SCOM certificate installation issue for a workgroup server
Hi,

We have installed the SCOM certificate on one of the workgroup servers. After doing the cert installation we are getting the below errors. Help us to resolve the issue.

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20049
Date: 5/9/2012
Time: 10:05:27 AM
User: N/A
Computer: IND101
Description: The specified certificate could not be loaded because the Key Usage specified does not meet OpsMgr requirements. The certificate must have the following usage types:
Digital Signature
Key Encipherment
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

------------------------------------------------------------

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21021
Date: 5/9/2012
Time: 10:05:27 AM
User: N/A
Computer: IND101
Description: No certificate could be loaded or created. This Health Service will not be able to communicate with other health services. Look for previous events in the event log for more detail.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

------------------------------------------------------------

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21007
Date: 5/9/2012
Time: 8:27:01 AM
User: N/A
Computer: IND101
Description: The OpsMgr Connector cannot create a mutually authenticated connection to MS1.india.com because it is not in a trusted domain.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

------------------------------------------------------------

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21016
Date: 5/6/2012
Time: 5:26:19 AM
User: N/A
Computer: IND101
Description: OpsMgr was unable to set up a communications channel to MS1.india.com and there are no failover hosts. Communication will resume when MS1.india.com is available and communication from this computer is allowed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Donald D'souza (http://donald-scom.blogspot.com/)
May 9th, 2012 3:27pm

Hi,

Check the following 3 guides:

http://technet.microsoft.com/en-us/library/bb735408.aspx
http://blogs.technet.com/b/operationsmgr/archive/2009/09/10/step-by-step-for-using-certificates-to-communicate-between-agents-and-the-opsmgr-2007-server.aspx
http://blogs.technet.com/b/momteam/archive/2008/06/02/obtaining-certificates-for-ops-mgr.aspx

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 9th, 2012 3:32pm

Hi Donald

It is a problem with the certificate - "The specified certificate could not be loaded because the Key Usage specified does not meet OpsMgr requirements." - are you using Windows 2003 or 2008 certificate services, and is it enterprise or stand-alone? The 4 options are discussed here: http://technet.microsoft.com/en-us/library/bb735408.aspx

If you are using enterprise then there is a problem with the certificate template that has been created.

Cheers
Graham

Regards Graham
New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
May 9th, 2012 5:07pm

I asked multiple vendors at MMS 2012 to create a simplified SCOM certificate management engine/interface and we would buy it in droves. All of them said no. Shame since we would pay $1000+ for something. :) Shame too that MS cannot give us something easier. So many opportunities to make the product better were lost in 2012. Between this and a Maintenance Mode management interface/MP that works. I guess we can wait for 2016.
May 9th, 2012 6:04pm

Hi Graham

We are using Windows 2003 Stand-alone certificate server.

Donald D'souza (http://donald-scom.blogspot.com/)
May 10th, 2012 10:55am

Hi Donald

This is the link: http://technet.microsoft.com/en-us/library/bb735417

Note - step 6 - under "To request a certificate from a stand-alone CA" - make sure you have set all of these correctly.

6. On the Advanced Certificate Request page, do the following:
   a. Under Identifying Information, in the Name field, enter a unique name, for example, the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the remaining fields, enter the appropriate information.
      Note: Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name.
   b. Under Type of Certificate Needed: click the list, and then select Other. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
   c. Under Key Options, make the following selections:
      - Click Create a new key set
      - In the CSP field, select Microsoft Enhanced Cryptographic Provider v1.0
      - Under Key Usage, select Both
      - Under Key Size, select 1024
      - Select Automatic key container name
      - Select Mark keys as exportable
      - Clear Export keys to file (not required for Windows Server 2008 AD CS)
      - Clear Enable strong private key protection
      - Click Store certificate in the local computer certificate store.
   d. Under Additional Options:
      - Under Request Format, select CMC
      - In the Hash Algorithm list, select SHA-1
      - Clear Save request to a file
      - In the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for.
   e. Click Submit.
   f. If a Potential Security Violation dialog box is displayed, click Yes.
   g. When a Certificate Pending page displays, close the browser.

Cheers
Graham

Regards Graham
New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
May 10th, 2012 11:06am

> Hi Graham We are using Windows 2003 Stand-alone certificate server. Donald D'souza (http://donald-scom.blogspot.com/)

Hi Donald,

Did you review your steps here? How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA

Note that the certificate should be obtained and configured for the Management Server / Gateway and any agent that is not a part of the Domain.

Regards,
Mazen Ahmed
May 10th, 2012 11:09am

Hi donald

Most likely it is your INF configuration file setting. On the client machine use Notepad to create the INF configuration file:

Open Notepad and make a new file named "RequestConfig.inf". Paste the following text into the file:

    [NewRequest]
    Subject="CN=<Machine FQDN>"
    Exportable=TRUE
    KeyLength=1024
    KeySpec=1
    KeyUsage=0xf0
    MachineKeySet=TRUE
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1
    OID=1.3.6.1.5.5.7.3.2

<Machine FQDN> is your client machine's FQDN name.

roger
May 10th, 2012 12:08pm
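An added diagnostic, not posted by anyone in this thread, that checks what Event 20049 and Event 20052 complain about: it decodes the KeyUsage=0xf0 mask from the INF above into named flags, then tests every certificate in the local computer's Personal store for the Digital Signature and Key Encipherment usages, the Server and Client Authentication EKU OIDs, a subject CN equal to the machine FQDN, and a present private key. The store path (Cert:\LocalMachine\My) and deriving the FQDN from IPGlobalProperties are assumptions; the required usages and OIDs are the ones quoted in the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the agent/gateway.
# Usages the OpsMgr Connector requires (Event 20049 lists them):
$requiredKu  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
# EKU OIDs from the INF / advanced request: Server Authentication, Client Authentication
$requiredEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'

# What the INF line "KeyUsage=0xf0" actually requests (a superset of the two required bits):
# DigitalSignature (0x80), NonRepudiation (0x40), KeyEncipherment (0x20), DataEncipherment (0x10)
'INF KeyUsage=0xf0 decodes to: {0}' -f [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]0xf0

# FQDN as the Health Service sees it; on a workgroup host this relies on the primary DNS suffix (assumption)
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ipProps.DomainName) { '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName } else { $ipProps.HostName }

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    # Both required Key Usage bits must be set; a missing extension fails too (Event 20049)
    if (-not $ku -or (($ku.KeyUsages -band $requiredKu) -ne $requiredKu)) {
        $problems += 'Key Usage lacks Digital Signature and/or Key Encipherment (Event 20049)'
    }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($oid in $requiredEku) {
        if ($ekuOids -notcontains $oid) { $problems += "Enhanced Key Usage missing $oid" }
    }
    # Subject CN must match the computer name, otherwise Event 20052 is logged
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $fqdn) { $problems += "Subject CN '$cn' does not match FQDN '$fqdn' (Event 20052)" }
    # The request must have been created for the local computer store so the private key is present
    if (-not $Cert.HasPrivateKey) { $problems += 'No private key in the local computer store' }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject
        Usable = ($problems.Count -eq 0); Problems = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate $_ } | Format-List
```

A certificate reported as Usable still has to chain to a CA that both the agent and MS1.india.com trust; this script only covers the usage, name and key checks the events in this thread describe.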

Hi Roger

Which location do I need to create this INF configuration file in?

Donald D'souza (http://donald-scom.blogspot.com/)
May 10th, 2012 2:21pm

This file would be used if you Obtain a Certificate Using Windows Server 2008 Stand-Alone CA, but in your case it is Windows Server 2003. However you can take Roger's note here:

In: How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA, go to "To request a certificate from a stand-alone CA", Step 6 >> D, and make sure you are using the FQDN.

Regards,
Mazen Ahmed
May 10th, 2012 2:31pm

Hi Donald

You don't need to use an inf file unless the agent doesn't have access to the certificate server. Just follow the documentation on the Management Server \ Gateway \ Agent about connecting to the certificate server using Internet Explorer and requesting the certificate.

To request a certificate from a stand-alone CA - http://technet.microsoft.com/en-us/library/bb735417
1. Log on to the computer where you want to install a certificate (for example, the gateway server or management server).
2. Start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).

If the agent doesn't have access to the certificate server then let us know. I have done an overview here of using certreq with an inf file: http://systemcentersolutions.wordpress.com/2009/11/21/what-if-agent-cant-access-certificate-server/

Cheers
Graham

Regards Graham
New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
May 11th, 2012 3:10am
