Troubleshooting SSL Certificate Errors with Single Sign-On in Content Central


Problem

After replacing an SSL certificate for Content Central, Single Sign-On (SSO) users may receive the following error:

Alert
System.ArgumentException: Provided certificate is not valid for encryption/decryption.
This typically indicates either insufficient private key permissions in the Windows certificate store, or that the certificate lacks the key usage purposes required for encryption.

Initial Troubleshooting Steps

1. Verify Certificate Key Usage

  • Open certlm.msc and navigate to Personal > Certificates.

  • Double-click the certificate to open its properties.

  • Select the Details tab and check the Key Usage (or Enhanced Key Usage) field.

Required: the Key Usage field must include both Digital Signature AND Key Encipherment, or be absent altogether (unrestricted).
Problem: if a Key Usage field exists but lacks Key Encipherment, the certificate cannot be used for encryption, which produces the error above.

Info
If no Key Usage field is present, the certificate is unrestricted and this is not the issue.

2. Check Private Key Permissions

  • In certlm.msc, right-click the certificate and select All Tasks > Manage Private Keys.

  • Verify the IIS AppPool identity (e.g., IIS AppPool\ContentCentral) has at least Read permission.

  • If missing, add the AppPool identity with Read permission.

Advanced Diagnosis: Provider Issue

If both checks pass but the error persists, verify the cryptographic provider.

Run this command from an elevated PowerShell (or Command Prompt) window: certutil -store My "<certificate name>"

Alert
Problem indicator: Provider = Microsoft Software Key Storage Provider (or any other CNG key storage provider).
Required: Provider = Microsoft RSA SChannel Cryptographic Provider.
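The three checks above (Key Usage, private key permissions, and cryptographic provider) can be run in one pass. The script below is an added example written for this article; it is not code from Ademero or Content Central. It assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) in an elevated session, an RSA certificate in LocalMachine\My, the on-disk key locations noted in the comments, and a placeholder subject name and app pool name that you replace with your own.

```powershell
# Added diagnostic script; not part of the original article or of Content Central.
# Assumptions: Windows PowerShell 5.1 (.NET Framework 4.6+), elevated session,
# RSA certificate in LocalMachine\My, app pool named "ContentCentral".
function Test-SsoCertificate {
    param(
        [Parameter(Mandatory)] [string] $SubjectName,              # placeholder, e.g. "sso.example.com"
        [string] $AppPoolIdentity = 'IIS AppPool\ContentCentral'   # assumption: your pool name may differ
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$SubjectName and a private key in LocalMachine\My" }

    # Check 1 (Key Usage): no extension means unrestricted; if present it needs both bits.
    $kuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $need  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    $keyUsageOk = (-not $kuExt) -or (($kuExt.KeyUsages -band $need) -eq $need)

    # Check 2 (provider): legacy CSP keys are returned as RSACryptoServiceProvider, CNG keys as RSACng.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw 'Private key is not RSA; ECC/ECDSA certificates are not supported for this SSO setup.' }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $provider = $rsa.CspKeyContainerInfo.ProviderName
        # Assumed on-disk location of CSP machine keys.
        $keyFile  = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    } else {
        $provider = $rsa.Key.Provider.Provider                     # e.g. "Microsoft Software Key Storage Provider"
        # Assumed on-disk location of software KSP machine keys.
        $keyFile  = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    $providerOk = $provider -eq 'Microsoft RSA SChannel Cryptographic Provider'

    # Check 3 (private key ACL): the app pool identity needs at least Read on the key file.
    $aclOk = $null                                                 # $null = could not be determined
    if (Test-Path -LiteralPath $keyFile) {
        $read  = [System.Security.AccessControl.FileSystemRights]::Read
        $aclOk = [bool] ((Get-Acl -LiteralPath $keyFile).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $AppPoolIdentity -and   # -eq is case-insensitive ("IIS APPPOOL\...")
            (($_.FileSystemRights -band $read) -eq $read)
        })
    }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        KeyUsage      = $(if ($kuExt) { "$($kuExt.KeyUsages)" } else { '(none, unrestricted)' })
        KeyUsageOk    = $keyUsageOk
        Provider      = $provider
        ProviderOk    = $providerOk
        KeyFile       = $keyFile
        AppPoolReadOk = $aclOk
    }
}

# Example call with a placeholder subject name:
Test-SsoCertificate -SubjectName 'sso.example.com' | Format-List
```

A false value in KeyUsageOk or ProviderOk points at the corresponding section of this article. AppPoolReadOk only looks for an ACE granted directly to the app pool identity; if Read is inherited through a group, or the key lives in a hardware or TPM provider with no file on disk, the field stays null and the permissions must be confirmed in certlm.msc as described above.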

Resolution for Provider Issue

If the Certificate is Exportable

  1. Export the certificate with its private key: certutil -exportPFX My "<certificate name>" c:\temp\cert.pfx

  2. Delete the existing certificate from the store.

  3. Re-import with the legacy provider: certutil -importPFX -csp "Microsoft RSA SChannel Cryptographic Provider" c:\temp\cert.pfx

  4. Grant the IIS AppPool identity access to the private key (as described above).
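The four steps above can be scripted so the PFX never needs a hand-typed password and does not linger on disk afterwards (it contains the private key). This is an added example for this article, not Ademero's own tooling; it assumes an elevated Windows PowerShell session, an exportable RSA certificate in LocalMachine\My, and a thumbprint you take from certlm.msc (placeholder below). Step 4, granting the app pool identity access, is still done in certlm.msc as described above.

```powershell
# Added example; not part of the original article. Re-keys a certificate from a CNG
# provider to the legacy SChannel CSP using the same certutil steps as the article.
# Assumptions: elevated Windows PowerShell, exportable RSA certificate in LocalMachine\My.
function Convert-SsoCertificateToLegacyCsp {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,                 # SHA-1 thumbprint from certlm.msc (placeholder)
        [string] $PfxPath = (Join-Path $env:TEMP 'sso-rekey.pfx')
    )
    $legacyCsp = 'Microsoft RSA SChannel Cryptographic Provider'

    # One-time random PFX password; it protects the file only for the seconds it exists.
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $pfxPassword = [Convert]::ToBase64String($bytes)
    if (Test-Path -LiteralPath $PfxPath) { Remove-Item -LiteralPath $PfxPath -Force }

    # 1. Export the certificate with its private key (fails if the key is not exportable).
    certutil -p $pfxPassword -exportPFX My $Thumbprint $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $PfxPath)) {
        throw 'Export failed; the private key is probably not exportable (see the next section).'
    }

    # 2. Delete the existing (CNG-backed) certificate from the store.
    certutil -delstore My $Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Remove-Item -LiteralPath $PfxPath -Force
        throw 'Could not delete the existing certificate; nothing was changed.'
    }

    # 3. Re-import, binding the key to the legacy CSP.
    certutil -p $pfxPassword -csp $legacyCsp -importPFX My $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Keep the PFX: it is now the only copy of the key. Import it by hand with the password printed here.
        throw "Import failed; PFX left at $PfxPath (password: $pfxPassword)"
    }
    Remove-Item -LiteralPath $PfxPath -Force                        # private key material is back in the store only

    # Confirm the provider line certutil now reports for this certificate.
    $providerLine = (certutil -store My $Thumbprint | Select-String '^\s*Provider = ').Line
    $providerOk   = [bool] ($providerLine -match [regex]::Escape($legacyCsp))
    Write-Warning "Step 4 still applies: grant 'IIS AppPool\<pool>' Read on the private key (certlm.msc > Manage Private Keys)."
    $providerOk
}

# Example call with a placeholder thumbprint:
Convert-SsoCertificateToLegacyCsp -Thumbprint 'PLACEHOLDER_SHA1_THUMBPRINT'
```

The function returns $true only when certutil reports the legacy provider after the re-import. Because the thumbprint is unchanged, IIS bindings and the IdP configuration do not need to be updated in this path.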

If the Certificate is NOT Exportable

  1. Generate a new CSR and mark it as exportable.

  2. Obtain a new certificate from the Certificate Authority (CA).

  3. Import with the legacy provider (see step 3 above).

  4. Update IIS bindings to use the new certificate.

  5. Update the SSO IdP configuration with the new certificate.

Optional Workaround (Signing Only)

If the certificate lacks Key Encipherment and cannot be replaced, you may configure Sustainsys to use the certificate for signing only.

Edit web.sustainsys.saml2.config:

<add storeName="My" storeLocation="LocalMachine"
     findValue="<certificate name>"
     x509FindType="FindBySubjectName"
     use="Signing" />

Warning
This limits the certificate to signing operations only. If encryption is required by the IdP, it may not be supported. Use this workaround only if encryption is not required.

Prevention

When requesting new certificates for SSO:

  • Use the RSA algorithm (not ECC/ECDSA).

  • Ensure Digital Signature and Key Encipherment usage (or unrestricted).

  • Mark the certificate as exportable.

  • Use the Microsoft RSA SChannel Cryptographic Provider (legacy CSP), not CNG.

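Every item in the Prevention list (and step 1 of the non-exportable procedure, "generate a new CSR and mark it as exportable") can be fixed in the request file itself, so the certificate comes back from the CA already usable. The script below is an added example for this article, not Ademero's own procedure; it assumes an elevated Windows PowerShell session, the standard certreq INF format, and a placeholder subject name. Enrolling the CSR with your CA and accepting the issued certificate are outside the script.

```powershell
# Added example; not part of the original article. Builds a certreq request file that
# meets the Prevention checklist: RSA, Digital Signature + Key Encipherment, exportable,
# legacy SChannel CSP. Assumptions: elevated Windows PowerShell, placeholder subject name.
function New-SsoCertificateRequest {
    param(
        [Parameter(Mandatory)] [string] $SubjectName,                # placeholder, e.g. "sso.example.com"
        [string] $OutDir = (Join-Path $env:TEMP 'sso-csr')
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $infPath = Join-Path $OutDir 'request.inf'
    $csrPath = Join-Path $OutDir 'request.csr'

    # KeyUsage 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20).
    # ProviderType 12 = PROV_RSA_SCHANNEL; KeySpec 1 = AT_KEYEXCHANGE (usable for signing and encryption).
    # EKU 1.3.6.1.5.5.7.3.1 = Server Authentication; 2.5.29.17 = Subject Alternative Name.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$SubjectName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$SubjectName"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
    Set-Content -LiteralPath $infPath -Value $inf -Encoding ASCII

    # Creates the key pair in the machine store and writes the CSR to hand to the CA.
    certreq -new $infPath $csrPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq failed; inspect $infPath" }
    $csrPath
}

# Example call with a placeholder subject name:
New-SsoCertificateRequest -SubjectName 'sso.example.com'
```

Submit the returned .csr file to the CA, then install the issued certificate with certreq -accept <issued.cer> so it is paired with the pending key in LocalMachine\My. Because the provider, key usage and exportability were fixed at request time, the store checks earlier in this article should pass on the first try, leaving only the IIS binding, the IdP configuration and the private key permission for the app pool.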


Info

If the issue persists after completing these steps, gather the following before contacting Ademero Support:

  • A screenshot of the certificate properties (Key Usage and Provider).

  • A screenshot of the certificate private key permissions.

  • The output of certutil -store My "<certificate name>".

This will help the support team diagnose the problem more quickly.