We are running SCOM 2019 UR2. We have a Gateway Server setup in our DMZ. Currently we are monitoring 2 other servers just fine. I'm trying to add new servers to monitor and keep hitting a road block. Unfortunately the person that set this up before me never documented the process so I'm trying my best to piece things together.
Here are the steps that I'm doing. I'm hoping someone can figure out what I'm doing wrong.
First I generate the request file by Logging into the Management server that is domain joined. Going to MMC > Certificates > Local Computer > Personal.
Going to all tasks > advanced > Create new Request
Proceed without enrollment policy
Use defaults on the next page
Details > Properties
Under General tab I change the friendly name to servername
Under Subject tab I fill out subject name and alternative name (image 1 is what it looks like)
Under Extensions tab I keep everything default
Under Private Key tab I go to the key options section and change the key size to 2048 and make private key exportable
Once done I give the .req file to our security team, they burn the certs using a template that was used for the 2 previous DMZ server setups that work fine. Which means this template should work fine
Security team provides .cer which I import into the management server.
Once imported, I export the file as a PFX (image 2 is the options I select)
I transfer this PFX file along with all ROOT and CA certs, and the MOMCertImport.exe to the new DMZ server that I want to monitor
I install the PFX using MMC, and confirm all ROOT and CA certs are listed in the Trusted Root Certification Authorities
Then I run the MOMCertImport on the pfx file that I generated. (image 3 is out)
After doing all this I get a few errors in the event log. They are listed below.
Event ID 20069 - The specified certificate could not be loaded because the KeySpec must be AT_KEYEXCHANGE
Event ID 21007 - The OpsMgr Connector cannot create a mutually authenticated connection to gatewayservername because it is not in a trusted domain.
Event ID 21016 - OpsMgr was unable to set up a communications channel to gatewayservername and there are no failover hosts. Communication will resume when gatewayservername is available and communication from this computer is allowed.
If you need any other info let me know!