Provisioning Certificate Private Keys, Intel SCS and Cryptography Next Generation (CNG)

I was investigating some strange certificate issues a while back when I ran across one that I had not seen before. I was attempting to configure a Lenovo T410 using the latest version of the SCS (8.1). I purchased a certificate from GoDaddy for my domain and everything appeared to be set up correctly. Here are a few screenshots of my setup:

I had DHCP set up correctly, with option 15 (domain name) matching the DNS suffix in my certificate's CN:


I had the SCS Service running under my amtadministrator account:


I was logged on my SCS server as amtadministrator:


I had my provisioning certificate installed in my “Current User” certificate store and I had the Private Key:


The certificate chained up to the correct GoDaddy CA with the correct thumbprint:



Everything looked great, until I tried to configure a client:


Hrmm, failed to get private key? But my certificate clearly shows that I have the key! Digging a bit more into what may be causing this issue, I found references to CNG, which is Cryptography API: Next Generation; you can read about it here.

Now, when I originally created the CSR for the provisioning certificate, I used the Certificates snap-in in MMC. The first step in that process was to select a template to use:


Sure enough, it defaults to CNG Key. Doing a bit more research, I found out that provisioning certificates whose private key was created with a CNG key storage provider are not supported in our Setup and Configuration Software (SCS).

So to fix this, I just ended up creating a new CSR and selecting Legacy Key as my template. Then I went to my GoDaddy account and chose to “Re-Key” my certificate. After that I could once again provision my systems with SCS!
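The "Legacy Key" versus "CNG Key" choice in the MMC wizard comes down to which key provider holds the private key. The following is an added example, not code from the original post or from Intel SCS or GoDaddy tooling: it creates the replacement CSR from the command line with certreq.exe and an INF file that names a legacy CSP, and shows in a comment the CNG provider line that the wizard defaults to. The subject name, output paths and function name are my assumptions.

```powershell
# Added example, not code from the original post. It generates the CSR with a legacy
# CSP key (the MMC "Legacy Key" template choice) instead of the CNG default, using
# certreq.exe and an INF file. The subject name, output paths, function name and the
# use of certreq are my assumptions; nothing here is Intel SCS or GoDaddy tooling.

function New-LegacyKeyCsr {
    param(
        # Placeholder subject; use the DNS name the provisioning certificate is for.
        [Parameter(Mandatory)] [string] $SubjectCN,
        [string] $OutDir = (Join-Path $env:USERPROFILE 'csr')
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir "$SubjectCN.inf"
    $csr = Join-Path $OutDir "$SubjectCN.req"

    # Legacy CSP (CryptoAPI) key. The CNG variant that the wizard defaults to, and
    # that SCS could not read the private key of, would instead say
    #   ProviderName = "Microsoft Software Key Storage Provider"
    # and omit ProviderType and KeySpec.
    # MachineKeySet = FALSE puts the key in the Current User store, which is where
    # the post keeps its provisioning certificate.
@"
[NewRequest]
Subject = "CN=$SubjectCN"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256
"@ | Set-Content -Path $inf -Encoding ASCII

    # certreq -new creates the key pair in the store and writes the PKCS#10 request,
    # which is what gets submitted to the CA's re-key form.
    & certreq.exe -new $inf $csr
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }
    return $csr
}

# Usage (placeholder name):
# New-LegacyKeyCsr -SubjectCN 'provisioning.example.com'
```

Once the CA returns the issued certificate, installing it on the same account that ran certreq.exe pairs it with the legacy-CSP key in the Current User store, which is the combination SCS was able to use.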

So if you are seeing a similar issue to the one above, there is an easy way to find out if the cert template you selected was a CNG template:

On the server where you have the cert installed, open the certificate, then use the Details tab to copy it to a file. Once you have the file, run this command against it:

     CERTUTIL filename.pfx


If you see “Microsoft Software Key Storage Provider” in the output, the private key lives in a CNG key storage provider, so it is a CNG cert and you may have issues with SCS.
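The check above works on an exported file. As an added example that is not from the original post, the function below reads the same "Provider =" line that certutil prints, but directly from the Current User Personal store, and classifies the private key as CNG or legacy CSP; it goes slightly beyond the post in that it can be run over every certificate in the store at once. The function and property names are mine, and the classification assumes CNG providers carry "Key Storage Provider" in their name, which is the string the post identifies as the CNG marker.

```powershell
# Added example, not code from the original post. It reads certutil's "Provider ="
# line for a certificate directly from the Current User Personal store and classifies
# the private key as CNG (a Key Storage Provider) or legacy CSP, so no export to a
# .pfx is needed. Function and property names are mine; the classification relies on
# CNG providers being named "... Key Storage Provider".

function Get-CertKeyProviderKind {
    param([Parameter(Mandatory)] [string] $Thumbprint)

    # For a cert with an associated private key, certutil -store prints
    # "Key Container = ..." and "Provider = <name>"; without a key those lines are absent.
    $lines = & certutil.exe -user -store My $Thumbprint 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil.exe could not read $Thumbprint from the Current User store (exit $LASTEXITCODE)"
    }

    $provider = $null
    foreach ($line in $lines) {
        if ("$line" -match '^\s*Provider\s*=\s*(.+?)\s*$') { $provider = $Matches[1]; break }
    }

    $kind = if (-not $provider) { 'NoPrivateKey' }
            elseif ($provider -like '*Key Storage Provider*') { 'CNG' }
            else { 'LegacyCSP' }

    [pscustomobject]@{
        Thumbprint   = $Thumbprint
        Provider     = $provider
        Kind         = $kind
        # The post's finding: SCS needs a provisioning certificate with a legacy-CSP key.
        UsableForSCS = ($kind -eq 'LegacyCSP')
    }
}

# Usage: classify every certificate in the Current User Personal store.
# Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Get-CertKeyProviderKind $_.Thumbprint }
```

Run it under the same account that the SCS service uses (amtadministrator in the post), since certutil -user looks at that account's store; a result of NoPrivateKey means the key is missing entirely, while CNG means the key exists but is held by a key storage provider that SCS cannot open.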

What you want to see is a cert that uses the Legacy Key template:


Now we are set up and ready to configure!