Obtaining Certificates for Non-Domain Joined Agents
Monitoring Exchange 2007 With System Center Operations Manager 2007 (Part 2) explains how to enable certificate-based authentication for monitoring Exchange Edge servers that do not belong to the domain.
If you have already read it, you may have found it a little tricky to issue the required certificate.
The good news is that Adam Kiu, a System Center Operations Manager at Microsoft, developed two neat tools that will do all the hard work for you: CertGenWizard.exe and CertInstaller.exe.
"CertGenWizard.exe is a wizard tool which will take your CA information as input (it isn't required if you are running the wizard on the box with the CA), take in the computer names (has to be FQDNs), and send out a request for the certificates you need. Now, you no longer have to fill out the Certificate Request form or enter parameters or connect to the web enrollment service. Once the certificates are approved, there is a Retrieve button in the CertGenWizard which will allow you to retrieve the certificates that you have requested. On top of the personal certificates, the wizard will retrieve the root CA certificate.
"The biggest benefit to this tool is the added ability to request multiple certificates at once. If you have 100 non-domain joined agents that you need to set up cert auth for, you can simply request all 100 machine certificates at once, retrieve them all, and manually bring them over to your other machines.
"Once you have brought them to your other machines, CertInstaller.exe is a second tool that will install the certificates into the local machine store of your computer and run MOMCertImport.exe for you. Note: Install OpsMgr Agent FIRST and then run the tool!"
Read his post, Obtaining Certificates for Non-Domain Joined Agents Made Easy With Certificate Generation Wizard, for detailed instructions and to download the tools.