CMG Certificate

Eugene Verheem 51 Reputation points
2022-04-18T09:44:33.11+00:00

Hi,

I have run into an issue and need some help please. Our CMG cert is expiring soon and I will need to replace it with another one. I have received the new cert, but as soon as I try to load it to the CMG Service I get the following error: "[ERROR] The service certificate does not have the key exchange capability." (also in the attachment).

The only difference between the current active cert and the new cert I'm trying to upload is that the new cert is a wildcard; both certs are from the same company we get our external certs from.

193881-cmg-cert-error1.png

We are still running a CMG Classic Service and the MECM version we are currently on is version 2107.

Any help would be greatly appreciated.

Thank you kindly.


Answer accepted by question author

Simon Ren-MSFT 40,386 Reputation points Microsoft External Staff
2022-04-22T09:18:41.223+00:00

Hi,

Thanks very much for your feedback. We're glad that the question is solved now. It would be appreciated if you could click "Accept Answer" on the helpful reply; this will help other users find useful information more quickly. Here's a short summary of the problem.

Problem/Symptom:
The new CMG certificate can't be loaded; it fails with the error "The service certificate does not have the key exchange capability." in MECM version 2107.

Solution/Workaround:
Run the command below to set the certificate's key spec to key exchange, then export it again with the private key:
    certutil -importpfx "Cert_Name.pfx" at_keyexchange

Thanks again for your time! Have a nice day!

Best regards,
Simon


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

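The error in this thread comes from the private key's KeySpec, not from the certificate itself, so it is worth checking the PFX before uploading it to the CMG. The following is an added example, not code from the thread or from Microsoft: a hypothetical Get-PfxKeySpec function that reports whether the key was stored as AT_KEYEXCHANGE, and applies the certutil fix from the accepted answer (and the reporter's follow-up) when it was not. It assumes Windows PowerShell 5.1 and a legacy CSP key in the PFX (CNG keys carry no CAPI KeySpec); the file paths are placeholders.

```powershell
# Added check (not from the thread): report the KeySpec of the private key in a
# PFX before uploading it to the CMG, which rejects keys imported as AT_SIGNATURE.
# Assumes Windows PowerShell 5.1 and a legacy CSP (not CNG) key in the PFX;
# the paths below are placeholders.
function Get-PfxKeySpec {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList $PfxPath, $Password, $flags
    if (-not $cert.HasPrivateKey) { throw "No private key found in $PfxPath" }

    $key = $cert.PrivateKey   # RSACryptoServiceProvider for CSP keys, $null for CNG keys
    if ($null -eq $key) {
        return [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                                  Provider = 'CNG (no CAPI KeySpec)'; KeySpec = 'n/a'; KeyExchange = $false }
    }
    $info = $key.CspKeyContainerInfo
    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Provider    = $info.ProviderName
        KeySpec     = $info.KeyNumber     # Exchange = AT_KEYEXCHANGE, Signature = AT_SIGNATURE
        KeyExchange = ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)
    }
}

# Usage: check the new wildcard cert before touching the CMG (placeholder path).
$pfxPath = 'C:\certs\cmg-wildcard.pfx'
$pfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'
$result  = Get-PfxKeySpec -PfxPath $pfxPath -Password $pfxPwd
$result | Format-List

if (-not $result.KeyExchange) {
    Write-Warning "Private key is not AT_KEYEXCHANGE; re-importing with certutil."
    # The fix from the thread: re-import into the user's Personal store with the
    # KeySpec forced to AT_KEYEXCHANGE (certutil prompts for the PFX password),
    # then export the re-keyed certificate together with its private key.
    certutil -user -importpfx $pfxPath AT_KEYEXCHANGE
    $fixed = Get-Item "Cert:\CurrentUser\My\$($result.Thumbprint)"
    Export-PfxCertificate -Cert $fixed -FilePath 'C:\certs\cmg-wildcard-kx.pfx' -Password $pfxPwd
}
```

Upload the exported cmg-wildcard-kx.pfx to the CMG; re-running Get-PfxKeySpec on it should now report KeyExchange = True.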

2 additional answers

  1. Eugene Verheem 51 Reputation points
    2022-04-22T08:27:49.287+00:00

    Thank you for all the replies. It looks like there is a bug with the current MECM version we are on, v2107. MS Support came back and I had to run a command to set the certificate to key_exchange; after running this command and exporting it out with the personal key, I did not receive the error when I tried loading it again. Here is the command if someone experiences the same issue: "certutil -importpfx "Cert_Name.pfx" at_keyexchange"


  2. Simon Ren-MSFT 40,386 Reputation points Microsoft External Staff
    2022-04-19T02:46:49.47+00:00

    Hi,

    Thanks for posting in Microsoft MECM Q&A forum.

    What version of Configuration Manager are you using? If you use a wildcard certificate, replace the asterisk (*) in the Service name field with the globally unique deployment name prefix for your CMG. Make sure the deployment name is globally unique in Azure for the cloud service and storage account. Refer to the official document:
    Use a public provider certificate

    Thanks for your time. Have a nice day!

    Best regards,
    Simon

