Yesterday I issued a certificate for my new Exchange 2013 server, and everything worked fine. Today I got this error message when I tried to start the ECP:
And the event log is also completely red with event 1003:
[Ecp] An internal server error occurred. The unhandled exception was: System.Security.Cryptography.CryptographicException: Invalid provider type specified
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at Microsoft.Exchange.HttpProxy.FbaModule.ParseCadataCookies(HttpApplication httpApplication)
   at Microsoft.Exchange.HttpProxy.FbaModule.OnBeginRequestInternal(HttpApplication httpApplication)
   at Microsoft.Exchange.HttpProxy.ProxyModule.c__DisplayClass8.b__7()
   at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(TryDelegate tryDelegate, FilterDelegate filterDelegate, CatchDelegate catchDelegate)
Self-explanatory error messages look different, but fortunately you can deduce a bit if you read this one carefully:
System.Security.Cryptography.CryptographicException: Invalid provider type specified
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
It seems that the certificate specifies an invalid provider type and that something RSA-related is expected. So let's check the certificate store:
certutil -store my
The provider doesn't say anything about RSA, so that could be the problem. I had taken the liberty of selecting "Server 2008 compatible" for the certificate template, so I am now creating a new template with "Server 2003".
In the new template, RSA is also listed as the provider under Cryptography.
So I quickly created a new certificate with the new template and assigned it via the shell, as ECP no longer starts. To do this, display the certificates with
Get-ExchangeCertificate | fl thumbprint,notafter,services
then pick the corresponding thumbprint and assign the certificate with
Enable-ExchangeCertificate -Thumbprint 10DB8A5538EABF994E1667D7B0EE93CA003EC368 -Services IIS,SMTP,IMAP,POP
The ECP will then work again with the new certificate.
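
To find out ahead of time which certificates in the machine store would trigger this exception, the check below calls the same X509Certificate2.PrivateKey getter that fails in the stack trace and reports the provider of each key. It is an added example, not part of the original post; it assumes Windows PowerShell 5.1 on .NET Framework run from an elevated prompt, and the function name Test-LegacyCspKey is hypothetical.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1
# (.NET Framework), run elevated so machine private keys are readable.
# Test-LegacyCspKey is a hypothetical helper name.
function Test-LegacyCspKey {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $result = [ordered]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            NotAfter   = $Certificate.NotAfter
            Provider   = $null
            ProvType   = $null
            LegacyCsp  = $false
            Error      = $null
        }
        if (-not $Certificate.HasPrivateKey) {
            $result.Error = 'No private key associated'
        }
        else {
            try {
                # Same property getter that fails in the stack trace above.
                $key  = $Certificate.PrivateKey
                $info = $key.CspKeyContainerInfo
                $result.Provider  = $info.ProviderName
                $result.ProvType  = $info.ProviderType
                $result.LegacyCsp = $true
            }
            catch {
                # The innermost exception carries the CryptographicException text.
                $result.Error = $_.Exception.GetBaseException().Message
            }
        }
        [pscustomobject]$result
    }
}

# Certificates that cannot be opened through the legacy CSP API sort first.
Get-ChildItem Cert:\LocalMachine\My |
    Test-LegacyCspKey |
    Sort-Object LegacyCsp |
    Format-Table Thumbprint, NotAfter, LegacyCsp, Provider, ProvType, Error -AutoSize
```

A row with LegacyCsp set to False and the error "Invalid provider type specified" marks a certificate that should not be passed to Enable-ExchangeCertificate in this setup.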