Consider the following scenario:
After updating the SSL certificate used by Microsoft Dynamics CRM, you may encounter the following error messages when attempting to access the website or FederationMetadata.xml page:
HTTP 500 Error ‘Keyset does not exist’
Error: Unhandled Exception: System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=18.104.22.168, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error. Reference number for administrators or support: #61396B66Detail: -2147220970 System.Security.Cryptography.CryptographicException: Microsoft Dynamics CRM has experienced an error.
Keyset does not exist Not available Not available https://crmwebsite.domain.com/Handlers/FederationMetadata.ashx /Handlers/FederationMetadata.ashx ASHX_XML
After deploying a new certificate using the Legacy key template, a ‘Keyset does not exist’ error may occur.
The new certificate placed in the deployment may have been created using a CNG key template. Certificates created using a CNG key template are not supported by Microsoft Dynamics CRM.
The new certificate’s Cryptographic Service Provider setting was not configured to act as an encryption certificate. This setting on the new certificate was set to ‘Microsoft RSA SChannel Cryptographic Provider (Signature)’, which is the default Cryptographic Service Provider setting when a custom certificate request is generated. Even though an encrypt option exists on the certificate, this setting overrides it and makes the certificate a signing certificate, which is invalid for encryption purposes.
Create a new custom certificate request using the Legacy key template and set the Cryptographic Service Provider setting to ‘Microsoft RSA SChannel Cryptographic Provider (Encryption)’.
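To confirm which of the two causes applies before reissuing, the following added example (not part of the original article or of Microsoft's tooling) inspects an installed certificate's key provider and key spec. It assumes Windows PowerShell 5.1 on .NET Framework and an elevated prompt; the function name Test-CrmCertificateKey and the MatchesResolution field are hypothetical names chosen here.

```powershell
# Added example: checks whether a certificate's private key is a legacy CSP
# key with the Exchange (encryption) key spec, as the resolution requires.
function Test-CrmCertificateKey {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    # Normalise the thumbprint (strips spaces and hidden characters from copy/paste).
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert  = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate $clean found in $StorePath" }

    $result = [ordered]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        KeyApi            = 'None (no private key)'
        ProviderName      = $null
        KeySpec           = $null
        MatchesResolution = $false
    }

    if ($cert.HasPrivateKey) {
        # X509Certificate2.PrivateKey only understands legacy CryptoAPI keys.
        # For a CNG key it throws or yields $null, which is itself the finding.
        $key = $null
        try { $key = $cert.PrivateKey } catch { $key = $null }
        $csp = $key -as [System.Security.Cryptography.RSACryptoServiceProvider]

        if ($csp) {
            $info = $csp.CspKeyContainerInfo
            $result.KeyApi       = 'Legacy CSP'
            $result.ProviderName = $info.ProviderName
            # KeyNumber: Exchange = encryption key, Signature = signing only.
            $result.KeySpec      = $info.KeyNumber
            $result.MatchesResolution =
                ($info.ProviderName -eq 'Microsoft RSA SChannel Cryptographic Provider') -and
                ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)
        } else {
            $result.KeyApi = 'CNG or unreadable key'
        }
    }
    [pscustomobject]$result
}

# Constructed placeholder thumbprint; substitute the deployed certificate's value.
# Test-CrmCertificateKey -Thumbprint '0000000000000000000000000000000000000000'
```

A KeyApi of 'CNG or unreadable key' corresponds to the CNG key template cause, and a KeySpec of Signature corresponds to the ‘(Signature)’ provider setting cause.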
Article ID: 3079686 - Last Review: Jul 13, 2015 - Revision: 1