ADFS: The certificate with the specified thumbprint XXXX has a Cryptography Next Generation (CNG) private key. 

Issue

The SSL certificate used for Service Communications needed to be replaced as it was about to expire.

A CSR had been generated, signed and issued by a Public Certificate Authority, and was installed on the ADFS server.

When trying to change (set) the Service Communications Certificate I was faced with the following error:

The certificate with the specified thumbprint XXXX has a Cryptography Next Generation (CNG) private key.  The certificates with the CNG private key are not supported.  Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.

[Screenshot: ADFSCertIssue1]

The CSR was generated using the Certificates MMC (custom request), with Template: CNG key.

[Screenshot: ADFSCertIssue4]

It should have been generated using Template: Legacy Key, which stores the key pair under a legacy Cryptographic Service Provider (CSP) rather than a CNG Key Storage Provider.

[Screenshot: ADFSCertIssue5]

Resolution

Using OpenSSL, convert the original PKCS #12 file containing the private key and certificates to PEM. Note that -nodes writes the private key to the PEM file unencrypted, so keep the file on the ADFS server only for the duration of the conversion and delete it afterwards.

openssl.exe pkcs12 -in C:\Temp\newcert.pfx -out C:\Temp\newcert.pem -nodes

Then convert the PEM certificate file and private key back to PKCS #12 (OpenSSL prompts for an export password). The PFX produced by OpenSSL carries no CNG key storage provider attribute, so when Windows imports it the private key is placed under a legacy CSP, which is what ADFS requires.

openssl.exe pkcs12 -export -in C:\Temp\newcert.pem -out

[Screenshot: ADFSCertIssue2]

Import the new PFX into the local machine Personal store, confirm that certutil -store My <thumbprint> now reports a Provider line naming a legacy CSP (for example "Microsoft Enhanced RSA and AES Cryptographic Provider") instead of "Microsoft Software Key Storage Provider", and then set the Service Communications Certificate.
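A quick way to confirm which key storage a certificate's private key uses, both before trying to set it in ADFS and again after importing the converted PFX. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 on an English-language ADFS server (certutil's output labels are localized), and the function name Get-PrivateKeyProvider is mine.

```powershell
# Added example: classify a certificate's private key as CNG (Key Storage Provider)
# or legacy CSP by reading the "Provider =" line that certutil prints for the key.
# Assumes English certutil output and the LocalMachine store that ADFS reads from.
function Get-PrivateKeyProvider {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StoreName = 'My'
    )
    # Thumbprints copied from the MMC often contain spaces or an invisible leading character
    $Thumbprint = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()

    $cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in LocalMachine\$StoreName"
    }

    # certutil only prints a Provider line when a private key is present
    $output = certutil.exe -store $StoreName $Thumbprint
    $match  = $output | Select-String -Pattern '^\s*Provider\s*=\s*(.+?)\s*$' |
        Select-Object -First 1
    $provider = if ($match) { $match.Matches[0].Groups[1].Value } else { $null }

    # CNG providers are named "... Key Storage Provider" (or the TPM-backed
    # "Microsoft Platform Crypto Provider"); legacy CAPI providers are
    # named "... Cryptographic Provider"
    $isCng = $provider -match 'Key Storage Provider|Platform Crypto Provider'
    $keyType = if (-not $provider) { 'none (no private key)' }
               elseif ($isCng)     { 'CNG (rejected by ADFS)' }
               else                { 'Legacy CSP (accepted by ADFS)' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        Provider      = $provider
        KeyType       = $keyType
    }
}

# Usage: replace the placeholder with the thumbprint quoted in the ADFS error message
Get-PrivateKeyProvider -Thumbprint '<THUMBPRINT>' | Format-List
```

Run it against the freshly installed certificate to see the CNG provider that triggers the error, then against the re-imported PFX to verify the key now sits under a legacy CSP before changing the ADFS certificate.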
