The current version of ADFS (Active Directory Federation Services on Windows Server 2012 R2) unfortunately does not support Cryptography Next Generation (CNG) certificates, i.e. certificates whose private key is held by a CNG key storage provider rather than a legacy CryptoAPI CSP.
If you already have a CNG certificate and do not want to re-request a legacy one from your provider, you can import the PFX as a legacy (CSP-backed) certificate with this command:
certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx c:\temp\cng_cerficiate_file.pfx
ADFS will then be able to use that certificate.
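The following PowerShell script is an added example, not code from the original post or from the solution it credits. It inventories the LocalMachine\My store by key-storage type so CNG-keyed certificates can be spotted before ADFS rejects them, wraps the certutil command above with a password switch and failure handling (including the 0x80090029 NTE_NOT_SUPPORTED case reported in the comments), and then verifies that the re-imported certificate reports a legacy CSP rather than a CNG provider. The function names, the PFX path and the password handling are assumptions of this example.

```powershell
# Added example; not part of the original post. Assumes Windows PowerShell 5.1
# or later on the ADFS server. The PFX path and password below are placeholders.

function Get-PrivateKeyStorage {
    <# Returns 'CNG:<provider>' or 'CSP:<provider>' for a certificate with an RSA key. #>
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate.HasPrivateKey) { return 'NoPrivateKey' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    } catch {
        # The key exists but this process cannot open it (ACL, missing provider, ...).
        return "Unreadable:$($_.Exception.Message)"
    }
    if ($null -eq $rsa) { return 'NonRSA' }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI CSP: this is what ADFS on 2012 R2 can work with.
        return "CSP:$($rsa.CspKeyContainerInfo.ProviderName)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key storage provider: ADFS on 2012 R2 will refuse this certificate.
        return "CNG:$($rsa.Key.Provider.Provider)"
    }
    return "Other:$($rsa.GetType().FullName)"
}

function Import-PfxIntoLegacyCsp {
    <# Runs the certutil command from the post and returns the newly added store entries. #>
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password   # passed to certutil's -p switch
    )
    $legacyCsp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    $before = @((Get-ChildItem Cert:\LocalMachine\My).Thumbprint)

    # certutil defaults to the LocalMachine\My store, which is where ADFS looks.
    $output = & certutil.exe -p $Password -csp $legacyCsp -importpfx $PfxPath 2>&1
    if ($LASTEXITCODE -ne 0) {
        # 0x80090029 (NTE_NOT_SUPPORTED) is the failure quoted in the comments; the
        # chosen CSP cannot hold the key material in this PFX (for example a non-RSA key).
        throw "certutil -importpfx failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    # Whatever is new in the store is what certutil just added.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -notin $before }
}

# --- Usage ----------------------------------------------------------------
# 1. Inventory: which machine certificates would ADFS refuse because they use CNG?
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'KeyStorage'; e = { Get-PrivateKeyStorage -Certificate $_ } } |
    Format-Table -AutoSize

# 2. Re-import a CNG-keyed PFX into the legacy CSP (placeholder path, prompted password).
$pfxPath = 'C:\temp\cng_certificate_file.pfx'              # hypothetical path
$secure  = Read-Host -Prompt 'PFX password' -AsSecureString
$plain   = [System.Net.NetworkCredential]::new('', $secure).Password
$added   = Import-PfxIntoLegacyCsp -PfxPath $pfxPath -Password $plain

# 3. Verify: the imported entry should now report CSP:... rather than CNG:...
foreach ($cert in $added) {
    "Imported $($cert.Thumbprint) ($($cert.Subject)) -> $(Get-PrivateKeyStorage -Certificate $cert)"
}
```

If a copy of the same certificate with its CNG key is already in LocalMachine\My, its thumbprint is in `$before` and the import will not show up as "new"; check that thumbprint with `Get-PrivateKeyStorage` directly after the import instead. The inventory in step 1 is also a useful pre-check before an ADFS certificate rollover, since a CNG-keyed certificate will not appear as selectable in the ADFS configuration.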
A huge thanks to my colleague and security expert Hasain Alshakarti (Twitter: @Alshakarti, Blog: http://secadmins.com/) for providing me with the solution.
Sorry guys, I don't have a cert to try with right now. It's possible they have done some change so the above is not working anymore.
Same for me:
CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
CertUtil: The requested operation is not supported.
Facing this error message:
CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783)
CertUtil: The requested operation is not supported.