
Rare gateway / certificate issue – Event 20077 – the certificate cannot be queried for property information

I was installing a gateway in a locked down DMZ environment today, and ran across an issue getting my certificates to work.

My DMZ-based gateway has no access to browse the Enterprise CA's website, so I had to request and issue my certificates and export them all manually. When I tried to use the certificate for the gateway, I got this event during Health Service startup in the OpsMgr log:

Event Type:    Error 
Event Source:    OpsMgr Connector 
Event Category:    None 
Event ID:    20077 
Date:        2/5/2011 
Time:        1:48:35 PM 
User:        N/A 
Computer:    DMZGW1 
Description: 
The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication, because the certificate cannot be queried for property information.  The specific error is 0x80092004(%3). 
This typically means that no private key was included with the certificate.  Please double-check to ensure the certificate contains a private key.

I was using the following documentation:

How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007


The only difference was that I could not submit the request and directly import the result on the machine in the DMZ. Instead I used my desktop to submit the request to the CA and then downloaded a copy of the issued certificate. This downloaded copy was a .CER file, which holds only the public certificate; the private key generated with the request stays in the key container on the machine that created the request.

It imported just fine into the computer's Personal store, but it would not work, giving the error event above.


After a little digging, I found an internal article with the following resolution:

  • Open certmgr for "Computer account" in MMC as a snap-in.
  • Double-click the certificate in question.
  • Go to the "Details" tab.
  • Scroll down until you find the "Thumbprint" field.
  • Copy the value and paste it into a text editor like Notepad; it typically looks like this:
    fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be
  • Run certutil.exe -repairstore My "thumbprint"
    In the above example the command would look like this:
    certutil.exe -repairstore My "fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be"
  • Once this is done, on opening the certificate you should see the text "You have a private key that corresponds to this certificate."
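The check-and-repair sequence above as an added PowerShell example (not code from the original post): it normalizes the thumbprint copied from the Details tab, tests whether the certificate in the computer's Personal store is bound to its private key, runs certutil -repairstore only when it is not, re-checks, and then confirms the issuing chain builds on this machine. The helper name Get-StoreCert is an assumption for illustration; run it from an elevated prompt because it touches the LocalMachine store.

```powershell
# Added example, not from the original post. Re-associates a certificate in the
# computer Personal store with its private key via certutil -repairstore.
# Requires an elevated PowerShell prompt (LocalMachine\My is being modified).
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # as copied from the Details tab; spaces are allowed
)

# Normalize: drop whitespace and the invisible left-to-right mark that the MMC
# Details tab sometimes prepends to a copied value, then upper-case it.
$clean = ($Thumbprint -replace '[\s\u200e]', '').ToUpper()
if ($clean -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint '$Thumbprint' did not normalize to 40 hex digits (got '$clean')."
}

function Get-StoreCert([string]$hash) {
    # Hypothetical helper: re-read the store on every call so the post-repair
    # check reflects the current state rather than a cached object.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
}

$cert = Get-StoreCert $clean
if (-not $cert) {
    throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My; import the .CER first."
}

if ($cert.HasPrivateKey) {
    Write-Host "OK: '$($cert.Subject)' is already bound to a private key."
} else {
    Write-Host "'$($cert.Subject)' has no private key association; running certutil -repairstore..."
    # The comment on the post reports that Windows Server 2016 needed the
    # thumbprint without spaces, so the normalized form is passed here.
    & certutil.exe -repairstore My $clean | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE." }

    $cert = Get-StoreCert $clean
    if ($cert.HasPrivateKey) {
        Write-Host "Repaired: the private key is now linked to the certificate."
    } else {
        # The key pair only ever exists on the machine that built the request.
        Write-Warning "Still no private key: the request was not generated on this machine, so export a .PFX with the key from the machine that created it."
    }
}

# The post also had to re-import the trusted root chain; verify it builds here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Certificate chain does not build on this machine: $reasons"
}
```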


After doing this, sure enough, I verified that the certificate in my computer's Personal store now shows the expected "You have a private key that corresponds to this certificate."



Now I had to re-import my trusted root certificate chain and bounce the Health Service on the gateway, and it all worked perfectly.


I don’t expect this to be a common issue, but figured it worthy of writing up in case others run into this situation.

2 Comments

  1. Adam Hulek

    Thanks Kevin. Another helpful post 🙂
    In my case (Windows Server 2016) the thumbprint had to be with no spaces:
    certutil.exe -repairstore My "fb5ad6355084fd6ceccab8472a3694d66315d3be"
