Friday, June 6, 2014

The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.

ADFS and AD configuration is very easy these days with Azure Virtual Machine. I configured AD on Azure VM with Windows Server 2012 R2 and now was the turn to configure ADFS 3.0.
For this I was requiring a certificate. As this was development scenario I decided to choose self-signed certificate. Therefore I opened IIS and from Server Certificate option I created a self signed certificate and provided in configuration of ADFS.
The other way of generating self signed certificate is to use below command using Visual Studio Developer Tools in admin mode and following command to create certificate.-
makecert -sky exchange -r -n "CN=CertificateName" -pe -a sha1 -len 2048 -ss My "CertificateName.cer"

When I selected this certificate on ADFS Federation Configuration Wizard then I received an error as - The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
This problem is encountered because IIS or makecert command creates newer kind of certificate which is not compatible with ADFS. Therefore we need to provide Microsoft Strong Cryptographic Provider so as to generate compatible certificate. The way to generate compatible certificate is powershell command. First download the PowerShell command used for generation of certificate from the link -

Then I copied this .ps1 file to c:\kunal folder. Now open powershell window as admin mode and fire below commands in Powershell to generate the certificate .pfx file which would be compatible.

PS C:\kunal> . \New-SelfSignedCertificateEx

PS C:\kunal> New-SelfSignedCertificateEx -Subject "" -EKU "Server Authentication" -KeyUsage 0xa0 -StoreLocation "LocalMachine" -ProviderName "Microsoft Strong Cryptographic Provider" -Exportable

The generated certificate can be exported from Certificate store of local machine as described in the below link -

Use this certificate in ADFS configuration and you should be good go ahead.
In case above way of adding the script in Powershell .\New-SelfSignedCertificateEx do not work, you can simply import using Import-Module. Run below command - 
PS C:\kunal> Import-Module  .\New-SelfSignedCertificateEx
After this run above main command to create the certificate.

Hope this helps.


  1. Hi, great article :)

    However, I also have problems regarding the certificate: There is already a certificate in the local machine store with the cloudservice name, and the key is not exportable.

    When I execute the script mentioned in your article, nothing happens... The "old" certificate is still there with a non-exportable private key.

    (This is on all Azure VMs. They do all have a certificate with Server Authentication in the local machine store).

    Any ideas?

  2. Hi,

    I have the same problem, and that how I solved it:
    1) First of all, it's seems that you could perform import function not from every folder. Firstly I did it from D drive (I use Azure VM as well) and it has no effect. Then I move the script to the C:\Users\MyUserName folder .
    2) To import function, run . .\New-SelfSignedCertificateEx.ps1 instead of . .\New-SelfSignedCertificateEx . It mentions in in comments ( comment from Vadims Podans, August 07, 2015 )

    After those steps all work correctly.
    btw, great post!

    Thank you!

  3. You can't skip the step of running
    . .\New-SelfSignedCertificateEx

  4. I'd advise reviewing the providers before creating the certificate.