SCOM certificate installation issue for a workgroup server
Hi
We have installed the SCOM certificate on one of the workgroup servers. After doing the cert installation we are getting the errors below. Help us to resolve the issue.
Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20049
Date: 5/9/2012
Time: 10:05:27 AM
User: N/A
Computer: IND101
Description:
The specified certificate could not be loaded because the Key Usage specified does not meet OpsMgr requirements. The certificate must have the following usage types:
Digital Signature
Key Encipherment
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21021
Date: 5/9/2012
Time: 10:05:27 AM
User: N/A
Computer: IND101
Description:
No certificate could be loaded or created. This Health Service will not be able to communicate with other health services. Look for previous events in the event log for more detail.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21007
Date: 5/9/2012
Time: 8:27:01 AM
User: N/A
Computer: IND101
Description:
The OpsMgr Connector cannot create a mutually authenticated connection to MS1.india.com because it is not in a trusted domain.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21016
Date: 5/6/2012
Time: 5:26:19 AM
User: N/A
Computer: IND101
Description:
OpsMgr was unable to set up a communications channel to MS1.india.com and there are no failover hosts. Communication will resume when MS1.india.com is available and communication from this computer is allowed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Donald D'souza (http://donald-scom.blogspot.com/)
May 9th, 2012 3:27pm
Hi,
Check the following 3 guides
http://technet.microsoft.com/en-us/library/bb735408.aspx
http://blogs.technet.com/b/operationsmgr/archive/2009/09/10/step-by-step-for-using-certificates-to-communicate-between-agents-and-the-opsmgr-2007-server.aspx
http://blogs.technet.com/b/momteam/archive/2008/06/02/obtaining-certificates-for-ops-mgr.aspx
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 9th, 2012 3:32pm
Hi Donald
It is a problem with the certificate - "The specified certificate could not be loaded because the Key Usage specified does not meet OpsMgr requirements." - are you using Windows 2003 or 2008 Certificate Services, and is it enterprise or stand-alone?
The 4 options are discussed here:
http://technet.microsoft.com/en-us/library/bb735408.aspx
If you are using enterprise then there is a problem with the certificate template that has been created.
Cheers
Graham
Regards Graham New System Center 2012 Blog! -
http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
May 9th, 2012 5:07pm
I asked multiple vendors at MMS 2012 to create a simplified SCOM certificate management engine/interface and we would buy it in droves.
All of them said no.
Shame since we would pay $1000+ for something.
:)
Shame too that MS cannot give us something easier.
So many opportunities to make the product better were lost in 2012. Between this and a Maintenance Mode management interface/MP that works.
I guess we can wait for 2016.
May 9th, 2012 6:04pm
Hi Graham
We are using Windows 2003 Stand-alone certificate server.
Donald D'souza (http://donald-scom.blogspot.com/)
May 10th, 2012 10:55am
Hi Donald
This is the link:
http://technet.microsoft.com/en-us/library/bb735417
Note - step 6 - under To request a certificate from a stand-alone CA - make sure you have set all of these correctly.
6.
On the Advanced Certificate Request page, do the following:
a. Under Identifying Information, in the Name field, enter a unique name, for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the remaining fields, enter the appropriate information.
Note
Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.
b. Under Type of Certificate Needed:
Click the list, and then select Other.
In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
c. Under Key Options, make the following selections:
Click Create a new key set
In the CSP field, select Microsoft Enhanced Cryptographic Provider v1.0
Under Key Usage, select Both
Under Key Size, select 1024
Select Automatic key container name
Select Mark keys as exportable
Clear Export keys to file (not required for Windows Server 2008 AD CS)
Clear Enable strong private key protection
Click Store certificate in the local computer certificate store.
d. Under Additional Options:
Under Request Format, select CMC
In the Hash Algorithm list, select SHA-1
Clear Save request to a file
In the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.
e. Click Submit.
f. If a Potential Security Violation dialog box is displayed, click Yes.
g. When a Certificate Pending page displays, close the browser.
Cheers
Graham
Regards Graham New System Center 2012 Blog! -
http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
May 10th, 2012 11:06am
Hi Donald,
Did you review your steps here?
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA
Note that the certificate should be obtained and configured for the Management Server / Gateway and any agent that is not part of the domain.
Regards, Mazen Ahmed
May 10th, 2012 11:09am
Hi Donald
Most likely it is your INF configuration file setting:
On the client machine, use Notepad to create the INF configuration file.
Open Notepad and make a new file named "RequestConfig.inf". Paste the following text into the file:
[NewRequest]
; Subject CN must be the agent's FQDN (OpsMgr logs event 20052 if it does not match the computer name)
Subject="CN=<Machine FQDN>"
Exportable=TRUE
KeyLength=1024
; KeySpec=1 is AT_KEYEXCHANGE: the key can be used for both signing and key exchange
KeySpec=1
; 0xf0 = Digital Signature (0x80) + Non-Repudiation (0x40) + Key Encipherment (0x20) + Data Encipherment (0x10)
; OpsMgr requires at least Digital Signature and Key Encipherment (event 20049 otherwise)
KeyUsage=0xf0
; Create the key in the local computer store, not the current user's store
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
; Server Authentication
OID=1.3.6.1.5.5.7.3.1
; Client Authentication
OID=1.3.6.1.5.5.7.3.2
<Machine FQDN> is your client machine's FQDN.
roger
May 10th, 2012 12:08pm
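Whichever of the two request methods is used, the cause of events 20049 and 20052 can be confirmed on the agent itself before touching the CA again. The PowerShell script below is an added example, not code from the thread or from Microsoft; it walks the local computer's Personal store and reports, for each certificate, whether the Key Usage contains Digital Signature and Key Encipherment, whether the Server Authentication and Client Authentication EKU OIDs are present, whether the subject CN matches the FQDN, and whether a private key is attached. The $ExpectedFqdn parameter and the Test-OpsMgrCertificate function name are this example's own; the defaults derive the FQDN from DNS, which is an assumption about the environment.

```powershell
# Added diagnostic for the OpsMgr certificate requirements described in the thread
# (events 20049 and 20052). Not part of the original posts or of any Microsoft tooling.
# Assumption: the agent's FQDN as resolved by DNS is the CN the certificate should carry.
param(
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$X509 = 'System.Security.Cryptography.X509Certificates'
# Event 20049: both Digital Signature and Key Encipherment must be set in the Key Usage extension.
$requiredKeyUsage = [Enum]::Parse("$X509.X509KeyUsageFlags", 'DigitalSignature, KeyEncipherment')
# Enhanced Key Usage OIDs used in the request: Server Authentication and Client Authentication.
$requiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Key Usage check (the exact condition behind event 20049)
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) {
        $problems += 'No Key Usage extension present'
    } elseif (($ku.KeyUsages -band $requiredKeyUsage) -ne $requiredKeyUsage) {
        $problems += "Key Usage is '$($ku.KeyUsages)'; needs DigitalSignature and KeyEncipherment"
    }

    # Enhanced Key Usage check: both OIDs from the request must be present
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $presentOids = @()
    if ($eku) { $presentOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $requiredEku) {
        if ($presentOids -notcontains $oid) { $problems += "Missing Enhanced Key Usage OID $oid" }
    }

    # Subject CN must equal the computer's FQDN (event 20052 otherwise)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedFqdn) { $problems += "Subject CN '$cn' does not match FQDN '$ExpectedFqdn'" }

    # The Health Service runs as a machine service and needs the private key in the machine store
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key is associated with this certificate' }

    # An expired certificate will also fail to load
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($Cert.NotAfter)" }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Problems   = $problems
        Usable     = ($problems.Count -eq 0)
    }
}

# Evaluate every certificate in the local computer's Personal store
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate -Cert $_ } | Format-List
```

Run it in an elevated PowerShell session on the workgroup server. A certificate that reports Usable = True here is one the OpsMgr Connector can load; if every entry lists a Key Usage problem, the request (template, INF KeyUsage value, or the "Both" key usage option in the web enrollment page) is what needs correcting, not the import step.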
Hi Roger
In which location do I need to create this INF configuration file?
Donald D'souza (http://donald-scom.blogspot.com/)
May 10th, 2012 2:21pm
This file would be used if you Obtain a Certificate Using Windows Server 2008 Stand-Alone CA, but in your case it is Windows Server 2003.
However, you can take Roger's note here:
in:
How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA
Go to "To request a certificate from a stand-alone CA"
Step 6 >> D and make sure you are using the FQDN
Regards, Mazen Ahmed
May 10th, 2012 2:31pm
Hi Donald
You don't need to use an inf file unless the agent doesn't have access to the certificate server. Just follow the documentation on the Management Server \ Gateway \ Agent about connecting to the certificate server using Internet Explorer and requesting the certificate.
To request a certificate from a stand-alone CA -
http://technet.microsoft.com/en-us/library/bb735417
Log on to the computer where you want to install a certificate (for example, the gateway server or management server).
Start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
If the agent doesn't have access to the certificate server then let us know. I have done an overview here of using certreq with an inf file.
http://systemcentersolutions.wordpress.com/2009/11/21/what-if-agent-cant-access-certificate-server/
Cheers
Graham
Regards Graham New System Center 2012 Blog! -
http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
May 11th, 2012 3:10am