The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.


ADFS and AD configuration is very easy these days with an Azure Virtual Machine. I configured AD on an Azure VM running Windows Server 2012 R2, and the next step was to configure ADFS 3.0.
For this I needed a certificate. As this was a development scenario, I chose a self-signed certificate: I opened IIS, created one from the Server Certificates option, and supplied it in the ADFS configuration.
The other way to generate a self-signed certificate is to run the command below from the Visual Studio Developer Command Prompt in admin mode:
makecert -sky exchange -r -n "CN=CertificateName" -pe -a sha1 -len 2048 -ss My "CertificateName.cer"

When I selected this certificate in the ADFS Federation Configuration Wizard, I received the error - The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.
This problem occurs because IIS and the makecert command create a newer kind of certificate, one whose private key is held by CNG, which ADFS 3.0 does not accept. Therefore we need to use the Microsoft Strong Cryptographic Provider (a legacy CSP) to generate a compatible certificate. The way to do this is a PowerShell script. First download the PowerShell script used to generate the certificate from the link - https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6#content

Then I copied this .ps1 file to the c:\kunal folder. Now open a PowerShell window in admin mode and run the commands below to generate the certificate, which you can then export as a compatible .pfx file.

PS C:\kunal> . .\New-SelfSignedCertificateEx.ps1

PS C:\kunal> New-SelfSignedCertificateEx -Subject "CN=mycert.cloudapp.net" -EKU "Server Authentication" -KeyUsage 0xa0 -StoreLocation "LocalMachine" -ProviderName "Microsoft Strong Cryptographic Provider" -Exportable


The generated certificate can be exported from the certificate store of the local machine as described in the link below - http://sanganakauthority.blogspot.in/2012/02/install-certificate-in-local-computer.html


Use this certificate in the ADFS configuration and you should be good to go.
In case the above way of adding the script to the PowerShell session with .\New-SelfSignedCertificateEx does not work, you can simply import it using Import-Module. Run the command below -
PS C:\kunal> Import-Module .\New-SelfSignedCertificateEx.ps1
After this, run the main command above to create the certificate.
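Before opening the ADFS wizard it is useful to check which certificates in the store actually have a legacy CSP key and which have a CNG key. The script below is an added example, not part of the original post or the gallery script; it assumes Windows PowerShell 5.x on the .NET Framework, where X509Certificate2.PrivateKey returns an RSACryptoServiceProvider for CSP keys and returns $null (or throws) for CNG keys. The function name Get-AdfsKeyCompatibility is made up for this example.

```powershell
# Added example (not from the post): report, for each certificate with a private key in the
# given store, whether the key is held by a legacy CSP (accepted by ADFS 3.0) or by CNG (rejected).
# Assumes Windows PowerShell 5.x / .NET Framework semantics for X509Certificate2.PrivateKey.
function Get-AdfsKeyCompatibility {
    [CmdletBinding()]
    param(
        [string]$StorePath  = 'Cert:\LocalMachine\My',
        [string]$Thumbprint               # optional: restrict the report to one certificate
    )
    $certs = Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }
    if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

    foreach ($cert in $certs) {
        $provider = $null
        $keyType  = 'CNG'
        try {
            $key = $cert.PrivateKey
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # A CSP-backed key exposes its container info, including the provider name
                $provider = $key.CspKeyContainerInfo.ProviderName
                $keyType  = 'LegacyCSP'
            }
        } catch {
            # .NET Framework cannot open CNG-only keys through PrivateKey; treat as CNG
        }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            KeyType        = $keyType
            Provider       = $provider
            AdfsCompatible = ($keyType -eq 'LegacyCSP')
        }
    }
}

# Example run: list the certificates the ADFS 3.0 wizard will and will not accept
Get-AdfsKeyCompatibility | Format-Table Subject, KeyType, Provider, AdfsCompatible -AutoSize
```

A certificate created with the New-SelfSignedCertificateEx command above should show KeyType LegacyCSP and Provider "Microsoft Strong Cryptographic Provider"; the IIS-generated one shows KeyType CNG.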



Hope this helps.
Cheers...