Active Directory Federation Services – Certificate Error ‘CNG Key’

KB ID 0001129


When installing the Active Directory Federation Services Role, you need to supply a certificate. I was running this up using a self-signed wildcard certificate when this happened:

ADFS Certificate Error CNG

The certificate with the specified thumbprint {thumbprint} has a Cryptographic Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.


I was generating a wildcard certificate using this method. By default it uses the CNG Key; you need to specify Legacy Key instead (I’ve updated the post mentioned above to point out where that’s done).

ADFS Legacy WildCard Cert
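
To check which kind of key a certificate has before pointing the AD FS wizard at it, the following added example (not part of the original article) reads the key provider from `certutil` and classifies it. The function name `Get-CertKeyProviderType` is hypothetical, and it assumes English-language `certutil` output and a certificate in the LocalMachine\My store.

```powershell
# Added example: report whether a certificate's private key is held by a CNG
# Key Storage Provider (rejected by the AD FS wizard) or a legacy CSP.
# Assumptions: English certutil output; certificate is in LocalMachine\My.
function Get-CertKeyProviderType {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint
    )

    # Keep hex digits only, so spaces or stray characters from copy/paste are dropped
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }

    # certutil prints a 'Provider = <name>' line when the certificate has a private key
    $output = & certutil.exe -store My $clean 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil could not read certificate $clean from LocalMachine\My."
    }

    $line = $output | Where-Object { $_ -match '^\s*Provider\s*=' } | Select-Object -First 1
    if (-not $line) {
        return [pscustomobject]@{ Thumbprint = $clean; Provider = $null; KeyType = 'NoPrivateKey' }
    }
    $provider = ($line -replace '^\s*Provider\s*=\s*', '').Trim()

    # Built-in CNG providers; any other name ending in 'Key Storage Provider'
    # is also treated as CNG. Everything else is reported as a legacy CSP.
    $cngProviders = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft Smart Card Key Storage Provider',
        'Microsoft Platform Crypto Provider'
    )
    $keyType = if (($cngProviders -contains $provider) -or ($provider -match 'Key Storage Provider$')) {
        'CNG'
    } else {
        'LegacyCSP'
    }

    [pscustomobject]@{ Thumbprint = $clean; Provider = $provider; KeyType = $keyType }
}

# Usage (placeholder thumbprint, replace with your own):
# Get-CertKeyProviderType -Thumbprint '<certificate thumbprint>'
```

A result of `CNG` means the certificate will trigger the error above and needs to be reissued with a legacy key.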

Author: PeteLong