First published by Kurt L Hudson MSFT, 27 Apr 2012 6:28 PM
Last revision by Ed Price - MSFT (Microsoft), 29 Oct 2012 11:02 PM
Revisions: 8. Comments: 2.
Configuring Certificate Template: "A Certificate could not be created. A private key could not be created."
Applies to Windows Server 2008, Windows Vista, Windows Server 2008 R2, Windows 7
Best Practice for Configuring Certificate Template Cryptography
Starting with Windows Vista and Windows Server 2008, the option to use Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a certificate template and configure the settings on the Cryptography tab. Depending on the template duplicated, you may see that the default option is "Requests can use any provider available on the subject’s computer". However, the best practice is to select "Requests must use one of the following providers" and then configure only the providers that you want to be used.
You should also be aware that:
1. The CSP or KSP list (depending on the template schema version) is only a suggestion for the client computers.
2. Client computers may ignore this list, as the certification authority cannot enforce the CSP or KSP list settings.
3. The client computers process the CSP or KSP list one entry at a time.
   a. For each entry, the client tries to generate a private/public key pair using that CSP or KSP. The order of the CSP or KSP list is not configurable on certificate client computers running Windows 7, Windows Server 2008 R2 or earlier operating systems.
   b. If key generation fails on a particular CSP or KSP, the next entry in the list is attempted.
If you do not specify particular CSPs or KSPs in the template, you increase the potential for cryptographic incompatibilities. For example, assume a template whose Request Handling tab is set to "Allow private key to be exported" and whose Cryptography tab is set to "Requests can use any provider available on the subject’s computer". The client computer could potentially select the Microsoft Smart Card Key Storage Provider. If this happens, the client fails to enroll for the certificate and the error message "A certificate could not be created. A private key could not be created" is displayed. To help avoid this situation, follow the best practice of selecting the cryptographic keys that you want used on the Cryptography tab by selecting "Requests must use one of the following providers".
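
One way to find templates that match the scenario above, as an added example that is not part of the original article: the script reads every certificate template from Active Directory and reports those with no provider list, flagging the ones that also allow private key export. It assumes the ActiveDirectory PowerShell module is installed, and it assumes that a template set to "Requests can use any provider available on the subject’s computer" is stored with an empty pKIDefaultCSPs attribute.

```powershell
# Added example: audit certificate templates for a missing provider list.
# Requires the ActiveDirectory module (RSAT) and read access to the
# configuration partition of the forest.
Import-Module ActiveDirectory

# Bit in msPKI-Private-Key-Flag that corresponds to
# "Allow private key to be exported" (CT_FLAG_EXPORTABLE_KEY).
$CT_FLAG_EXPORTABLE_KEY = 0x10

$configNC = (Get-ADRootDSE).configurationNamingContext
$query = @{
    SearchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    LDAPFilter = '(objectClass=pKICertificateTemplate)'
    Properties = 'displayName', 'pKIDefaultCSPs',
                 'msPKI-Private-Key-Flag', 'msPKI-Template-Schema-Version'
}

$report = foreach ($t in Get-ADObject @query) {
    # Each pKIDefaultCSPs value looks like "1,<provider name>"; the number
    # is the position of the provider in the template's list.
    $providers = @($t.pKIDefaultCSPs | Where-Object { $_ } |
        Sort-Object { [int]($_ -split ',', 2)[0] } |
        ForEach-Object { ($_ -split ',', 2)[1] })

    $exportable = [bool]([int]$t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)

    # Assumption: an empty list means the client may use any provider.
    $finding = if ($providers.Count -gt 0) { 'OK' }
               elseif ($exportable)        { 'No provider list, key export allowed' }
               else                        { 'No provider list' }

    [pscustomobject]@{
        Template      = $t.displayName
        SchemaVersion = $t.'msPKI-Template-Schema-Version'
        Exportable    = $exportable
        Providers     = $providers -join '; '
        Finding       = $finding
    }
}

# Show the templates that need attention first.
$report | Sort-Object Finding, Template |
    Format-Table Template, SchemaVersion, Exportable, Finding, Providers -AutoSize
```

Templates reported as "No provider list, key export allowed" are the ones that can produce the enrollment error described in this article.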