Rare gateway / certificate issue – Event 20077 – the certificate cannot be queried for property information


I was installing a gateway in a locked down DMZ environment today, and ran across an issue getting my certificates to work.

My DMZ based gateway has NO access to browse the Enterprise CA’s website, so I had to request and issue my certificates, and export them all manually.  When trying to use the certificate for the GW – I was getting this event during Health Service startup in the OpsMgr log:

Event Type:    Error
Event Source:    OpsMgr Connector
Event Category:    None
Event ID:    20077
Date:        2/5/2011
Time:        1:48:35 PM
User:        N/A
Computer:    DMZGW1
Description:
The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication, because the certificate cannot be queried for property information.  The specific error is 0x80092004(%3).
This typically means that no private key was included with the certificate.  Please double-check to ensure the certificate contains a private key.

I was using the following documentation:

How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007

 

The only difference was – I could not submit the request and directly import the issued certificate from the machine in the DMZ. Instead I used my desktop to submit the request to the CA and then downloaded a copy of the issued certificate, which came as a .CER file. A .CER carries only the public certificate; the private key stays in the key store of the machine where the request was generated.

It imported just fine into the computer Personal store – but would not work – giving the error event above: the imported certificate had not been linked to the private key in the gateway's key store, which is what the repair below fixes.

 

After a little digging, I found an internal article with the following resolution:

  • Open the Certificates MMC snap-in for the "Computer account" (certmgr.msc on its own opens the current user's store, not the computer's).
  • Double click the certificate in question.
  • Go to the "Details" tab.
  • Scroll down to the "Thumbprint" field.
  • Copy the value and paste it into a text editor like Notepad. It typically looks like this:
    fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be
  • From an elevated command prompt, run certutil.exe -repairstore My "thumbprint"
  • In the above example the command would look like this:
    certutil.exe -repairstore My "fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be"
  • Once this is done, on opening the certificate you should see the text "You have a private key that corresponds to this certificate."

After doing this – sure enough – I verified that the certificate in my computer Personal store now shows the expected "You have a private key that corresponds to this certificate" message.


Now – I had to re-import my trusted root certificate chain, and bounce the Health Service on the Gateway, and it all worked perfectly.
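The repair and restart steps above, as an added PowerShell example that is not from the original post: it finds the certificate by thumbprint in the computer's Personal store, reports whether Windows can see a private key for it, runs certutil -repairstore only when the key is missing, re-checks the result, and then bounces the Health Service and looks for a fresh event 20077. The thumbprint is the one quoted above and must be replaced with your own; the script strips spaces and any non-hex character so a stray character pasted from the certificate dialog does not break the lookup. The service name HealthService and the "Operations Manager" event log name are the OpsMgr 2007 defaults, and the 30-second wait is an arbitrary choice. One caveat the post does not spell out: -repairstore can only re-link a private key that already exists in this machine's key store, i.e. when the request was generated on the gateway; if the request was generated elsewhere, the key is not here at all and the fix is a .pfx export (with private key) from the machine that holds it.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the gateway.
# Replace the thumbprint (quoted from the post above) with the one from your own certificate.
$Thumbprint = 'fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be'

# Normalise: drop spaces and any stray non-hex character the certificate dialog may have
# put on the clipboard (a hidden leading mark shows up as '?' and breaks certutil's lookup).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters after cleanup, got $($Thumbprint.Length)"
}

function Get-GatewayCert {
    # Re-read from the store every time; a cached object will not reflect a repair.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

$cert = Get-GatewayCert
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
Write-Output "Subject:                     $($cert.Subject)"
Write-Output "HasPrivateKey before repair: $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    # certutil searches the machine key store for the key pair matching this certificate
    # and writes the link back into the certificate's store entry. It can only succeed if
    # the request (and therefore the key pair) was generated on this machine.
    & certutil.exe -repairstore My $Thumbprint
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit code $LASTEXITCODE)" }

    $cert = Get-GatewayCert
    if (-not $cert.HasPrivateKey) {
        throw "Still no private key: the key pair is not on this machine. Export a .pfx (with private key) from the machine that generated the request and import that instead."
    }
    Write-Output "HasPrivateKey after repair:  $($cert.HasPrivateKey)"
}

# Bounce the Health Service (display name "System Center Management") so it re-reads the
# certificate, then check whether event 20077 comes back in the Operations Manager log.
$restartedAt = Get-Date
Restart-Service -Name HealthService -Force
Start-Sleep -Seconds 30   # assumed settle time; adjust for your environment

$again = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20077; StartTime = $restartedAt } `
                      -ErrorAction SilentlyContinue
if ($again) {
    Write-Warning "Event 20077 logged again after restart: $($again[0].Message)"
} else {
    Write-Output "No new event 20077 since the Health Service restart."
}
```

If the script throws at the "Still no private key" step, the certificate in the store is an orphan and no amount of re-importing the .CER will help; go back to whichever machine ran certreq (or holds the .pfx) and bring the key over with the certificate.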

 

I don’t expect this to be a common issue, but figured it worthy of writing up in case others run into this situation.

Comments (10)

  1. Anonymous says:

    You describe a false path, the path is correct – support.microsoft.com/…/889651   🙂

  2. Anonymous says:

    Thank you Kevin. Solved my problem. Took me a couple of hours though to find this thread.

  3. Anonymous says:

    I did run the certreq for the inf on the gateway.  Then I copied that file to my workstation to process, then copied the cert back to the GW.  So I don't think that's it.

  4. Tom_Floor says:

    Thanks, this solved my problem on an old 2003 gateway server 🙂

  5. VaH says:

    I think the thumbprint is not correct because you made the request CertReq –New –f RequestConfig.inf CertRequest.req not on the GW machine, so it created the request with the wrong thumbprint

    I had Related problems too

  6. Rob Boulter says:

    Hi Kevin,  Thanks for posting.  You saved my day and probably my IT contract!

  7. Jason Botine says:

    This was a life saver! I was racking my brain trying to get the servers in our DMZ to connect. I was able to get a few to connect but not others.

  8. John2R says:

    I also found this error message when the gateway OS version (prob. certreq.exe) is older than the requesting workstation or CA server. In this case, import to the W2008R2 personal cert store and export as .pfx. Import the .pfx into the gateway cert store,
    then MOMCertImport. The older versions appear to ignore the private key in .cer files.

  9. SRee says:

    Thanks Kevin, this resolved my problem with cross domain agent.

  10. Stephen Owen says:

    If you’re getting an ‘File not found’ error, be sure that your copy and paste didn’t accidentally add a question mark to the field, like mine did!