Rare gateway / certificate issue – Event 20077 – the certificate cannot be queried for property information

I was installing a gateway in a locked down DMZ environment today, and ran across an issue getting my certificates to work.

My DMZ based gateway has NO access to browse the Enterprise CA’s website, so I had to request and issue my certificates, and export them all manually.  When trying to use the certificate for the GW – I was getting this event during Health Service startup in the OpsMgr log:

Event Type:    Error 
Event Source:    OpsMgr Connector 
Event Category:    None 
Event ID:    20077 
Date:        2/5/2011 
Time:        1:48:35 PM 
User:        N/A 
Computer:    DMZGW1 
Description: 
The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication, because the certificate cannot be queried for property information.  The specific error is 0x80092004(%3). 
This typically means that no private key was included with the certificate.  Please double-check to ensure the certificate contains a private key.

I was using the following documentation:

How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007

The only difference was – I could not submit the request and directly import it using the machine in the DMZ.  Instead I was using my desktop to submit the request to the CA, and then download a copy of it.  This downloaded copy was a .CER file.

It imported just fine in the computer personal store – but would not work – giving the error event above.

After a little digging, I found an internal article with the following resolution:

• Open certmgr for “Computer account” in MMC as a snap-in.
• Double click on the certificate in question.
• Go to “Details” tab.
• Scroll down till you find the “Thumbprint” section.
• Copy the information and paste in a text editor like notepad which typically looks like below:

• fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be

• certutil.exe -repairstore My “thumbprint”
• In the above example the command would look like this:
• certutil.exe -repairstore My “fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be”
• Once this is done, On opening the certificate, we should see the text as “you have a private key that corresponds to this certificate.”

After doing this – sure enough – I verified that the certificate in my computer personal store now has the correct “You have a private key that corresponds to this certificate”

Now – I had to re-import my trusted root certificate chain, and bounce the Health Service on the Gateway, and it all worked perfectly.

I don’t expect this to be a common issue, but figured it worthy of writing up in case others run into this situation.