Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Error after updating SSL certificate used by Microsoft Dynamics CRM 2013


Symptoms

Consider the following scenario:
After updating the SSL certificate used by Microsoft Dynamics CRM, you may encounter the following error messages when attempting to access the website or FederationMetadata.xml page:

Issue #1:

HTTP 500 Error ‘Keyset does not exist’

 Error: Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=6.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #61396B66
 Detail: -2147220970 System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error.

Keyset does not exist Not available Not available https://crmwebsite.domain.com/Handlers/FederationMetadata.ashx /Handlers/FederationMetadata.ashx ASHX_XML

Issue #2:

After deploying a new certificate using the Legacy key template, a ‘Keyset does not exist’ error may occur.



Cause

Cause #1:

The new certificate placed in the deployment may have been created using a CNG key template. Certificates created using a CNG key template are not supported by Microsoft Dynamics CRM.
  See: https://technet.microsoft.com/en-us/library/gg188582(v=crm.6).aspx


Cause #2:

The new certificate’s Cryptographic Service Provider setting was not configured for encryption. The setting on the new certificate was ‘Microsoft RSA SChannel Cryptographic Provider (Signature)’, which is the default Cryptographic Service Provider setting when a custom certificate request is generated. Even though an encrypt option exists on the certificate, this provider setting overrides it and makes the certificate a signing certificate, so it is invalid for encryption purposes.



Resolution

Create a new custom certificate request using the Legacy key template and set the Cryptographic Service Provider setting to ‘Microsoft RSA SChannel Cryptographic Provider (Encryption)’.
   See: https://technet.microsoft.com/en-us/library/cc730929.aspx
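
To tell which cause applies to a deployed certificate, or to confirm that a reissued one is correct, the check below reads the provider and key type behind each certificate in the computer's Personal store. It is an added example, not part of the original KB article. It assumes Windows PowerShell 5.1 on .NET Framework, run elevated, with the CRM certificate in Cert:\LocalMachine\My; the function name Get-CrmCertKeyDiagnosis is hypothetical. The ‘(Signature)’ and ‘(Encryption)’ provider choices appear in .NET as KeyNumber Signature and Exchange.

```powershell
# Added example (not from the KB article). Assumes Windows PowerShell 5.1 on
# .NET Framework, run elevated on the CRM server. Function name is hypothetical.
function Get-CrmCertKeyDiagnosis {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $cspType = [System.Security.Cryptography.ICspAsymmetricAlgorithm]
        $row = [ordered]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Provider   = $null
            KeyNumber  = $null
            Diagnosis  = 'No private key is bound to this certificate.'
        }
        if ($Certificate.HasPrivateKey) {
            try {
                # Legacy CryptoAPI (CSP) keys come back as an ICspAsymmetricAlgorithm.
                $key = $Certificate.PrivateKey -as $cspType
                if ($null -eq $key) {
                    $row.Diagnosis = 'Key is not held by a legacy CSP (CNG key): see Cause #1.'
                } else {
                    $info = $key.CspKeyContainerInfo
                    $row.Provider  = $info.ProviderName
                    $row.KeyNumber = $info.KeyNumber   # Exchange = 1, Signature = 2
                    if ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Signature) {
                        $row.Diagnosis = 'Signature-only key: see Cause #2.'
                    } else {
                        $row.Diagnosis = 'CSP key usable for key exchange (encryption).'
                    }
                }
            } catch {
                # .NET Framework throws here when it cannot open the key through
                # CryptoAPI, which includes CNG-stored keys. Report the message as is.
                $row.Diagnosis = "Private key could not be opened via CryptoAPI: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

# Check every certificate in the computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My | Get-CrmCertKeyDiagnosis | Format-List
```

A certificate issued as described in the Resolution should report the SChannel provider with KeyNumber Exchange.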



Keywords: kbmbsmigrate, kbmbspartner, vkball, kb


Article Info
Article ID : 3079686
Revision : 1
Created on : 1/8/2017
Published on : 7/13/2015
Exists online : False
Views : 59