I was installing a gateway in a locked down DMZ environment today, and ran across an issue getting my certificates to work.
My DMZ based gateway has NO access to browse the Enterprise CA’s website, so I had to request and issue my certificates, and export them all manually. When trying to use the certificate for the GW – I was getting this event during Health Service startup in the OpsMgr log:
Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20077
Time: 1:48:35 PM
The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication, because the certificate cannot be queried for property information. The specific error is 0x80092004(%3).
This typically means that no private key was included with the certificate. Please double-check to ensure the certificate contains a private key.
I was using the following documentation:
How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007
The only difference was – I could not submit the request and directly import it using the machine in the DMZ. Instead I was using my desktop to submit the request to the CA, and then download a copy of it. This downloaded copy was a .CER file.
It imported just fine in the computer personal store – but would not work – giving the error event above.
After a little digging, I found an internal article with the following resolution:
- Open certmgr for "Computer account" in MMC as a snap-in.
- Double click on the certificate in question.
- Go to "Details" tab.
- Scroll down till you find the "Thumbprint" section.
- Copy the information and paste in a text editor like notepad which typically looks like below:
- fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be
- certutil.exe -repairstore My "thumbprint"
- In the above example the command would look like this:
- certutil.exe -repairstore My "fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be"
- Once this is done, On opening the certificate, we should see the text as "you have a private key that corresponds to this certificate."
After doing this – sure enough – I verified that the certificate in my computer personal store now has the correct “You have a private key that corresponds to this certificate”
Now – I had to re-import my trusted root certificate chain, and bounce the Health Service on the Gateway, and it all worked perfectly.
I don’t expect this to be a common issue, but figured it worthy of writing up in case others run into this situation.