Issue
The SSL certificate used for Service Communications needed to be replaced as it was about to expire.
A CSR had been generated, signed and issued by a Public Certificate Authority, and was installed on the ADFS server.
When trying to change (set) the Service Communications Certificate I was faced with the following error:
The certificate with the specified thumbprint XXXX has a Cryptography Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
The CSR was generated using the Certificates MMC (custom request), with Template: CNG key.
It should have been generated using Template: Legacy Key.
Resolution
Using OpenSSL, convert the original PKCS #12 file containing the private key and certificates to PEM. The -nodes option writes the private key into the PEM file unencrypted.
openssl.exe pkcs12 -in C:\Temp\newcert.pfx -out C:\Temp\newcert.pem -nodes
Then convert the PEM certificate file and private key to PKCS #12.
openssl.exe pkcs12 -export -in C:\Temp\newcert.pem -out
Import the certificate, and then set the Service Communications Certificate.
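A check that can be run after the import and before setting the Service Communications Certificate, to confirm the re-imported key no longer sits in a CNG provider. This is an added example, not part of the original post. It assumes English-language certutil output with a "Provider = <name>" line, classifies providers by name only, and uses hypothetical function names.

```powershell
# Added example. Function names are hypothetical; the sample output lines are constructed.
function Get-KeyProviderType {
    param([Parameter(Mandatory)][string[]]$CertutilOutput)

    $provider = $null
    foreach ($line in $CertutilOutput) {
        # certutil prints the key provider as "Provider = <name>" (English output assumed)
        if ($line -match '^\s*Provider\s*=\s*(.+?)\s*$') {
            $provider = $Matches[1]
            break
        }
    }

    # Name-based classification (assumption): CNG providers are Key Storage Providers,
    # legacy CryptoAPI CSPs carry "Cryptographic Provider" in their name.
    if (-not $provider) {
        $keyType = 'NoProviderLine'   # no private key associated, or unexpected output
    }
    elseif ($provider -match 'Key Storage Provider|^Microsoft Platform Crypto Provider$') {
        $keyType = 'CNG'
    }
    elseif ($provider -match 'Cryptographic Provider') {
        $keyType = 'LegacyCSP'
    }
    else {
        $keyType = 'Unknown'          # third-party provider: check its documentation
    }

    [pscustomobject]@{ Provider = $provider; KeyType = $keyType }
}

function Get-StoreCertKeyType {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Reads the certificate from the LocalMachine\My store; run elevated on the ADFS server.
    Get-KeyProviderType -CertutilOutput (& certutil.exe -store My $Thumbprint)
}

# Offline demonstration on constructed certutil output lines
$cngSample    = @('  Key Container = <constructed>', '  Provider = Microsoft Software Key Storage Provider')
$legacySample = @('  Key Container = <constructed>', '  Provider = Microsoft Enhanced Cryptographic Provider v1.0')
Get-KeyProviderType -CertutilOutput $cngSample
Get-KeyProviderType -CertutilOutput $legacySample

# On the server: Get-StoreCertKeyType -Thumbprint '<thumbprint>'
# Continue with Set-AdfsCertificate -CertificateType Service-Communications only when KeyType is LegacyCSP.
```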