You receive an error message when you try to use the Digital Signature Algorithm together with a private key to install the Active Directory Certificate Services role in Windows Server 2008

In Windows Server 2008, you try to use the Digital Signature Algorithm (DSA) together with a private key to install the Active Directory Certificate Services role. If the private key is stored in a Cryptography Next Generation (CNG)-based key storage provider, you receive an error message that resembles the following:

Windows Server 2008 and Windows Vista cannot sign certificates by using DSA if the private key is stored in a CNG-based key storage provider. If you use a Microsoft key storage provider or any other CNG-based providers for DSA, you will experience a failure when the operating system signs certificates or helps to secure e-mail messages.

To resolve this problem, use the legacy DSA cryptographic service providers (CSPs).

CNG contains a new set of cryptographic APIs. These APIs are available in Windows Vista and in later operating systems. For more information about CNG, visit the following Microsoft Web site:For more information about how CNG relates to the Active Directory Certificate Services role, visit the following Microsoft Web site: