Sometimes you may encounter this error on the certificate when creating a Web Listener: Incorrect key type.
To be sure you generate a valid certificate, here are some clues:
- As described by Yuri Diogenes in his article Incorrect Key Type when Creating a Web Listener on TMG using V3 Certificate, CNG (Cryptography Next Generation) certificates, introduced with Windows Server 2008, are not supported by Forefront TMG.
- Be sure to put all the required information about the keys in the request.
For the last point, you will find below a sample request file to use with the following command line: certreq -New <certreq.inf> <csrfile.req>
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=lyncweb.security.lab,OU=Unified Communication,O=SNH Lab,L=PARIS,S=FRANCE,C=FR"
Exportable = TRUE
KeySpec = AT_KEYEXCHANGE
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_NON_REPUDIATION_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
MachineKeySet = TRUE
KeyLength = 2048
FriendlyName = "REVERSEADFS"
AlternateSignatureAlgorithm = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=lyncweb.security.lab&"
_continue_ = "dns=dialin.security.lab&"
_continue_ = "dns=meet.security.lab&"
_continue_ = "dns=lyncdiscover.security.lab&"

[RequestAttributes]
CertificateTemplate = "WebServer"
The command line will generate a CSR (Certificate Signing Request) to send to the certification authority.
Here's a brief description of some of these fields:
| Field | Description |
| --- | --- |
| Exportable | The private key will be tagged as exportable (interesting, right? ;)) |
| KeySpec | Key usage; here AT_KEYEXCHANGE, a key exchange key, as needed to build an SSL/TLS tunnel |
| KeyUsage | Usages covered by the key; here signature / key encipherment / non-repudiation / data encipherment |
| ProviderName | Name of the CSP (Cryptographic Service Provider) to use |
| ProviderType | Numeric type of the CSP to use (12 goes with the RSA SChannel provider above) |
| MachineKeySet | Force the use of the computer certificate store rather than the user's |
| KeyLength | Key size in bits |
| FriendlyName | Display name, only for "user friendliness" |
| AlternateSignatureAlgorithm | Enable/disable the CNG feature (FALSE here) |
| OID | Object Identifier (OID) of the enhanced key usage; here Server Authentication |
| 2.5.29.17 | Tells that we will provide Subject Alternative Names (the SAN extension OID) |
| CertificateTemplate | If you send the request file to a private PKI, you can provide the template name to use. The provided name must be the template name, not the display name shown in the PKI console. |
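The request file above and the field table can be checked mechanically before the CSR is submitted. The following Python script is an added example, not code from the original post or from Microsoft's certreq tool: it parses the certreq INF layout (section headers, Key = Value lines, and the _continue_ lines that append to the previous value) and flags the settings the post ties to the Incorrect key type error (a CNG key storage provider, AlternateSignatureAlgorithm set to TRUE), plus a KeySpec other than AT_KEYEXCHANGE, a key shorter than 2048 bits, and warnings for an exportable key, a user-store key and a CN missing from the SAN list. The sample request text is constructed from the post's file; the "Key Storage Provider" substring test is an assumption based on the names of Microsoft's software CNG providers, not a complete list.

```python
"""Lint a certreq.inf before running certreq -New on it (added example)."""
import re

# Constructed sample: the request file from the post, one key per line.
SAMPLE_OK = """\
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "CN=lyncweb.security.lab,OU=Unified Communication,O=SNH Lab,L=PARIS,S=FRANCE,C=FR"
Exportable = TRUE
KeySpec = AT_KEYEXCHANGE
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE"
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
MachineKeySet = TRUE
KeyLength = 2048
AlternateSignatureAlgorithm = FALSE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=lyncweb.security.lab&"
_continue_ = "dns=dialin.security.lab&"
_continue_ = "dns=meet.security.lab&"
_continue_ = "dns=lyncdiscover.security.lab&"
"""

# Constructed variant with the two mistakes the post warns about:
# a CNG key storage provider and the alternate (V3-style) signature algorithm.
SAMPLE_CNG = (SAMPLE_OK
              .replace('"Microsoft RSA SChannel Cryptographic Provider"',
                       '"Microsoft Software Key Storage Provider"')
              .replace("AlternateSignatureAlgorithm = FALSE",
                       "AlternateSignatureAlgorithm = TRUE"))


def parse_inf(text):
    """Parse certreq INF text into {section: {key: value}}; quotes are stripped
    and each _continue_ line is appended to the previous key's value."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank or comment line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current, last_key = header.group(1), None
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "_continue_":
            if last_key is None:
                raise ValueError("_continue_ with no preceding key")
            sections[current][last_key] += value
        else:
            sections[current][key] = value
            last_key = key
    return sections


def subject_cn(subject):
    """Return the CN component of an X.500 subject string, or None."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    return m.group(1).strip() if m else None


def san_dns_names(sections):
    """Return the dns= entries of the SAN (2.5.29.17) extension, lower-cased."""
    ext = sections.get("Extensions", {}).get("2.5.29.17", "")
    ext = ext[len("{text}"):] if ext.startswith("{text}") else ext
    names = []
    for part in ext.split("&"):
        part = part.strip()
        if part.lower().startswith("dns="):
            names.append(part[4:].strip().lower())
    return names


def lint_request(sections):
    """Return (level, message) findings; 'error' means TMG will likely reject the key."""
    req, findings = sections.get("NewRequest", {}), []
    provider = req.get("ProviderName", "")
    if "Key Storage Provider" in provider:          # heuristic for CNG KSP names (assumption)
        findings.append(("error", f"{provider} is a CNG provider; use a legacy CSP"))
    elif not provider:
        findings.append(("warning", "no ProviderName given; the default provider may be CNG"))
    if req.get("AlternateSignatureAlgorithm", "FALSE").upper() != "FALSE":
        findings.append(("error", "AlternateSignatureAlgorithm must be FALSE (no V3 certificate)"))
    if req.get("KeySpec", "").upper() not in ("AT_KEYEXCHANGE", "1"):   # 1 is the numeric form
        findings.append(("error", "KeySpec should be AT_KEYEXCHANGE for an SSL/TLS key"))
    bits = int(req["KeyLength"]) if req.get("KeyLength", "").isdigit() else 0
    if bits < 2048:
        findings.append(("error", f"KeyLength {bits} is below 2048 bits"))
    if req.get("MachineKeySet", "FALSE").upper() != "TRUE":
        findings.append(("warning", "MachineKeySet is not TRUE; the key would go to the user store"))
    if req.get("Exportable", "FALSE").upper() == "TRUE":
        findings.append(("warning", "Exportable = TRUE: the private key can be copied out of the store"))
    cn = subject_cn(req.get("Subject", ""))
    if cn and cn.lower() not in san_dns_names(sections):
        findings.append(("warning", f"Subject CN {cn} is missing from the SAN dns list"))
    return findings


def errors(findings):
    """Only the findings that would reproduce the Incorrect key type problem."""
    return [msg for level, msg in findings if level == "error"]
```

Run it on the real certreq.inf by reading the file into `parse_inf` and printing `lint_request`'s output; the post's own sample produces no errors, only the exportable-key warning, while the CNG variant is rejected on the provider and the signature algorithm.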