I was investigating some strange certificate issues a while back when I ran across one that I had not seen before. I was attempting to configure a Lenovo T410 using the latest version of the SCS (8.1). I purchased a certificate from GoDaddy for my domain and everything appeared to be set up correctly. Here are a few screenshots of my setup:

I had DHCP set up correctly with option 15 matching my certificate CNAME DNS Suffix:

[screenshot: 1.png]

I had the SCS Service running under my amt\administrator account:

[screenshot: 2.png]

I was logged on my SCS server as amt\administrator:

[screenshot: 3.png]

I had my provisioning certificate installed in my “Current User” certificate store and I had the Private Key:

[screenshot: 4.png]

The certificate chained up to the correct GoDaddy CA with the correct thumbprint:

[screenshot: 5.png]

[screenshot: 6.png]

Everything looked great, until I tried to configure a client:

[screenshot: 7.png]

Hrmm, failed to get private key? But my certificate clearly shows that I have the key! Digging a bit more into what might be causing this issue, I found a reference to CNG, which is Cryptography API: Next Generation; you can read about it here.
Now, when I originally created the CSR for the provisioning certificate, I used the Certificates snap-in in MMC. The first step in that process was to select a template to use:

[screenshot: 8.png]

Sure enough, it defaults to CNG Key. Doing a bit more research, I found out that CNG Key-based provisioning certificates are not supported in our Setup and Configuration Software (SCS).
So to fix this, I just ended up creating a new CSR and selecting Legacy Key as my template. Then I went to my GoDaddy account and chose to “Re-Key” my certificate. After that I could once again provision my systems with SCS!
So if you are seeing a similar issue to the one above, there is an easy way to find out whether the cert template you selected was a CNG template:

On the server where you have the cert installed, open the certificate, then use the "Copy to File..." button on the Details tab to export it to a .pfx file, including the private key. (The provider information you are looking for travels with the key, not with the certificate itself, so a .cer export without the key will not show it.) Once you have the file, run this command against it:


     CERTUTIL filename.pfx

[screenshot: 9.png]

If you see “Microsoft Software Key Storage Provider”, the private key was generated with a CNG key storage provider (KSP) rather than a legacy CryptoAPI CSP, and you may have issues with SCS.
What you want to see is a cert that uses the Legacy Key template:

[screenshot: 10.png]
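The same check can be done without clicking through each certificate. The following PowerShell is an added example, not part of the original post or of Intel's SCS; it wraps the certutil tool the post already relies on and parses the "Provider =" line that certutil prints for every certificate that has a private key. It goes slightly beyond the post by flagging the three built-in Microsoft KSPs rather than only the software KSP, since any CNG key will hit the same SCS limitation. The store name, PFX path and password parameters are assumptions for illustration.

```powershell
# Added example (not from the original post): report which key provider holds the
# private key of each certificate in a store, using certutil's own output.
# Legacy CryptoAPI CSPs have names such as "Microsoft Enhanced Cryptographic
# Provider v1.0" or "Microsoft RSA SChannel Cryptographic Provider"; the names
# below are the built-in CNG key storage providers (assumed list, extend as needed).
$KnownCngProviders = @(
    'Microsoft Software Key Storage Provider',     # the one the post ran into
    'Microsoft Smart Card Key Storage Provider',
    'Microsoft Platform Crypto Provider'           # TPM-backed KSP
)

function Get-CertificateKeyProvider {
    param(
        [string]$StoreName = 'My',   # "Personal" store, where the post installed the cert
        [switch]$LocalMachine        # default is the Current User store, as in the post
    )

    $certutilArgs = @()
    if (-not $LocalMachine) { $certutilArgs += '-user' }
    $certutilArgs += @('-store', $StoreName)

    $results = New-Object System.Collections.Generic.List[object]
    $current = $null

    foreach ($line in (& certutil.exe @certutilArgs)) {
        # certutil separates entries with "================ Certificate N ================"
        if ($line -match '^=+ Certificate \d+ =+') {
            if ($current) { $results.Add($current) }
            $current = [pscustomobject]@{
                Subject    = $null
                Thumbprint = $null
                Provider   = '(no private key)'   # certutil prints no Provider line without a key
                IsCng      = $false
            }
        }
        elseif ($current -and $line -match '^\s*Subject:\s*(.+)$') {
            $current.Subject = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*Cert Hash\(sha1\):\s*(.+)$') {
            $current.Thumbprint = ($Matches[1] -replace '\s', '').ToUpper()
        }
        elseif ($current -and $line -match '^\s*Provider\s*=\s*(.+)$') {
            $current.Provider = $Matches[1].Trim()
            $current.IsCng    = $KnownCngProviders -contains $current.Provider
        }
    }
    if ($current) { $results.Add($current) }
    return $results
}

# Same check against an exported PFX, which is what the post's "CERTUTIL filename.pfx"
# does by hand. -p supplies the PFX password so certutil does not prompt for it.
function Test-PfxUsesCng {
    param(
        [Parameter(Mandatory)][string]$Path,       # e.g. C:\temp\provisioning.pfx (assumed)
        [Parameter(Mandatory)][string]$Password
    )
    $provider = $null
    foreach ($line in (& certutil.exe -p $Password -dump $Path)) {
        if ($line -match '^\s*Provider\s*=\s*(.+)$') { $provider = $Matches[1].Trim(); break }
    }
    [pscustomobject]@{
        Path     = $Path
        Provider = $provider
        IsCng    = ($KnownCngProviders -contains $provider)
    }
}

# Usage: list anything in Current User\Personal that SCS will reject as a CNG key.
Get-CertificateKeyProvider |
    Where-Object IsCng |
    Format-Table Subject, Provider, Thumbprint -AutoSize
```

Run it as the same account the SCS service uses (amt\administrator in the post), because the Current User store is per account; a certificate that looks fine under your own login may not even be present, let alone hold a usable key, for the service account. Re-keying under the Legacy Key template, as the post did, is the clean fix; certutil can also import an existing PFX into a legacy CSP (`certutil -csp "<CSP name>" -importPFX file.pfx`), which is an option the post does not cover and which only works if the key was exportable.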

Now we are set up and ready to configure!