
Fix Invalid Provider Type Specified in Dell Security Management

Summary: Resolve the error "Invalid provider type specified" that occurs when attempting to install the Dell Security Management Server software or import a new certificate in the Server Configuration Tool.


Symptoms

Affected Products:

  • Dell Security Management Server
  • Dell Data Protection | Enterprise Edition

Affected Versions:

  • v10.2.11 and Earlier

Cause

Dell Security Management Server versions 10.2.11 and earlier do not implement the Cryptography API: Next Generation (CNG). Because of this, these versions of Dell Encryption cannot import or use private keys that are stored using the Microsoft Key Storage Provider.

Resolution

The private key must be switched from the Microsoft Key Storage Provider to a Legacy Cryptographic Service Provider.

Validate the certificate provider type using certutil.

Example command: certutil -store my

Figure 1: (English Only) certutil -store my

This problem occurs if the provider is the Microsoft Software Key Storage Provider.

Export the certificate and private key in PKCS#12 (PFX) format using the Certificates snap-in in the Microsoft Management Console (MMC). The PFX should be exported with the "Include all certificates in the certification path if possible" and "Export all extended properties" options checked.

OpenSSL contains a method to alter the Cryptographic Service Provider. A copy of OpenSSL is included with the Dell Data Protection | Enterprise Server installation beginning with v7.2. The binaries are in <INSTALL_PATH>\Dell\Enterprise Edition\OpenSSL\bin.

Change the directory to the directory containing the OpenSSL binaries.

Example command: cd C:\Program Files\Dell\Enterprise Edition\OpenSSL\bin

Use OpenSSL to convert the PFX to PEM format.

Example command: openssl pkcs12 -in C:\Temp\KSP-pfx.pfx -out C:\Temp\OpenSSL-pem.pem

Figure 2: (English Only) openssl pkcs12 -in C:\Temp\KSP-pfx.pfx -out C:\Temp\OpenSSL-pem.pem

Provide the full path to the previously exported PFX to the "-in" parameter. Provide a full path to a new file for the PEM output to the "-out" parameter. OpenSSL creates the file that is specified in the "-out" parameter.

When prompted for "Enter Import Password:", use the password for the PFX specified during export.

When prompted for "Enter PEM pass phrase:" and "Verifying - Enter PEM pass phrase:", enter either the same password as the PFX export password or a new password for use in the next step.

Use OpenSSL to convert the new PEM back to the PFX format with a different CSP specified.

Example command: openssl pkcs12 -export -in C:\Temp\OpenSSL-pem.pem -out C:\Temp\CSP-pfx.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Figure 3: (English Only) openssl pkcs12 -export -in C:\Temp\OpenSSL-pem.pem -out C:\Temp\CSP-pfx.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Provide the full path to the previously created PEM to the "-in" parameter. Provide a full path to a new file for the PFX output to the "-out" parameter. OpenSSL creates the file that is specified in the "-out" parameter. The -CSP parameter accepts the name of a Microsoft Cryptographic Service Provider that is associated with the CryptoAPI (https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx).

Note:
  • The CSP portion of the -CSP parameter is case-sensitive. Using lowercase -csp causes the command to fail.
  • The Microsoft Enhanced RSA and AES Cryptographic Provider is a suggestion and not the only CSP available for use.

When prompted for "Enter pass phrase for <PEM_FILE>:", use the password for the PEM specified during the PEM generation step.

When prompted for "Enter Export Password:" and "Verifying - Enter Export Password:", enter either the same password as the original PFX export password or a new password for use with the resulting PFX file.

Delete the previous certificate from the Local Computer’s Personal store using the Certificates snap-in in the Microsoft Management Console (MMC).

Import the PFX generated with OpenSSL to the Local Computer’s Personal store using the Certificates snap-in in the Microsoft Management Console (MMC). The PFX should be imported with the "Mark this key as exportable" and "Include all extended properties" options checked.

Validate the certificate provider type using certutil.

Example command: certutil -store my

Figure 4: (English Only) certutil -store my

Use the Configure Certificates…, Import DM Certificate…, and Import Identity Certificate… menu options in the Server Configuration Tool to associate the new certificate to the Dell Core Server and import the new PFX to the DDP database.

Note: If an error occurs stating Keyset does not exist, export a new PFX from the Microsoft Management Console (MMC) after importing the version output by OpenSSL.
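
The provider check performed with certutil before and after the conversion can be scripted. The following PowerShell is an added example, not part of the original article or of Dell's tooling; the function name Get-CertProvider is hypothetical, the sample text is constructed, and it assumes the English certutil layout in which each certificate block contains a "Subject:" line and, when a private key is present, a "Provider = ..." line.

```powershell
# Added example: flag certificates whose private key sits in the CNG
# Key Storage Provider, based on the text output of `certutil -store my`.
function Get-CertProvider {
    param(
        [string[]]$Lines,
        # Provider name the article identifies as the cause of the error.
        [string]$KspName = 'Microsoft Software Key Storage Provider'
    )
    $rows = @()
    $cur  = $null
    foreach ($line in $Lines) {
        if ($line -match '^=+\s*Certificate\s+(\d+)\s*=+') {
            # A new certificate block starts; emit the previous one.
            if ($cur) { $rows += [pscustomobject]$cur }
            $cur = [ordered]@{ Index = [int]$Matches[1]; Subject = $null; Provider = $null }
        } elseif ($cur -and $line -match '^Subject:\s*(.+)$') {
            $cur.Subject = $Matches[1].Trim()
        } elseif ($cur -and $line -match '^\s*Provider\s*=\s*(.+)$') {
            $cur.Provider = $Matches[1].Trim()
        }
    }
    if ($cur) { $rows += [pscustomobject]$cur }
    # Certificates without a private key have no Provider line and are not flagged.
    $rows | Select-Object *, @{ n = 'NeedsConversion'; e = { $_.Provider -eq $KspName } }
}

# Constructed sample output (not captured from a real server).
$sample = @'
================ Certificate 0 ================
Subject: CN=ddp-server.example.test
  Provider = Microsoft Software Key Storage Provider
================ Certificate 1 ================
Subject: CN=converted.example.test
  Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
================ Certificate 2 ================
Subject: CN=no-private-key.example.test
'@ -split "`r?`n"

# Only Certificate 0 is reported with NeedsConversion = True.
Get-CertProvider -Lines $sample | Format-Table -AutoSize

# On the server itself, feed the live store instead:
# Get-CertProvider -Lines (certutil -store my) | Where-Object NeedsConversion
```

After the re-import, the certificate used by the server should no longer appear in the NeedsConversion list.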

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption
Article Properties
Article Number: 000124734
Article Type: Solution
Last Modified: 17 Jun 2024
Version:  12