I manage a growing number of OpsMgr agents on un-trusted networks. This means I have to assign these agents the CA cert and an OpsMgr cert instead of using Kerberos authentication. It’s a painful manual process but once it’s done I don’t have to go back to it for several years to replace the certs.
Someone in MS just came up with a wizard to "simplify" the process. To be honest, reading the page made it sound like things just got more complicated. Feel free to have a look but I think I’ll stick to the CertSrv web page.