When using PowerShell to create a Workflow Manager farm with certificates issued by a domain CA (Active Directory Certificate Services) from a template that uses Cryptography API: Next Generation (CNG) keys, you may receive one or more of the following error messages. Which one you see depends on whether you are running Add-WFHost or New-SBFarm.
- System.Security.Cryptography.CryptographicException: Invalid provider type specified. (Add-WFHost)
- Unable to obtain private key file name for certificate with thumbprint:<THUMBPRINT> (Add-WFHost)
- Cannot validate argument on parameter ‘FarmCertificateThumbprint’. Certificate with thumbprint <THUMBPRINT> cannot be used. Certificate should be of type AT_KEYEXCHANGE. (New-SBFarm)
Error Message #1: System.Security.Cryptography.CryptographicException: Invalid provider type specified.
When this error occurs, an event with ID 702 is also logged to the Workflow Manager admin log in Event Viewer (Applications and Services Logs > Microsoft-Workflow > Admin). The event contains the call stack of the exception, which shows that it is raised during cryptographic operations, specifically when the certificate's private key is retrieved through the X509Certificate2.PrivateKey property. That property only understands legacy CryptoAPI (CSP) keys, so it throws when the private key is held by a CNG Key Storage Provider.
Error Message #2: Unable to obtain private key file name for certificate with thumbprint: <THUMBPRINT>. This PowerShell error makes it a bit clearer that the failure is related to private key operations on the certificate.
Error Message #3: Cannot validate argument on parameter ‘FarmCertificateThumbprint’. Certificate with thumbprint <THUMBPRINT> cannot be used. Certificate should be of type AT_KEYEXCHANGE.
The third error message is the most specific: it tells us what kind of certificate Service Bus (and Workflow Manager) require. This requirement is documented on the Workflow Manager System Requirements page under “General Certificate Requirements”.
What are KeySpec and AT_KEYEXCHANGE?
The KeySpec property specifies or retrieves a value that identifies whether a private key can be used for signing, encryption, or both (source). AT_KEYEXCHANGE (value 1) is one of the available KeySpec values and indicates that the key can be used for encryption or key exchange; the other is AT_SIGNATURE (value 2), which allows signing only. KeySpec is a CryptoAPI concept, so it is only meaningful for keys held by a legacy Cryptographic Service Provider (CSP); a key stored by a CNG Key Storage Provider has no KeySpec at all, which is why a CNG-backed certificate can never satisfy the AT_KEYEXCHANGE check.
A certificate template may be configured to use one of the legacy Cryptographic Service Providers that are available by default (for example the Microsoft RSA SChannel Cryptographic Provider), or it may be configured to use a Cryptography API: Next Generation (CNG) Key Storage Provider (KSP). The CNG option is not supported for Workflow Manager or Service Bus, so the farm certificate must be requested from a template that uses a legacy CSP and a key type of Exchange (AT_KEYEXCHANGE). A certificate whose key is already in a KSP cannot simply be re-pointed at a CSP: either reissue it from a corrected template or, if the key was marked exportable, export it to a PFX and re-import it into a legacy provider with certutil -csp "<legacy CSP name>" -importpfx.
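The check below is an added example, not code from the original post or from the Workflow Manager product. It reproduces the same X509Certificate2.PrivateKey access that Add-WFHost performs against every certificate in the machine personal store, classifies each key as CSP or CNG from the outcome, reads the KeySpec for CSP keys, and cross-checks the result against certutil's verbose store dump. It assumes Windows PowerShell 5.1 (.NET Framework, where the PrivateKey getter throws "Invalid provider type specified" for CNG keys; PowerShell 7 behaves differently), an elevated session so machine-store keys can be opened, that certutil.exe is on the path, and that certutil prints its "Provider = ..." and "KeySpec = ..." lines in the format shown in current Windows versions. The function names and the UsableForWFM field are this example's own.

```powershell
# Added example (not code from the original post). Classifies certificates in the local
# machine personal store by where their private key lives, using the same
# X509Certificate2.PrivateKey access that Add-WFHost performs.
# Assumptions: Windows PowerShell 5.1 (.NET Framework) in an elevated session; certutil.exe
# on the path; certutil output lines "Provider = ..." / "KeySpec = ..." as on current Windows.

function Get-FarmCertificateKeyInfo {
    [CmdletBinding()]
    param(
        # Optional: restrict to one certificate (SHA-1 thumbprint, no spaces).
        [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { -not $Thumbprint -or $_.Thumbprint -eq $Thumbprint } |
        ForEach-Object {
            $cert = $_
            $info = [ordered]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                KeyStorage    = 'none'   # 'CSP' (legacy CryptoAPI) or 'CNG' (Key Storage Provider)
                Provider      = $null
                KeySpec       = $null    # AT_KEYEXCHANGE / AT_SIGNATURE; only defined for CSP keys
                UsableForWFM  = $false   # Workflow Manager / Service Bus need a CSP key with AT_KEYEXCHANGE
                Detail        = $null
            }

            if ($cert.HasPrivateKey) {
                try {
                    # X509Certificate2.PrivateKey only knows CryptoAPI (CSP) keys. On a CNG key the
                    # getter throws CryptographicException "Invalid provider type specified",
                    # which is exactly what Add-WFHost reports.
                    $key       = $cert.PrivateKey
                    $container = $key.CspKeyContainerInfo
                    $info.KeyStorage = 'CSP'
                    $info.Provider   = $container.ProviderName
                    # KeyNumber maps 1:1 onto the CryptoAPI KeySpec values (1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE).
                    $info.KeySpec = switch ([int] $container.KeyNumber) {
                        1       { 'AT_KEYEXCHANGE' }
                        2       { 'AT_SIGNATURE' }
                        default { "Unknown($_)" }
                    }
                    $info.UsableForWFM = ($info.KeySpec -eq 'AT_KEYEXCHANGE')
                }
                catch {
                    # PowerShell wraps getter exceptions; unwrap to the real CryptographicException.
                    $ex = $_.Exception
                    while ($ex.InnerException) { $ex = $ex.InnerException }
                    if ($ex -is [System.Security.Cryptography.CryptographicException] -and
                        $ex.Message -like '*Invalid provider type*') {
                        $info.KeyStorage = 'CNG'
                        $info.Detail = 'Private key is held by a CNG Key Storage Provider; reissue from a legacy CSP template.'
                    }
                    else {
                        $info.Detail = $ex.Message   # e.g. "Keyset does not exist" when not elevated
                    }
                }
            }
            [pscustomobject] $info
        }
}

function Get-CertUtilKeySpec {
    # Independent cross-check using certutil's verbose store dump, which prints the provider
    # and, for CSP keys, a line such as "KeySpec = 1 -- AT_KEYEXCHANGE".
    param([Parameter(Mandatory)] [string] $Thumbprint)

    $dump     = (& certutil.exe -v -store My $Thumbprint 2>&1) | Out-String
    $provider = $null
    $keySpec  = $null
    if ($dump -match '(?m)^\s*Provider = (.+?)\s*$') { $provider = $Matches[1] }
    if ($dump -match '(?m)^\s*KeySpec = (.+?)\s*$')  { $keySpec  = $Matches[1] }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Provider   = $provider
        KeySpec    = $keySpec
    }
}

# Usage: list every certificate and flag the ones a farm can use, then confirm with certutil.
Get-FarmCertificateKeyInfo |
    Format-Table Subject, Thumbprint, KeyStorage, Provider, KeySpec, UsableForWFM -AutoSize

Get-FarmCertificateKeyInfo |
    Where-Object UsableForWFM |
    ForEach-Object { Get-CertUtilKeySpec -Thumbprint $_.Thumbprint }
```

Run this on the Workflow Manager host before New-SBFarm or Add-WFHost: a row showing KeyStorage = CNG is the certificate that produces "Invalid provider type specified", and a CSP row with KeySpec = AT_SIGNATURE is the one New-SBFarm rejects with the AT_KEYEXCHANGE message. Only rows with UsableForWFM = True should be passed as the farm certificate thumbprint.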
If you use domain CA-generated certificates for Workflow Manager and Service Bus, make sure they meet the certificate requirements documented here:
- Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)
- CNG Key Storage Providers
- CNG Cryptographic Algorithm Providers
- CryptoAPI Cryptographic Service Providers
- “Invalid provider type specified” error when accessing X509Certificate2.PrivateKey on CNG certificates
- Verifying the Key Specification of a Given Certificate