While exporting the certificate from the certificate store, you have to enter the password for the *\<FileName>.pfx* file.
+1. Delete and create a new symbolic link:
 
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-export-certificate.png" alt-text="Screenshot that shows the command to export the certificate.":::
+    ```console
+    rm -f /etc/opt/omi/ssl/omi.pem
+    ln -s /etc/opt/omi/ssl/omi-host-$(hostname).pem /etc/opt/omi/ssl/omi.pem
+    ```
+   
+1. Set the correct permissions and ownership on the private key, certificate, and symbolic link:
 
-    After the export is completed, you should see an *omi.pem* file:
+    ```console
+    chmod 600 /etc/opt/omi/ssl/omikey.pem
+    chmod 640 /etc/opt/omi/ssl/omi-host-$(hostname).pem /etc/opt/omi/ssl/omi.pem
+    chown omi:omi /etc/opt/omi/ssl/omikey.pem
+    chown root:omi /etc/opt/omi/ssl/omi-host-$(hostname).pem /etc/opt/omi/ssl/omi.pem
+    ```
 
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-get-omi-dot-pem-file.png" alt-text="Screenshot that shows the command to get the certificate file.":::
+1. Restart the SCX agent by running the following command:
 
-1. Remove the password from the private key by using the following command:
+    ```console
+    scxadmin -restart
+    ```
+
+1. Make sure the Open Management Infrastructure (OMI) processes are running after restarting the agent:
 
     ```console
-    openssl rsa -in key.pem -out omikey.pem 
+    ps -ef | grep omi | grep -v grep
     ```
 
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-remove-password-from-private-key.png" alt-text="Screenshot that shows the command to remove password from the private key.":::
+    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-validate-omi-processes.png" alt-text="Screenshot that shows the command to validate omi processes running." lightbox="media/use-ca-certificate-on-scom-linux-agent/command-validate-omi-processes.png":::
 
-    This action is needed since the Linux agent doesn't know the password for the file.
+### Method 2: Configure certificate with bash script
 
-1. Move the *omikey.pem* file to the Open Management Infrastructure (OMI) directory by using the following command:
+1. Save the following bash script: `extract_scx_cert.sh`
 
     ```console
-    mv omikey.pem /etc/opt/omi/ssl/omikey.pem 
+    #!/bin/bash
+    
+    # Usage: sudo ./extract_scx_cert.sh /path/to/certificate.pfx <pfx_password>
+     
+    PFX_FILE="$1"
+    PFX_PASS="$2"
+    SSL_DIR="/etc/opt/omi/ssl"
+    KEY_FILE="$SSL_DIR/omikey.pem"
+    CERT_FILE="$SSL_DIR/omi-host-$(hostname).pem"
+    SYMLINK_FILE="$SSL_DIR/omi.pem"
+     
+    if [[ -z "$PFX_FILE" || -z "$PFX_PASS" ]]; then
+      echo "Usage: $0 /path/to/certificate.pfx <pfx_password>"
+      exit 1
+    fi
+     
+    echo "Extracting private key..."
+    openssl pkcs12 -in "$PFX_FILE" -nocerts -out "$KEY_FILE" -nodes -passin pass:"$PFX_PASS"
+     
+    echo "Extracting certificate..."
+    openssl pkcs12 -in "$PFX_FILE" -clcerts -nokeys -out "$CERT_FILE" -passin pass:"$PFX_PASS"
+     
+    echo "Creating symbolic link..."
+    rm -f "$SYMLINK_FILE"
+    ln -s "$CERT_FILE" "$SYMLINK_FILE"
+     
+    echo "Setting permissions..."
+    chmod 600 "$KEY_FILE"
+    chmod 640 "$CERT_FILE" "$SYMLINK_FILE"
+    chown root:omi "$CERT_FILE" "$SYMLINK_FILE"
+    chown omi:omi "$KEY_FILE"
+     
+    echo "Restarting omid service..."
+    systemctl restart omid
     ```
 
-1. Restart the SCX agent by using the following command:
+1. Change the script permissions to be run:
 
     ```console
-    scxadmin -restart
+    chmod +x /home/user/extract_scx_cert.sh
     ```
 
-1. Make sure the *omi* processes are running after restarting the agent:
+1. Run the following command to run the script with these two parameters: the path to the PFX file and the password for it.
 
     ```console
-    ps -ef | grep omi | grep -v grep
+    sudo ./extract_scx_cert.sh /path/to/certificate.pfx pfx_password
     ```
 
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-validate-omi-processes.png" alt-text="Screenshot that shows the command to validate omi processes running." lightbox="media/use-ca-certificate-on-scom-linux-agent/command-validate-omi-processes.png":::
-
 ## Validate that the certificate is signed by the CA
 
 1. Run the following command on the agent to verify that the certificate is signed by the CA:
@@ -159,6 +202,8 @@ On a CA server in your SCOM environment, follow these steps to create a certific
     notAfter=Jul 25 12:12:14 2033 GMT
     ```
 
+    > The path `/etc/opt/microsoft/scx/ssl` contains a symbolic link `scx.pem -> /etc/opt/omi/ssl/omi.pem` that's used by the SCX agent in order to use the OMI certificate created earlier.
+
 1. Run a network trace on one of the management servers/gateways in the UNIX/Linux resource pool.
 1. Run the following `WinRM` command against the agent and make sure you get the instance output: