1. When creating the opsmgr certificate template, why it starts from duplicating "IPsec (Offline request)" template? What are the exact requirements for this OpsMgr certificate (template)? (I can't find this documented)

2. When requesting the certificate, the documentation starts with Certreq tool then using CA web-console to submit, then back with CertReq to have the certificate in the computer store. Can we use CertReq tool all the way to get the certificate in place?

3. When using MOMcertimport.exe /subjectname <certificate subjectname>, there are possibly more than one certificate having the same subject name as it is actually the machine's FQDN. In this situation can the momcertimport pick up the right certificate?

Thanks in advance

Hi,

1. You can also start from the Current User certificates store, you can expand the Personal  Certificates folder and find the certificate. There is no document to mention that.

2. No, you cannot use CerReq tool all the way. Submitting the request is necessary.

3. MOMcertimport.exe will try to find applicable certificates for use in Operations Manager on that computer. Applicable here means that the subject name must be correct, a private key must be there, the certificate must be trusted and still be valid, and it must have the right certificate use properties of Server Authentication and Client Authentication.