Issue
For a complex environment I had to create Certificate Signing Request files (CSRs) using this method, section Request OpsMgr Certificate. So far so good. The certificates created from those CSRs worked as expected, except for the one on the SCOM Gateway Server.
Somehow there was NO private key, and therefore SCOM didn't load this certificate, throwing Event ID 20077:
And indeed, in the Certificate snap-in there was NO private key attached to this certificate:
(Please note: the golden key, which depicts the private key, is missing from the certificate icon.)
And:
(Normally there is a line of text about the private key at the position of the yellow question mark.)
Fix
One of the fixes is to create a NEW certificate, based on a new CSR. But before doing that, one might try to repair the store first, based on this posting. Keep in mind that a store repair (certutil -repairstore) can only re-link the certificate to a private key that still exists in a key container on that machine; if the key pair was never generated there, a new CSR is needed anyway.
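The repair step described above, written out as a PowerShell script. This is an added example, not code from the original post or from the SSL Support Desk posting. It assumes an elevated prompt on the SCOM Gateway Server, that the affected certificate lives in the local machine's Personal store (Cert:\LocalMachine\My), and that the SCOM agent service is named HealthService; the parameter names and the script name in the usage note are my own.

```powershell
# Added example (not from the original post): list certificates in the local
# machine's Personal store that have no private key attached, try to re-link
# the key for one thumbprint with certutil -repairstore, verify the result and
# optionally bounce the Health Service so SCOM reloads the certificate.
# Assumptions: run from an elevated PowerShell prompt; -Thumbprint is the
# thumbprint of the 'broken' certificate as shown in the Certificates MMC.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,
    [switch]$RestartHealthService
)

# Thumbprints copied from the MMC often carry spaces; normalise them.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$storePath  = 'Cert:\LocalMachine\My'

# 1. Report every certificate in the store that lacks a private key
#    (the 'missing golden key' state from the MMC).
Write-Host "Certificates in $storePath without a private key:"
Get-ChildItem $storePath |
    Where-Object { -not $_.HasPrivateKey } |
    ForEach-Object { Write-Host ("  {0}  {1}" -f $_.Thumbprint, $_.Subject) }

# 2. Check the certificate we were asked to repair.
$cert = Get-Item "$storePath\$Thumbprint" -ErrorAction Stop
if ($cert.HasPrivateKey) {
    Write-Host "Certificate $Thumbprint already has a private key; nothing to repair."
    return
}

# 3. certutil -repairstore re-links the certificate to a key container that
#    still exists on this machine. It cannot create a key that was never
#    generated here (for example a CSR produced on another host); in that
#    case a new CSR and a new certificate are required.
certutil.exe -repairstore my $Thumbprint
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE"
}

# 4. Re-read the certificate; the object fetched earlier is not refreshed in place.
$cert = Get-Item "$storePath\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Repair ran, but the private key is still missing; request a new certificate from a new CSR."
}
Write-Host "Private key restored for $($cert.Subject)."

# 5. Optionally restart the Health Service and look for Event ID 20077
#    (the event the post shows when the certificate cannot be loaded).
#    No new 20077 after the restart means the certificate loaded.
if ($RestartHealthService) {
    Restart-Service -Name HealthService -Force
    Start-Sleep -Seconds 10
    Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20077 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Format-List TimeCreated, Message
}
```

Saved as, say, Repair-ScomCertKey.ps1, it is run as `.\Repair-ScomCertKey.ps1 -Thumbprint <thumbprint> -RestartHealthService` from an elevated prompt. The script deliberately re-reads the certificate from the store after the repair rather than trusting certutil's "CertUtil: -repairstore command completed successfully" output, since that message only confirms the command ran, not that the MMC now shows the key.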
Results
So based on that posting I ran the RepairStore command using the thumbprint of the ‘broken’ certificate. The feedback I got was good:
Time to refresh the certificate MMC, and YES it worked:
(Please note: the golden key, which depicts the private key, is 'back' in the certificate icon.)
And:
(Yes, the line of text about the private key is ‘back’.)
Let’s bounce the Health Service and see whether the certificate is REALLY okay now:
And YES we’re in business. After this the SCOM Gateway Server connected properly to the SCOM MS servers and all was okay again.
Recap
Whenever SCOM can't load a certificate because its private key is missing, try to repair the store first before requesting a new certificate. It saves a lot of time.
A BIG thanks to…
SSL Support Desk for their posting which helped me to solve this issue. Awesome!