You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed.
You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed.
https://github.com/microsoft/service-fabric/issues/773
It appears there may be 2 issues here:
-
the certificate's private key is not ACL'd to NetworkService; to fix this, please open the Management Console (start -> run -> mmc), navigate to 'Local Computer Certificates' (file -> add snap-in -> certificates, local computer) and examine the private key access list (right click on the certificate, 'All tasks' -> Manage private key..). If NetworkService is not listed: Add -> %computername%\Network Service -> 'check', followed by ok. (You may need to replace %computername% with the actual host name.)
-
the certificate is issued by an unsupported provider. The error (0x80090014/NTE_BAD_PROV_TYPE) indicates that the certificate was issued by a CNG key provider, which the SF runtime does not currently support. Note that ACLing errors are not fatal, and should not be the cause of the cluster's failure to start.
To confirm that is the case, please run the following, from a PowerShell prompt:
cd Cert:\LocalMachine\My
certutil -v -store my | findstr -i provider
If the output contains something like this:
Provider = Microsoft Software Key Storage Provider
then indeed this is a CNG certificate (issued with a Key Storage Provider).
I presume the certificate was created with the New-SelfSignedCertificate PowerShell cmdlet, which, unless otherwise specified, will use a CNG provider. If that is the case, and it is possible for you to create another certificate to be used for this cluster, you may try the following:
New-SelfSignedCertificate -NotBefore '' -NotAfter '' -DnsName -CertStoreLocation Cert:\LocalMachine\My -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy ExportableEncrypted -Type Custom -Subject ""
Note this is just an example - the complete list of Crypto API Cryptographic Service Providers can be found here.
We are addressing this issue in an upcoming release.
Thanks.
