Introducing support for Cryptography: Next Generation (CNG) certificates in Configuration Manager
First published on CLOUDBLOGS on Oct 30, 2017
We have added limited support for Cryptography: Next Generation (CNG) certificates in Update 1710 for System Center Configuration Manager Technical Preview. Configuration Manager clients can now use a PKI client authentication certificate whose private key is held by a CNG Key Storage Provider (KSP). Because the key is accessed through a KSP, a client can use a hardware-backed private key, such as one protected by a TPM through the TPM KSP, for its PKI client authentication certificate.
We chose to prioritize some scenarios. This post gives an overview of the scenarios you can use to try CNG certificates and lists the scenarios that are not currently supported.
Supported in 1710 Technical Preview
Beginning with the 1710 Technical Preview you can use certificates created using CNG certificate templates for client-specific scenarios. The following scenarios are supported:
Client registration and communication with a HTTPS management point
Software distribution and application deployment with a HTTPS distribution point
Operating system deployment (**see known issue below)
Cloud Management Gateway configuration
Client messaging SDK (with a soon-to-be-released update) and ISV Proxy
CNG is backward compatible with the legacy Cryptography API (CAPI). Certificates whose private keys are held by a CAPI cryptographic service provider (CSP) will continue to be supported even when CNG support is enabled on the client.
Not supported for 1710 Technical Preview
Application Catalog web service, Application Catalog website, Enrollment point, and Enrollment proxy point roles will not be operational when installed in HTTPS mode with a CNG certificate bound to the web site in Internet Information Services (IIS). As a consequence, Software Center will not display applications and packages deployed to user or user group collections as available.
State Migration Point will not be operational when installed in HTTPS mode with a CNG certificate bound to the web site in IIS.
Using CNG certificates to create a Cloud Distribution Point is not supported.
NDES Policy Module to Certificate Registration Point (CRP) communication will fail if the NDES Policy Module uses a CNG certificate as its client authentication certificate.
**Task sequence media creation will fail to create bootable media if a CNG certificate is specified.
Creating CNG certificate templates
You will need to create CNG certificate templates on the Certification Authority (CA) and then enroll certificates from those templates on the target machines (clients or servers), depending on the purpose and scenario you are testing, e.g. client authentication or server authentication. When creating the template, check the following settings:
Under the Compatibility tab, "Certification Authority" must be at least "Windows Server 2008" (recommended "Windows Server 2012")
Under the Compatibility tab, "Certificate recipient" must be at least "Windows Vista/Server 2008" (recommended "Windows 8/Windows Server 2012")
Under the Cryptography tab, make sure the "Provider Category" is "Key Storage Provider"
The requirements for your environment or organization may differ; consult your PKI expert. The essential point is that the certificate template must use a Key Storage Provider for the enrolled private key to be a CNG key.
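Once a certificate has been enrolled from such a template, it is worth confirming on the client that the private key really did land in a KSP rather than a legacy CSP, since a template with the wrong provider category silently produces a CAPI key that the new code path never exercises. The following PowerShell script is an added example written for this post, not code from the original article or from Configuration Manager itself. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later (needed for GetRSAPrivateKey), runs elevated so machine private-key metadata is readable, and treats the provider name "Microsoft Platform Crypto Provider" as the Windows TPM KSP.

```powershell
# Added example, not code from the original post or from Configuration Manager.
# For every certificate in the local machine's Personal store that has a private key
# and the Client Authentication EKU, report whether that key is held by a CNG Key
# Storage Provider (KSP) or by a legacy CAPI cryptographic service provider (CSP),
# and which provider holds it. Run from an elevated Windows PowerShell 5.1 session.

# Well-known OIDs: the Enhanced Key Usage extension and the Client Authentication purpose.
$EkuExtensionOid = '2.5.29.37'
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'

# Assumption: the TPM-backed KSP that ships with Windows 8 / Server 2012 and later.
$TpmKspName = 'Microsoft Platform Crypto Provider'

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    if (-not $ext) { return $false }
    # A certificate may carry several EKUs; any Client Authentication entry is enough.
    return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Get-ClientAuthKeyStorage {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku -Certificate $_) } |
        ForEach-Object {
            $cert = $_
            $keyType = 'Unknown'; $provider = $null; $note = $null
            try {
                # GetRSAPrivateKey returns an RSACng object when the key lives in a KSP
                # and an RSACryptoServiceProvider when it lives in a CAPI CSP.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.RSACng]) {
                    $keyType  = 'CNG (KSP)'
                    $provider = $key.Key.Provider.Provider
                }
                elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $keyType  = 'CAPI (CSP)'
                    $provider = $key.CspKeyContainerInfo.ProviderName
                }
                elseif ($null -eq $key) {
                    # Not an RSA key. ECDSA keys are only ever held by CNG providers.
                    $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                    if ($ec -is [System.Security.Cryptography.ECDsaCng]) {
                        $keyType  = 'CNG (KSP)'
                        $provider = $ec.Key.Provider.Provider
                    }
                }
            }
            catch {
                # Typical causes: the key is not accessible to this user, or the certificate
                # references a private key that is missing from the machine key store.
                $note = $_.Exception.Message
            }

            [pscustomobject]@{
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
                KeyType        = $keyType
                Provider       = $provider
                HardwareBacked = ($provider -eq $TpmKspName)
                Note           = $note
            }
        }
}

# Usage: list every client authentication certificate and how its private key is stored.
$results = Get-ClientAuthKeyStorage
$results | Format-Table Subject, KeyType, Provider, HardwareBacked, NotAfter -AutoSize

# Only KSP-held keys exercise the new 1710 support; CAPI keys keep working as before.
if (-not ($results | Where-Object { $_.KeyType -eq 'CNG (KSP)' })) {
    Write-Warning 'No client authentication certificate with a KSP-held private key was found; the CNG code path will not be exercised.'
}
```

A certificate that shows "CAPI (CSP)" with a provider such as "Microsoft Enhanced Cryptographic Provider v1.0" was enrolled from a Legacy Cryptographic Service Provider template and will keep working through the existing CAPI path; one that shows "CNG (KSP)" with "Microsoft Software Key Storage Provider" is a software-backed CNG key, and one with the TPM KSP is the hardware-backed case the 1710 preview targets.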
We hope this helps you get started with CNG certificates, and we invite you to try one or more of the supported scenarios. We welcome your feedback: you can report issues on
and request features or enhancements on