I was investigating some strange certificate issues a while back when I ran across one that I had not seen before. I was attempting to configure a Lenovo T410 using the latest version of the SCS (8.1). I purchased a certificate from GoDaddy for my domain and everything appeared to be set up correctly. Here are a few screenshots of my setup:
I had DHCP set up correctly with option 15 matching my certificate CNAME DNS Suffix:
I had the SCS Service running under my amt\administrator account:
I was logged on my SCS server as amt\administrator:
I had my provisioning certificate installed in my “Current User” certificate store and I had the Private Key:
The certificate chained up to the correct GoDaddy CA with the correct thumbprint:
Everything looked great, until I tried to configure a client:
Hrmm, failed to get private key? But my certificate clearly shows that I have the key! Digging a bit more into what may be causing this issue, I found references to CNG, which is Cryptography API: Next Generation, which you can read about here.
Now when I originally created the CSR for the provisioning certificate, I used the Cert Snap-In in MMC. The first step in that process was to select a template to use:
Sure enough, it defaults to CNG Key. Doing a bit more research, I found out that provisioning certificates whose private key is stored by a CNG Key Storage Provider are not supported in our Setup and Configuration Software (SCS).
So to fix this, I just ended up creating a new CSR and selecting Legacy Key as my template. Then I went to my GoDaddy account and chose to “Re-Key” my certificate. After that I could once again provision my systems with SCS!
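As an added example (not from the original post), here is a scriptable equivalent of picking the Legacy Key template in the MMC wizard: it writes a certreq.exe INF file that forces the private key into a legacy CSP rather than a CNG Key Storage Provider and then generates the CSR. The subject name and key length are placeholders, and the specific provider name and type used here are my assumption about what the "Legacy Key" template selects, not something stated in the post.

```powershell
# Added example, not from the original post. Builds a CSR whose private key
# is created by a legacy CSP instead of a CNG Key Storage Provider, using the
# built-in certreq.exe tool. Run this as the account that should own the key
# (the post uses amt\administrator with the Current User store).

# Placeholder subject: replace with the CN/organization on your own certificate.
$Subject = 'CN=provisioning.example.com, O=Example Corp, L=City, S=State, C=US'
$InfPath = Join-Path $env:TEMP 'legacy-key-request.inf'
$CsrPath = Join-Path $env:TEMP 'legacy-key-request.csr'

# KeySpec=1 (AT_KEYEXCHANGE), ProviderType=12 and the RSA SChannel CSP name are
# what selects a legacy CSP key; a CNG KSP is never involved. These provider
# values are an assumption about what the MMC "Legacy Key" template uses.
# MachineKeySet=FALSE puts the key in the Current User store, matching the post.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
"@

Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Creates the key pair in the legacy CSP and writes the PKCS#10 request.
# Submit the resulting .csr to the CA (or use it for a GoDaddy "Re-Key").
certreq.exe -new $InfPath $CsrPath

if ($LASTEXITCODE -eq 0) {
    Write-Host "CSR written to $CsrPath"
} else {
    Write-Warning "certreq.exe failed with exit code $LASTEXITCODE"
}
```

After the CA returns the issued certificate, install it with certreq.exe -accept in the same user context so it is bound to the legacy-CSP key that this request created.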
So if you are seeing a similar issue to the one above, there is an easy way to find out if the cert template you selected was a CNG template:
On the server where you have the cert installed, just open the certificate, then use the details tab to copy it out to a file. Once you have the file run this command against it:
If you see “Microsoft Software Key Storage Provider” it is a CNG cert, and you may have issues with SCS.
What you want to see is a cert that uses the Legacy Key template:
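The check above can also be done without exporting anything, straight from the store. The following PowerShell is an added example (not from the original post or from SCS) that inspects every certificate in the Current User Personal store that has a private key and reports whether the key is held by a CNG Key Storage Provider or by a legacy CSP; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and relies only on the .NET X509 APIs.

```powershell
# Added example, not from the original post. For each certificate in the
# Current User "Personal" store, report whether its private key lives in a
# CNG Key Storage Provider (the case SCS does not support) or a legacy CSP.

function Get-PrivateKeyStorageInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $result = [ordered]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            KeyStorage = 'NoPrivateKey'
            Provider   = $null
        }

        if ($Certificate.HasPrivateKey) {
            try {
                # GetRSAPrivateKey returns an RSACng object when the key is in a
                # CNG KSP and an RSACryptoServiceProvider when it is in a legacy
                # CSP; it returns $null for non-RSA (e.g. ECDSA) keys.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)

                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $result.KeyStorage = 'CNG'
                    # Typically "Microsoft Software Key Storage Provider"
                    $result.Provider   = $rsa.Key.Provider.Provider
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $result.KeyStorage = 'LegacyCSP'
                    # e.g. "Microsoft RSA SChannel Cryptographic Provider"
                    $result.Provider   = $rsa.CspKeyContainerInfo.ProviderName
                } else {
                    $result.KeyStorage = 'NonRSA'
                }
            } catch {
                # The store says a key exists, but it could not be opened
                # (missing key file, no permission on the key, wrong account).
                $result.KeyStorage = 'KeyAccessFailed'
                $result.Provider   = $_.Exception.Message
            }
        }

        [pscustomobject]$result
    }
}

# Run as the account SCS uses (amt\administrator in the post) so the same
# key permissions apply; rows showing 'CNG' are the ones SCS will reject.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Get-PrivateKeyStorageInfo |
    Format-Table Subject, KeyStorage, Provider -AutoSize
```

A row reporting KeyStorage of CNG with "Microsoft Software Key Storage Provider" is the situation that produced the "failed to get private key" error above; KeyAccessFailed usually means the script is running under a different account than the one that created the key.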
Now we are set up and ready to configure!