Event ID 20069 and 21021 - Certificate could not be loaded
I'm trying to monitor a server in the DMZ zone that is part of a trusted domain. I pulled the certificate from a standalone CA and imported it as per http://technet.microsoft.com/en-us/library/bb735417.aspx. After the import, I'm getting Event IDs 20069 and 21021. I have no issues with other DMZ servers. This is a new server on Windows 2008 R2 and my CA is Windows 2003. (Note: I had a few Windows 2008 R2 servers in the DMZ without any issues.) Please help me in resolving this.

*******************************
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 11/16/2011 4:03:58 PM
Event ID: 20069
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ABC.xyz.com
Description: The specified certificate could not be loaded because the KeySpec must be AT_KEYEXCHANGE

*****************
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 11/16/2011 4:03:58 PM
Event ID: 21021
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ABC.xyz.com
Description: No certificate could be loaded or created. This Health Service will not be able to communicate with other health services. Look for previous events in the event log for more detail.

Thanks & Regards,
Manickam A
November 16th, 2011 6:57pm

The event is pretty self-explanatory: the KeySpec parameter of the certificate is not correct. Request and install a new certificate with the proper KeySpec. This can help inspect the various properties that SCOM checks in a cert: http://blogs.technet.com/b/momteam/archive/2009/01/23/troubleshooting-ops-mgr-certificate-issues-with-powershell.aspx

Thanks,
-Lincoln
November 16th, 2011 7:24pm

I checked everything and I'm still getting the same issue on the new DMZ servers. I'm not sure what the issue is. I request a certificate for a remote machine which is in the DMZ from my desktop. Then, after approving it in the CA, I install the certificate in my desktop's personal store. Then I export the certificate from my local store on my laptop to the DMZ server and import it into the DMZ server's system store. Let me know if I missed anything. Note: there is no port opened between the DMZ server and the CA server.

Examining cert - Serial number 20BB890B0000000000DF
---------------------------------------------------
Cert subjectname
Private key
This certificate's private key is not issued to a machine account. One possible cause of this is that the certificate was issued to a user account rather than the machine, then copy/pasted from the Current User store to the Local Machine store. A full export/import is required to switch between these stores.
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Keyspec not found. A KeySpec of 1 is required
Serial number written to registry
The serial number written to the registry does not match this certificate
Expected registry entry: DF00000000000B89BB20
Actual registry entry: DD00000000003B705A20
Certification chain
There is a valid certification chain installed for this cert, but the remote machines' certificates could potentially be issued from different CAs. Make sure the proper CA certificates are installed for these CAs.

Thanks & Regards,
Manickam A
November 16th, 2011 8:01pm

That output is not for the certificate that SCOM is loading. Note the "Serial number written to registry" section. Is that the wrong certificate, or do you need to run MomCertImport again to write an updated serial number to the registry?

Thanks,
-Lincoln
November 16th, 2011 8:15pm

Yes, I exported and imported multiple times and missed running MomCertImport. Find the updated result below...

Examining cert - Serial number 20BB890B0000000000DF
---------------------------------------------------
Cert subjectname
Private key
This certificate's private key is not issued to a machine account. One possible cause of this is that the certificate was issued to a user account rather than the machine, then copy/pasted from the Current User store to the Local Machine store. A full export/import is required to switch between these stores.
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Keyspec not found. A KeySpec of 1 is required
Serial number written to registry
Certification chain
There is a valid certification chain installed for this cert, but the remote machines' certificates could potentially be issued from different CAs. Make sure the proper CA certificates are installed for these CAs.

Thanks & Regards,
Manickam A
November 16th, 2011 8:29pm

Your main issue is that the private key has not been imported. Did you ever drag/drop or copy/paste between a "user" store and a "machine" store? This doesn't work. Any time the certificate is moved, it needs to be fully exported with its private key to a PFX, then re-imported.

You also don't have a KeySpec (just like the event log says). It's possible this is a side effect of not having a proper private key, though. How are you requesting the certificate? From a web UI, command line, other? If you are using an INF, make sure you have a line in the [NewRequest] section with "KeySpec=1".

See http://blogs.technet.com/b/momteam/archive/2008/06/02/obtaining-certificates-for-ops-mgr.aspx for some more ideas.

Thanks,
-Lincoln
November 16th, 2011 8:48pm
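The following is an added example, not part of the thread and not Microsoft's or the SCOM team's own tooling. It puts Lincoln's two points into working form: a certreq INF whose [NewRequest] section carries KeySpec = 1 and creates the key in the machine store, the PFX-based move he describes, and a check for the three items the thread's tool output flagged (private key present, KeySpec of 1, registry serial matching the certificate). It is written for the PowerShell 2.0 that ships with Windows 2008 R2. The hostname ABC.xyz.com and the serial 20BB890B0000000000DF are taken from the thread's own output; the registry path and value name, the MomCertImport.exe location and the file names are assumptions and are marked as such in the code.

```powershell
# Added example (not from the thread, not Microsoft tooling). Values marked
# "assumed" are not from the thread; ABC.xyz.com and 20BB890B0000000000DF are.

# --- 1. Request: run this ON the DMZ server so the private key is created in the
#        machine key set. KeySpec = 1 is AT_KEYEXCHANGE, which event 20069 requires;
#        Exportable = TRUE lets the key travel inside a PFX if it ever has to.
$inf = @"
[NewRequest]
Subject = "CN=ABC.xyz.com"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@
Set-Content -Path .\scom-request.inf -Value $inf          # file name assumed
certreq -new .\scom-request.inf .\scom-request.req
# Carry scom-request.req to a host that can reach the CA, get it issued, bring the
# .cer back, and bind it to the key that already lives on this server:
#   certreq -accept .\scom-cert.cer
# If the certificate must move between machines, move it WITH its private key as a
# PFX (never copy/paste between stores), then register it with the agent:
#   certutil -p <password> -exportPFX My 20BB890B0000000000DF .\scom-cert.pfx
#   certutil -p <password> -importPFX .\scom-cert.pfx
#   MomCertImport.exe .\scom-cert.pfx      # location of MomCertImport.exe assumed

# --- 2. Verify the three properties the thread's tool output flagged.
function Test-ScomCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SerialNumber,
        # Assumed location and value name written by MomCertImport; confirm on your agent.
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings',
        [string]$RegistryValue = 'ChannelCertificateSerialNumber'
    )
    $SerialNumber = $SerialNumber -replace '\s', ''   # accept the spaced form the cert UI shows
    $result = @{}

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $SerialNumber } | Select-Object -First 1
    $result.FoundInMachineStore = [bool]$cert
    if (-not $cert) { return (New-Object PSObject -Property $result) }

    # A cert copy/pasted from the user store arrives here without its key.
    $result.HasPrivateKey = $cert.HasPrivateKey

    # KeySpec 1 (AT_KEYEXCHANGE) is reported as KeyNumber.Exchange on a CSP key.
    $keyNumber = $null
    try { if ($cert.HasPrivateKey) { $keyNumber = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber } }
    catch { $keyNumber = $null }
    $result.KeySpecIsExchange = ($keyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)

    # The registry holds the serial byte-reversed: 20BB890B0000000000DF is expected as
    # DF00000000000B89BB20, exactly as the thread's "Expected registry entry" line shows.
    $bytes = [byte[]](0..([int]($SerialNumber.Length / 2) - 1) | ForEach-Object {
        [Convert]::ToByte($SerialNumber.Substring(2 * $_, 2), 16) })
    [array]::Reverse($bytes)
    $result.ExpectedRegistrySerial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

    $actual = (Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue).$RegistryValue
    if ($actual) {
        $result.ActualRegistrySerial = ($actual | ForEach-Object { $_.ToString('X2') }) -join ''
    } else {
        $result.ActualRegistrySerial = '<not set; run MomCertImport>'
    }
    $result.RegistrySerialMatches = ($result.ActualRegistrySerial -eq $result.ExpectedRegistrySerial)

    New-Object PSObject -Property $result
}

Test-ScomCertificate -SerialNumber '20BB890B0000000000DF' | Format-List
```

Run the check from an elevated prompt on the DMZ server. HasPrivateKey false with FoundInMachineStore true is the copy/paste symptom from the thread and calls for a PFX export and re-import; HasPrivateKey true with KeySpecIsExchange false means the key was generated with the wrong KeySpec and the certificate has to be requested again; RegistrySerialMatches false means MomCertImport has not been run against this certificate.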

