When running the ADFS configuration Wizard or renewing a new service communications you will get a “The certificates with the CNG private key are not supported” error unless the certificate was created with a legacy non CNG key. There is a useful blog post here https://blogs.technet.microsoft.com/mspfe/2013/11/29/adfs-configuration-wizard-fails-with-error-the-certificates-with-the-cng-private-key-are-not-supported/ on what to do if you are using a Microsoft certificate authority.
Assuming you are using someone else’s CA the following steps can be used to get a CSR and legacy non CNG private key (Will work post sha1 sunset)
1. Run an MMC and add the local computers certificate store.
2. Expand Personal and Certificates, right click on Certificates > All tasks > Advanced > Create Custom Request.
3. Click on Next then select “Proceed without enrollment policy” and Next again.
4. Change the template to “(no template) Legacy key”
5. Expand the details drop down, click on Properties and make sure to set the correct CN, DNS names, country code etc as required. You must also set the key size to 2048 or higher and you may want to mark the key as exportable if you have other servers that need to share the same private key.
6. Click through and save the CSR and provide this to your CA.
7. When you have the certificate from the CA, import it to the personal store on this computer.
8. Run this command in PowerShell to determine the CertificateHash of the new certificate:
Review the list of returned certs and note the Thumbprint of the new one.
9. You can now set the service to use this certificate. While the GUI will let you select the service certificate, the http.sys hosted SSL endpoint can only be updated in powershell so you might as well do both like that.
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint thumbprint
Set-AdfsSslCertificate -Thumbprint thumbprint
If you have any doubt as to what the service is configured to use either before or after the change you can run the equivalent get command. e.g. Get-AdfsCertificate
(If in doubt as to which one is configured, them get-adfssslcertificate can be run as well)