SCOM - Renew Certificates

There are quite a few blog posts out there that explain in detail on how to generate and install certificates on SCOM and the SCOM Agents, but rarely on the topic of renewing the SCOM and SCOM Agents certificates.

The below procedure helped me to renew my environments certificates.
Thanks to Roel Knippen for sharing the process.


I received the following alert in System Center Operations Manager 2012 R2 on our Management Server and Gateway server.

To renew the certificate on the SCOM Management Server or Gateway server, follow the following steps:

1. Request a certificate from your certificate authority using the Operations Manager Template and install it on the SCOM Management Sever.
2. Check in the MMC console that the newly installed certificate has "Server Authentication" and "Client Authentication" by double clicking the certificate > Details > Enhanced Key Usage.
3. Export the generated certificate from the Certificates console and select "Yes, export the private key" on the first page of the wizard.
4. Save the certificate as .PFX file, and specify a password for it.
5. Remove the old imported certificates from System Center Operations Manager with the command "MOMCertImport.exe /Remove".
6. Install the new certiicate with the following command line: "MOMCertImport.exe C:\cert.pfx /Password P@ssw0rd".
7. Check if the registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\MachineSettings\ChannelCertificateSerialNumber" of Serial Number matches that you see in the Properties page of the certificate (the string is in a reverse order).
8. Restart the System Center Operation Manager health services on the Management Server and/or Gateway Servers to see if the update is succeeded.

Hope that this post was helpful.