Event ID 20069 and 21021 - Certificate could not be loaded
I'm trying to monitor a server in the DMZ zone that is part of the trusted domain. I pulled the certificate from a standalone CA and imported it as per
http://technet.microsoft.com/en-us/library/bb735417.aspx. After the import, I'm getting Event ID 20069 and 21021. I have no issues with other DMZ servers. This is a new server on Windows 2008 R2 and my CA is Windows 2003. (Note: I had a few Windows 2008 R2 servers in the DMZ without any issues.)
Please help me in resolving this.
*******************************
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 11/16/2011 4:03:58 PM
Event ID: 20069
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ABC.xyz.com
Description:
The specified certificate could not be loaded because the KeySpec must be AT_KEYEXCHANGE
*****************
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 11/16/2011 4:03:58 PM
Event ID: 21021
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ABC.xyz.com
Description:
No certificate could be loaded or created. This Health Service will not be able to communicate with other health services. Look for previous events in the event log for more detail.
Thanks & Regards, Manickam A
November 16th, 2011 6:57pm
The event is pretty self-explanatory - the KeySpec parameter of the certificate is not correct. Request and install a new certificate with the proper KeySpec.
This can help inspect the various properties that SCOM checks in a cert:
http://blogs.technet.com/b/momteam/archive/2009/01/23/troubleshooting-ops-mgr-certificate-issues-with-powershell.aspx
Thanks,
-Lincoln
November 16th, 2011 7:24pm
I checked everything and still I'm getting the same issue on the new DMZ servers. I'm not sure what the issue is. I request a certificate for a remote machine which is in the DMZ from my desktop. Then, after approving it in the CA, I installed the certificate in
my desktop's personal store. Then I exported the certificate from my local store on my laptop to the DMZ server and imported it into the DMZ server's system store. Let me know if I missed anything.
Note: There is no port opened between the DMZ server and the CA server.
Examining cert - Serial number 20BB890B0000000000DF
---------------------------------------------------
Cert subjectname
Private key
This certificate's private key is not issued to a machine account.
One possible cause of this is that the certificate
was issued to a user account rather than the machine,
then copy/pasted from the Current User store to the Local
Machine store. A full export/import is required to switch
between these stores.
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Keyspec not found. A KeySpec of 1 is required
Serial number written to registry
The serial number written to the registry does not match this certificate
Expected registry entry: DF00000000000B89BB20
Actual registry entry: DD00000000003B705A20
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
Thanks & Regards, Manickam A
November 16th, 2011 8:01pm
That output is not for the certificate that SCOM is loading. Note the "Serial number written to registry" section. Is that the wrong certificate, or do you need to run MomCertImport again to write an updated serial number to the registry?
Thanks,
-Lincoln
November 16th, 2011 8:15pm
Yes, I exported and imported multiple times and missed running MomCertImport. Find the updated result below...
Examining cert - Serial number 20BB890B0000000000DF
---------------------------------------------------
Cert subjectname
Private key
This certificate's private key is not issued to a machine account.
One possible cause of this is that the certificate
was issued to a user account rather than the machine,
then copy/pasted from the Current User store to the Local
Machine store. A full export/import is required to switch
between these stores.
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Keyspec not found. A KeySpec of 1 is required
Serial number written to registry
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
Thanks & Regards, Manickam A
November 16th, 2011 8:29pm
Your main issue is that the private key has not been imported. Did you ever drag/drop or copy/paste between a "user" store and a "machine" store? This doesn't work. Any time the certificate is moved, it needs to be fully exported with private
key to a PFX, then re-imported.
You also don't have a KeySpec (just like the eventlog says). It's possible this is a side-effect of not having a proper private key, though. How are you requesting the certificate? From a web UI, command line, other? If you are using
an INF, make sure you have a line in the [NewRequest] section with "KeySpec=1"
See http://blogs.technet.com/b/momteam/archive/2008/06/02/obtaining-certificates-for-ops-mgr.aspx for some more ideas.
Thanks,
-Lincoln
November 16th, 2011 8:48pm
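The three things Lincoln's last reply turns on (private key actually present in the machine store, KeySpec=1/AT_KEYEXCHANGE, and the registry serial number written by MomCertImport) can be checked on the agent with the added script below. It is an example written for this thread, not the momteam troubleshooting script; it assumes the certificate sits in LocalMachine\My with a legacy CSP key (the kind KeySpec applies to), and the registry path and value name are my recollection of where MomCertImport writes the serial number, so confirm them locally.

```powershell
# Added example: sanity-check a SCOM channel certificate for the three problems in this thread.
# Assumed location of the value MomCertImport writes (verify on your agent).
param([Parameter(Mandatory = $true)][string]$Thumbprint)

$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$regName = 'ChannelCertificateSerialNumber'
$ok = $true

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Private key must exist and must live in the machine key store, which a
#    copy/paste between the user and machine certificate stores never achieves.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key: export from the original store as PFX (with key) and re-import.'
    $ok = $false
} else {
    $cspInfo = $cert.PrivateKey.CspKeyContainerInfo   # $null for CNG keys
    if ($cspInfo -and -not $cspInfo.MachineKeyStore) {
        Write-Warning 'Private key is in a user key container, not the machine key store.'
        $ok = $false
    }
    # 2. KeySpec must be AT_KEYEXCHANGE (1), which .NET reports as "Exchange".
    if ($cspInfo -and $cspInfo.KeySpec -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
        Write-Warning "KeySpec is $($cspInfo.KeySpec); SCOM requires Exchange (KeySpec=1)."
        $ok = $false
    }
}

# 3. The registry holds the serial number with its byte order reversed:
#    20BB890B0000000000DF in the cert is expected as DF00000000000B89BB20.
$bytePairs = @([regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value })
[array]::Reverse($bytePairs)
$expected = -join $bytePairs

$actual = $null
$entry = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
if ($entry) {
    $raw = $entry.$regName
    # A REG_BINARY value comes back as byte[]; render it as upper-case hex for comparison.
    $actual = if ($raw -is [byte[]]) { -join ($raw | ForEach-Object { $_.ToString('X2') }) } else { [string]$raw }
}
if ($actual -ne $expected) {
    Write-Warning "Registry serial '$actual' does not match expected '$expected'; run MomCertImport for this certificate."
    $ok = $false
}

if ($ok) { Write-Output 'Private key, KeySpec and registry serial number are consistent for this certificate.' }
```

Run it from an elevated PowerShell prompt on the DMZ agent, since reading the private key container and the HKLM value both need administrative rights.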