
Error: 'ID1039: The certificate's private key could not be accessed


Information

Article Type: Solution Article
Scope/Environment: LCA2014, KCCM2016, TD14 (LiveContent Architect 2014, Knowledge Center Content Manager 2016, Tridion Docs 14)
Symptoms/Context
Error: ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user.

The error appears even though the service user (the OS account the service runs as) has read rights on the private key of the certificate.
You can check this in mmc: File - Add/Remove Snap-in - Certificates - Add - Computer Account - Local Computer - Finish - OK.
Then open Certificates (Local Computer) - Personal - Certificates, right-click the certificate and choose All Tasks - Manage Private Keys.
The service user should have at least Read access.
Some customers use Windows Authentication with ISHSTS. In that setup the ISHSTS IIS application pool runs under the ApplicationPoolIdentity account, so make sure that the local IIS_IUSRS group has access to the private key as well.
Resolution
CNG Certificates
CNG stands for Certificate Next Generation.
How to identify whether the certificate is a CNG certificate:
Open a command prompt and execute the command:

certutil -store my

If the Provider is called <something> Key Storage Provider, the key is held by a CNG provider. Other providers are CSP.
For example, Provider = Microsoft Software Key Storage Provider indicates a CNG certificate.


Source:  CSP, CNG and their application support
https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=8


How to convert to CSP:
Use openssl (available in cygwin, for example).

First export the certificate from the certificate store using mmc: right-click the certificate - All Tasks - Export - Yes, export the private key - PFX format - and enter a password.
In the example below the certificate is exported to a file called LCAtemp.pfx with the password LCAtemp.

Extract the certificate and its full chain (no private key):

openssl pkcs12 -in LCAtemp.pfx -nokeys -out LCAtemp.cer -passin "pass:LCAtemp"

Extract the private key:

openssl pkcs12 -in LCAtemp.pfx -nocerts -out LCAtemp.pem -passin "pass:LCAtemp" -passout "pass:LCAtemp"

Convert the private key to RSA format (the -aes256 option keeps the key file encrypted with the same password; without it, -passout is ignored and the key is written in clear text):

openssl rsa -inform PEM -in LCAtemp.pem -aes256 -out LCAtemp.rsa -passin "pass:LCAtemp" -passout "pass:LCAtemp"

Merge the certificate chain with the RSA private key into a new PFX (with OpenSSL 3.x, add -legacy to this command if Windows refuses to import the result, because 3.x encrypts the PFX with algorithms older Windows releases cannot read):

openssl pkcs12 -export -in LCAtemp.cer -inkey LCAtemp.rsa -out CONVERTED.pfx -passin "pass:LCAtemp" -passout "pass:LCAtemp"


Import and check again
Remove the previous certificate and import the converted one, CONVERTED.pfx: right-click Certificates and choose Import.

If you now execute the certutil command again, you will see a different provider:
certutil -store my

Provider = Microsoft Enhanced Cryptographic Provider v1.0
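The two checks this article performs by hand (the provider shown by certutil, and the Read right on the private key in Manage Private Keys) can be combined in one diagnostic. The function below is an added example, not part of the original article or of the Tridion Docs product: it assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, an elevated session, a machine key held by a Microsoft software provider (no smart card or HSM), and the thumbprint and account name are placeholders to replace.

```powershell
# Added diagnostic, not from the original article: for one certificate in the
# Local Computer "Personal" store, report the key provider (CNG vs CSP) and
# whether an account has Read access to the private key file.
function Get-IshCertificateKeyInfo {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $Account = 'IIS_IUSRS'   # or 'IIS APPPOOL\ISHSTS', or the service user
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    # Same test as the article's certutil check: a "... Key Storage Provider" is CNG.
    $providerLine = (certutil -store my $Thumbprint | Select-String 'Provider =') |
        Select-Object -First 1
    $provider = ("$providerLine" -replace '^.*Provider = ', '').Trim()
    $isCng = $provider -like '*Key Storage Provider'

    # Machine key containers live under %ProgramData%\Microsoft\Crypto:
    # CNG keys in Keys\, CSP keys in RSA\MachineKeys\ (Microsoft software
    # providers only; hardware-backed keys have no file to inspect).
    if ($isCng) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } else {
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    }

    # Look for an Allow entry for the account that carries all Read rights,
    # which is what "Manage Private Keys" in mmc displays as Read.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $allowsRead = (Get-Acl -Path $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*$Account" -and
        (($_.FileSystemRights -band $read) -eq $read)
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Provider       = $provider
        IsCng          = $isCng
        KeyFile        = $keyFile
        AccountCanRead = [bool]$allowsRead
    }
}

# Placeholder thumbprint and account; replace with the ISHSTS certificate and identity.
Get-IshCertificateKeyInfo -Thumbprint '<THUMBPRINT>' -Account 'IIS_IUSRS'
```

If the output shows IsCng = True while AccountCanRead is already True, the certificate needs the CSP conversion described above rather than an ACL change.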
Root Cause
If the service user already has read rights on the private key, the error is caused by the application certificate being a CNG certificate.