In this article, I’ll review SCOM Certificate Event ID 20049. This error event can be seen during an attempt to initiate mutual authentication across untrusted boundaries such as in a gateway or workgroup boundary scenario. In SCOM, certificates will need to be used for mutual authentication between the management servers and any gateway servers/ agents when Kerberos-based mutual authentication is not possible. If there’s an issue with the certificate, mutual authentication will fail, and one of the errors you could likely encounter is as shown below: The event detail reads: “The specified certificate could not be loaded because the key Usage specified does not meet OpsMgr requirements. The certificate must have the following usage types: Digital Signature, Key Encipherment.” This error is usually accompanied by other related events such as 21021, 21007, and perhaps, 21016.
Let me preface this by saying that this isn’t unique to SCOM 2016. I’ve seen similar certificate-related issues in previous iterations of SCOM.
Further review of the certificate in question shows some key fields are missing such as fields for Key Usage, Application policies,AIA and CDP information, etc.
SCOM-related certificate errors come in various forms, and could stem from various issues. In my experience, the error referenced above is usually an indication that the firstly, you’ve obtained the certificate from a Enterprise certification authority, and secondly, that the template from which the certificate is issued is improperly configured.
In a previous article, I explained in some detail, how to create a certificate template from a Enterprise CA. The article I’ve linked to is still a very good reference for how to address this issue, with a few modifications. Use the article in the link with the additional steps below.
In the properties of your certificate template:
- Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Edit.
- In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove (if that option is selected)
- Click Add, and in the Application policies list, select Client Authentication and Server Authentication, and then click OK.
- Click the Extensions tab, and in Extensions included in this template, click Key Usage, and then click Edit.
- In the Key Usage dialog box, in the Signature section, check the Digital Signature check box and in the Encryption section, check the radio button to Allow key exchange only with key encryption (key encipherment), and then click Ok.
You can now proceed with the other steps as described in the article linked to above. After configuring template properties for Request handling, Cryptography, Security, etc, you can proceed to added the template to the certificates templates folder to make it available for use in the web enrollment pages, and with certificate requests.