We have an Azure Function (.NET 4.7.2) that has been running for a year and sends messages to a web service using a client certificate. This certificate had to be renewed, but now that we have done that we are getting this exception when sending a message:
System.Security.Cryptography.CryptographicException: Invalid provider type specified.
Azure has problems reading the private key, and the problem seems to be in exporting it from my local machine. Could this problem originate from the original CSR? The previous certificate still works fine, as long as it's valid. Note that I can send messages using the new certificate from my local machine. Things I have tried:
CertUtil.exe -store -user my
to compare the new and the old certificate. They both have Provider Microsoft Enhanced Cryptographic Provider v1.0
and, apart from the hashes and names, look the same.
new X509Certificate2(certBytes, "password", X509KeyStorageFlags.PersistKeySet);
This works, so something seems to be going wrong when uploading the .pfx file to the Azure portal. Any more things I can try?
The provider that worked for the previous certificate no longer works for the new certificate. I have a hunch something is wrong with the encryption because the Bag Attributes contained no LocalKeyID information, but I cannot say for sure.
Anyway, changing the provider to "Microsoft Platform Crypto Provider" made the private key accessible in Azure. Using OpenSSL:
First export the .key and the public .pem part from the .pfx file:
openssl pkcs12 -in cert.pfx -out cert_publicpart.pem -nokeys
openssl pkcs12 -in cert.pfx -out cert_privatekey.key -nocerts
If it's encrypted it will ask for your password after each command.
Then convert it back to a .pfx, specifying the provider:
openssl pkcs12 -export -in cert_publicpart.pem -inkey cert_privatekey.key -out cert_newCSP.pfx -CSP "Microsoft Platform Crypto Provider"
Again, specify a password and the new .pfx should be good to go!
Optionally, if you want to verify the CSP:
openssl pkcs12 -in "cert_newCSP.pfx" -out "cert_newCSP.pem"
Open the .pem file, find -----BEGIN ENCRYPTED PRIVATE KEY----- and look for
Microsoft CSP Name: Microsoft Platform Crypto Provider
right above it.
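A scripted version of the procedure above, as an added example that is not part of the original answer: it runs the same three openssl steps (split certificates and key out of the .pfx, re-export with -CSP) and then reads the CSP name back out of the key bag instead of opening the .pem by hand. It assumes only that openssl is on PATH; the function names, temporary file handling and the password-on-command-line convenience are my own choices, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original answer. Rebuilds a .pfx so that the
# private-key bag carries a "Microsoft CSP Name" attribute, then reads the
# attribute back to confirm it. Assumes: openssl on PATH. Function names and
# temporary file names are my own choices (hypothetical), not from the post.
set -eu

# repack_pfx_with_csp IN.pfx OUT.pfx PASSWORD CSP_NAME
# Same three openssl steps as the answer: split certs and key out of the
# bundle, then export them again with -CSP. The same password is used for the
# input and the output bundle.
repack_pfx_with_csp() {
    in_pfx=$1; out_pfx=$2; pass=$3; csp=$4
    work=$(mktemp -d)
    # certificate(s) only; -nokeys means no PEM passphrase prompt
    openssl pkcs12 -in "$in_pfx" -passin "pass:$pass" -nokeys \
        -out "$work/certs.pem"
    # private key only, left unencrypted (-nodes) because it lives in a
    # temporary directory that is deleted below
    openssl pkcs12 -in "$in_pfx" -passin "pass:$pass" -nocerts -nodes \
        -out "$work/key.pem"
    # rebuild, stamping the key bag with the CSP name Windows should use
    openssl pkcs12 -export -in "$work/certs.pem" -inkey "$work/key.pem" \
        -CSP "$csp" -passout "pass:$pass" -out "$out_pfx"
    rm -rf "$work"
}

# pfx_csp_name FILE.pfx PASSWORD
# Prints the CSP name recorded on the key bag, or nothing if there is none.
# This is the "look for Microsoft CSP Name:" check from the answer, scripted:
# openssl prints the bag attributes above the key when dumping the bundle.
pfx_csp_name() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        sed -n 's/^ *Microsoft CSP Name: //p' | head -n 1
}

# Usage: sh repack.sh in.pfx out.pfx password [csp-name]
if [ "$#" -ge 3 ]; then
    repack_pfx_with_csp "$1" "$2" "$3" "${4:-Microsoft Platform Crypto Provider}"
    echo "CSP recorded in $2: $(pfx_csp_name "$2" "$3")"
fi
```

Two caveats for real use. The CSP name is only an attribute on the key bag; Windows reads it at import to decide which provider receives the key, so nothing about the key material itself changes. And the encryption of the bundle matters for Windows: if OpenSSL 3 refuses to read a Windows-exported .pfx, add -legacy to the two extraction commands, and if Windows or the portal rejects the re-exported file, add -legacy to the -export step (or pick the PBE and MAC explicitly with -keypbe, -certpbe and -macalg). Passing the password with pass: puts it in the process list; for anything beyond a one-off, use -passin file: or env:.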