Gateway Servers Cert Issue after renew

Hi all,

I received an alert stating that my gateway/management server certs expired. I created a new cert and imported into the personal cert stores. I then deleted the old cert under operations manager and replaced it using momcertimport with the new personal cert. After which, my gateway server is no longer communicating with my management server? Not sure what to do next. Certs are setup same as prior, no change, other than new certs replacing the old.

Thanks ahead of time,


1 Like

Do you see any error in the operations manager log on the management server and the scom server?

I had an issue where the cert did not contain the cn in the subject alternative name field.

Restart the Microsoft Monitoring Agent on the Gateway Server and check for the following INFORMATIONAL events (they are not errors \ warnings) in the Operations Manager event log:

  • Look for event id 20052 on the agent stating that the “Specified certificate could not be loaded because the subject name on the certificate does not match the local computer name”.
    • It might be that you have a typo in one of the configuration settings.
    • It might be that the registry didn't update correctly with the certificate thumbprint (cross reference this to the certificate although note that it will be "back to front" in the certificate:
  • Look for event id 20053 after running MomCertImport – this indicates the cert was loaded properly.


1 Like

It was a simple resolution. Our documentation for the cert name did not include the Domain name due to the gateway server being in an un-trusted DMZ with no domain. All I missed was adding the domain name on the certificate for the management servers.

This should resolve the issue - a restart of the agent is required in order for it to pick up the new certificate.

Is this still an issue or has it been resolved? The other problem you might have faced is if you have changed your Certificate Services infrastructure. I have come across a few occasions when SCOM was originally deployed with a standalone certificate server but over time the SCOM team had to fall in line with the company standards and use the Domain certificate services. This would mean updating all the certificates.