Active Directory Federation Services – Certificate Error ‘CNG Key’

KB ID 0001129

Problem

When installing the Active Directory Federation Services Role, you need to supply a certificate. I was running this up using a self-signed wildcard certificate when this happened:

The certificate with the specified thumbprint {thumbprint} has a Cryptographic Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.

Solution

I was generating a wildcard certificate using this method. By default it uses the CNG Key; you need to specify ‘Legacy Key’ instead (I’ve updated the post mentioned above to point out where that’s done).

Related Articles, References, Credits, or External Links

NA

Certificate Services – Create a ‘Wildcard Certificate’

KB ID 0001128

Problem

Now you may be thinking, “If you have your own CA/PKI solution, why would you need to create a Wildcard Certificate?” If you can generate as many certificates as you want, what’s the point? Well, today I need to set up ADFS, WAG (Web Application Gateway), and Remote Desktop Services Gateway Server. To make the whole thing work on my test bench would be a lot less hassle if I could just use one certificate for everything!

Solution

Process carried out on Windows Server 2012 R2

Windows Key +R > MMC > {Enter} > File > Add/Remove Snap-in.

Certificates > Add.

Computer account > Next.

Local Computer > Finish.

OK.

Certificates > Personal > Right Click > All Tasks > Advanced Operations > Create Custom Request.

Proceed without enrolment policy > Next.

In nearly every case you can accept the default of ‘(No template) CNG Key’. However, some applications (particularly Active Directory Federation Services) need to use an older set of Cryptographic Service Providers (CSPs). If that is the case, change the option to ‘(No Template) Legacy Key’ > Next.

Details > Properties.

General Tab: Friendly Name > *.{your domain}.

Subject Tab: Ensure the Common Name (CN) is set to *.{your domain} > Enter the rest of your details as shown.

Extensions Tab: Add in Digital Signature and Key Encipherment.

Private Key: Key Size=4098 > Make private key exportable > Apply > OK.

Save the certificate request > Finish > Leave the Certificate console open (you will need it later).

Locate the certificate request you just saved > Open it with Notepad > Select ALL the text and copy it to the clipboard.

Open the web enrolment portal of your certificate services server (https://server.domain.com/certsrv) > Request a certificate.

Advanced Certificate Request.

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste in the Text > Certificate Template = Web Server > Submit.

Base 64 encoded > Download certificate.

Save the certificate, and change its name from certnew > Save.

Back in the certificate console > Right Click ‘Personal’ > All Tasks > Import.

Next.

Navigate to the certificate you have just saved.

Next.

Finish.

Hopefully.

Now this may seem a little odd, but having just imported the certificate, to get it in PFX format you need to export it again. Right click the cert > All Tasks > Export.

Next.

Yes, export the private key > Next.

Personal Information Exchange > Next.

Enter and re-type a password (You will need this to import the certificate so remember it) > Next.

Save it somewhere you can find it > Next.

Finish > OK.
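The same request the MMC wizard builds, scripted with certreq.exe so the ‘Legacy Key’ (CSP) choice is explicit, plus a check that tells a CNG key from a legacy CSP key before the certificate is handed to AD FS. This is an added example, not code from the original post; the domain, organisation, folder and template names are placeholders, and the key check assumes Windows PowerShell on .NET Framework.

```powershell
# Added example (not from the original post). Placeholders: domain, org, folder.
$Domain = 'example.com'          # placeholder: your AD domain
$Work   = 'C:\Certs'             # placeholder: working folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# ProviderName / ProviderType = 12 select a legacy CSP. The wizard default is the
# 'Microsoft Software Key Storage Provider', which is CNG and is what AD FS rejects.
# KeyUsage 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20).
@"
[NewRequest]
Subject = "CN=*.$Domain, O=Example Org, C=GB"
KeyLength = 4096
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
KeyUsage = 0xA0
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$Work\wildcard.inf" -Encoding ASCII

# Build the Base64 PKCS #10 request; paste its contents into /certsrv as above.
certreq.exe -new "$Work\wildcard.inf" "$Work\wildcard.req"

# After downloading the issued certificate as certnew.cer, bind it to the pending key
# (this is the equivalent of the Import step in the console):
# certreq.exe -accept "$Work\certnew.cer"

function Test-LegacyCspKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    # On Windows PowerShell (.NET Framework) GetRSAPrivateKey returns an
    # RSACryptoServiceProvider for CSP-held keys and an RSACng for KSP (CNG) keys.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $key) { throw "No accessible private key for $Thumbprint" }
    $key -is [System.Security.Cryptography.RSACryptoServiceProvider]
}

# Usage once the certificate sits in Local Computer\Personal (thumbprint is a placeholder):
# Test-LegacyCspKey -Thumbprint '<thumbprint>'   # True = legacy CSP key, False = CNG
# Export to PFX for AD FS, WAP and RD Gateway, as in the wizard's export step:
# Get-Item "Cert:\LocalMachine\My\<thumbprint>" |
#   Export-PfxCertificate -FilePath "$Work\wildcard.pfx" -Password (Read-Host -AsSecureString 'PFX password')
```

Run Test-LegacyCspKey against any existing certificate before pointing AD FS at it; `certutil -store My <thumbprint>` shows the same thing in its ‘Provider =’ line.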

Related Articles, References, Credits, or External Links

NA