{"id":6669,"date":"2023-02-19T01:05:54","date_gmt":"2023-02-19T01:05:54","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6669"},"modified":"2025-07-30T06:08:10","modified_gmt":"2025-07-30T06:08:10","slug":"after-updating-the-ssl-certificate-used-by-microsoft-dynamics-crm","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/after-updating-the-ssl-certificate-used-by-microsoft-dynamics-crm","title":{"rendered":"After updating the SSL certificate used by Microsoft Dynamics CRM"},"content":{"rendered":"\n

READ <\/strong>-> https:\/\/pariswells.com\/blog\/research\/dynamics-365-9-0-on-premise-ifd-configuration-error-invalid-provider-type-specified-how-to-check-the-keyspec-cng-capi-value-for-your-certificates-keys<\/a><\/p>\n\n\n\n

Import the Certificate as a Legacy one NOT the default<\/p>\n\n\n\n

HTTP 500 Error \u2018Keyset does not exist\u2019<\/p>\n\n\n\n

Next we need to grant to the account NETWORK SERVICE the access to the Private key of certificate on CRM Server because it\u2019s the account that has been associated by default to the CRMAppPool in IIS. You can double check it on the Application Pools in IIS.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

 Error: Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #61396B66Detail: -2147220970 System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error.<\/p>\n\n\n\n

Keyset does not exist Not available Not available https:\/\/crmwebsite.domain.com\/Handlers\/FederationMetadata.ashx<\/a> \/Handlers\/FederationMetadata.ashx<\/p>\n\n\n\n

<\/p>\n\n\n\n

Resolution <\/strong><\/p>\n\n\n\n

How to Fix the \u201cKeyset does not exist\u201d CryptographicException \u2013 Improve & Repeat (improveandrepeat.com)<\/a><\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 14\/08\/2023 1:30:07 PM 
Event time (UTC): 14\/08\/2023 3:30:07 AM 
Event ID: 8f2981830a2a4adeb9df5df88a50fb76 
Event sequence: 50 
Event occurrence: 13 
Event detail code: 0 

Application information: 
    Application domain: \/LM\/W3SVC\/1\/ROOT-1-133364560657654137 
    Trust level: Full 
    Application Virtual Path: \/ 
    Application Path: C:\\Program Files\\Microsoft Dynamics CRM\\CRMWeb\\ 
    Machine name: XXXXXXX

Process information: 
    Process ID: 5164 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\\NETWORK SERVICE 

Exception information: 
    Exception type: CryptographicException 
    Exception message: Invalid provider type specified.<\/p>\n\n\n\n

   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
   at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
   at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature()
   at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement()
   at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor)
   at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata)
   at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream)
   at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)<\/p>\n\n\n\n



Request information: 
    Request URL: https:\/\/xxxxxx\/Handlers\/FederationMetadata.ashx
    Request path: \/Handlers\/FederationMetadata.ashx 
    User host address: 192.168.51.9 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\\NETWORK SERVICE 

Thread information: 
    Thread ID: 51 
    Thread account name: NT AUTHORITY\\NETWORK SERVICE 
    Is impersonating: True 
    Stack trace:    at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.get_PrivateKey()
   at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)
   at System.IdentityModel.SignedXml.ComputeSignature(SecurityKey signingKey)
   at System.IdentityModel.EnvelopedSignatureWriter.ComputeSignature()
   at System.IdentityModel.EnvelopedSignatureWriter.OnEndRootElement()
   at System.IdentityModel.Metadata.MetadataSerializer.WriteEntityDescriptor(XmlWriter inputWriter, EntityDescriptor entityDescriptor)
   at System.IdentityModel.Metadata.MetadataSerializer.WriteMetadata(Stream stream, MetadataBase metadata)
   at Microsoft.Crm.Authentication.Claims.MetadataGenerator.GenerateCrmFederationMetadata(Stream stream)
   at Microsoft.Crm.Application.Components.Handlers.FederationMetadata.ProcessRequestInternal(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)<\/p>\n\n\n\n

Resolution<\/strong><\/p>\n\n\n\n

Make sure the Certificate installed has the correct private key<\/p>\n\n\n\n

Use certutil to check on the certificate ( certutil -verifystore my {Thumbprint no squirly brackets} ) <\/p>\n\n\n\n

================ Certificate 3 ================
================ Begin Nesting Level 1 ================
Element 3:
Serial Number: XXXXXXXXXXX
Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
NotBefore: 28\/07\/2023 10:00 AM
NotAfter: 27\/08\/2024 9:59 AM
Subject: CN=XXXXXXXXX
Non-root Certificate
Cert Hash(sha1): XXXXXXXXXX
—————-  End Nesting Level 1  —————-
  Key Container = PfxContainer
  Provider = PfxProvider
Encryption test FAILED
<\/strong>CertUtil: -dump command completed successfully.<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

READ -> https:\/\/pariswells.com\/blog\/research\/dynamics-365-9-0-on-premise-ifd-configuration-error-invalid-provider-type-specified-how-to-check-the-keyspec-cng-capi-value-for-your-certificates-keys Import the Certificate as a Legacy one NOT the default HTTP 500 Error \u2018Keyset does not exist\u2019 Next we need to grant to the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4183,4181,4184,4177,4179,4178,4180],"class_list":["post-6669","post","type-post","status-publish","format-standard","hentry","category-research","tag-4183","tag-federationmetadata-xml","tag-getting-an-error-occurred-while-login-to-adfs","tag-http-500-error","tag-microsoft-xrm-sdk","tag-microsoft-xrm-sdk-organizationservicefault","tag-system-security-cryptography-cryptographicexception"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6669"}],"version-history":[{"count":8,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6669\/revisions"}],"predecessor-version":[{"id":9070,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6669\/revisions\/9070"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}