Hands up - who has had 'fun' with certificates and monitoring agents in non-trusted domains with Operations Manager 2007? I know I have... especially on some of the first deployments which I did.
Good news, though: the Operations Manager product team have released a certificate generation wizard (CertGenWizard), which is really good, especially when requesting multiple certificates.
CertGenWizard.exe is a wizard tool which will take your CA information as input (it isn't required if you are running the wizard on the box with the CA), take in the computer names (has to be FQDNs), and send out a request for the certificates you need. Now, you no longer have to fill out the Certificate Request form or enter parameters or connect to the web enrollment service. Once the certificates are approved, there is a Retrieve button in the CertGenWizard which will allow you to retrieve the certificates that you have requested. On top of the personal certificates, the wizard will retrieve the root CA certificate.
The biggest benefit to this tool is the added ability to request multiple certificates at once. If you have 100 non-domain joined agents that you need to set up cert auth for, you can simply request all 100 machine certificates at once, retrieve them all, and manually bring them over to your other machines.
Once you have brought them to your other machines, CertInstaller.exe is a second tool that will install the certificates into the local machine store of your computer and run MOMCertImport.exe for you. Note: Install OpsMgr Agent FIRST and then run the tool!
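Once CertInstaller.exe has run on an agent, it is worth confirming that what landed in the local machine store is usable. The following PowerShell function is an added example, not part of the product team's tools: it checks that a certificate issued to the machine's FQDN has a private key, is within its validity period and chains to a trusted root (the root CA certificate the wizard retrieves). The function name, the sample host name and the EKU check (Server and Client Authentication, assumed here to be what the certificate template issues) are assumptions.

```powershell
# Added example: post-install check of the agent certificate in LocalMachine\My.
function Test-AgentCertificate {
    param(
        # The FQDN exactly as it was entered in CertGenWizard for this machine.
        [Parameter(Mandatory = $true)] [string]$Fqdn
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $now  = Get-Date
    # Assumption: the template issues Server and Client Authentication EKUs.
    $requiredEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $cn = $cert.GetNameInfo(([type]"$x509.X509NameType")::SimpleName, $false)
        if ($cn -ne $Fqdn) { return }   # skip certificates issued to other names

        # Collect the EKU OIDs present on the certificate.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is ([type]"$x509.X509EnhancedKeyUsageExtension") }
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $missingEku = @($requiredEku | Where-Object { $ekus -notcontains $_ })

        # Chain build fails if the root CA certificate is not trusted locally.
        # Revocation is not checked: a non-domain-joined agent may not be able
        # to reach the CA's CRL location (assumption; remove to enforce it).
        $chain = New-Object "$x509.X509Chain"
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            MissingEku    = ($missingEku -join ',')
            ChainTrusted  = $chainOk
            ChainStatus   = $status
        }
    }
}

# Constructed sample host name; substitute the agent's own FQDN.
Test-AgentCertificate -Fqdn 'agent01.example.com' | Format-List
```

No output means no certificate in the store was issued to that name, which usually points to a short host name being used where the FQDN was required.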
More information can be found at: http://blogs.technet.com/momteam/archive/2008/08/22/obtaining-certificates-for-non-domain-joined-agents-made-easy.aspx