For a complex environment I had to create Certificate Signing Request files (CSRs) using this method, section Request OpsMgr Certificate. So far so good. The certificates created from those CSRs worked as expected, except for the SCOM Gateway Server.
One of the fixes is to create a NEW certificate, based on a new CSR. But before doing that one might try to repair the store first, based on this posting.
And YES we’re in business. After this the SCOM Gateway Server connected properly to the SCOM MS servers and all was okay again.
Whenever SCOM can’t load the certificate because the private key is missing, try to fix it first before creating a new certificate. It saves you a lot of time.
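One way to run that check and repair from an elevated PowerShell prompt, as an added example that is not from the original post or the posting it links to. It assumes the certificate sits in the Local Computer Personal store (`Cert:\LocalMachine\My`) and that the repair is done with `certutil -repairstore`; the function names are hypothetical.

```powershell
# Added example. Assumption: the SCOM certificate is installed in
# Cert:\LocalMachine\My and the private key from the original CSR still
# exists on this machine (the repair cannot recreate a key that is gone).

function Get-CertWithoutPrivateKey {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    # List certificates that Windows cannot link to a private key.
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, SerialNumber, NotAfter
}

function Repair-CertPrivateKeyLink {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,
        [string]$StoreName = 'My'
    )
    # certutil looks for a key container matching the certificate's public
    # key and re-associates the two in the store.
    & certutil.exe -repairstore $StoreName $SerialNumber
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE"
    }

    # Verify the result instead of trusting the exit code alone.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.SerialNumber -eq $SerialNumber }
    if (-not $cert) {
        throw "No certificate with serial number $SerialNumber in $StoreName"
    }
    if (-not $cert.HasPrivateKey) {
        throw 'Private key still missing: the CSR was probably generated on another machine.'
    }
    $cert
}

# Step 1: see which certificates have no private key attached.
Get-CertWithoutPrivateKey | Format-Table -AutoSize

# Step 2: repair one of them, using a serial number from the list above.
# Repair-CertPrivateKeyLink -SerialNumber '<serial number from step 1>'
```

If the second function reports that the key is still missing, the key pair was never on this server, and a new CSR generated on the server itself is the remaining option.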