SCVMM: Configure Azure management certificate to allow subscription to be added to VMM
In order to add an Azure subscription in System Center Virtual Machine Manager (VMM), you must first deploy an Azure management certificate. The certificate must contain a private key, and exist in the user’s Personal and Trusted Root Authorities stores on all machines that will be used to manage the Azure subscription from VMM. The certificate must also be imported into the Azure Classic Management Portal without a private key. There are many ways to create a certificate, but the instructions below focus on using the built-in functions of Windows by using PowerShell.
Follow the instructions below to create and deploy an Azure management certificate for use when adding an Azure subscription to VMM:
Log on to a Windows 10 workstation as an administrator.
Note The Provider switch is required, and is only available on Windows 10 and higher.
Open an elevated PowerShell window.
Run the following PowerShell cmdlets to create a private certificate in the current user’s Personal certificate store:
Import-Module PK New-SelfSignedCertificate -DnsName "VMM2Azure" -FriendlyName “VMM2Azure” -CertStoreLocation "Cert:\CurrentUser\My" -Provider "Microsoft Strong Cryptographic Provider"Note The DnsName and FriendlyNames are arbitrary for this process. In these steps, "VMM2Azure" is used to easily identify the certificate.
Run the following PowerShell cmdlets to export the public certificate in both .PFX and .CER formats:
Export-PfxCertificate -Cert (Get-ChildItem Cert:\CurrentUser\My\ -DnsName VMM2Azure) -FilePath $env:TEMP\VMM2Azure.pfx -Password (ConvertTo-SecureString -String "Password" -Force –AsPlainText) Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My\ -DnsName VMM2Azure) -FilePath $env:TEMP\VMM2Azure.cerNote The Password is arbitrary for this process. In these steps, “Password” is used to easily identify the password.
Note The certificate can be deleted from the user’s Personal certificate store on the Windows 10 workstation after it has been exported.
Copy the PFX certificate to the %temp% folder on the Virtual Machine Manager (VMM) server.
Log on to the VMM server with an administrator account that is used to configure VMM.
Run the following PowerShell cmdlets to import it into the current user’s Personal and Trusted Root Certification Authorities certificate stores:
Import-PfxCertificate -FilePath $env:TEMP\VMM2Azure.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString -String "Password" -Force –AsPlainText) Import-PfxCertificate -FilePath $env:TEMP\VMM2Azure.pfx -CertStoreLocation Cert:\CurrentUser\Root -Password (ConvertTo-SecureString -String "Password" -Force –AsPlainText)Click Yes when you are prompted to confirm the import process.
Log on to the Azure Classic Management Portal.
Select Settings from the list of items on the left side of the portal, and then select Management Certificates from the list of settings.
Click Upload at the bottom of the Management Certificates screen. In the resulting dialog box, click Browse for file, select VMM2Azure.cer from the %TEMP% folder, and then click the check mark icon to upload the public certificate.
Return to VMM and retry adding the Azure subscription.
References:
- New-SelfSignedCertificate: https://technet.microsoft.com/en-us/library/hh848633.aspx
- Export-PfxCertificate: https://technet.microsoft.com/en-us/library/hh848635.aspx
- Export-Certificate: https://technet.microsoft.com/en-us/library/hh848628.aspx
- Import-PfxCertificate: https://technet.microsoft.com/en-us/library/hh848625.aspx
- Azure Classic Management Portal: https://manage.windowsazure.com
- Up-vote adding ARM integration to the VMM Console: Add Azure Resource Manager Stack based Azure VMs to the subscription view