There are two options for KeySpec:
- “1” or “XCN_AT_KEYEXCHANGE”
- “2” or “XCN_AT_SIGNATURE”
With ADFS, the certificate needs to support key exchange, so the required KeySpec is "1" or "XCN_AT_KEYEXCHANGE". If the other option is chosen, you may end up with failures when trying to log in to CRM, and you will see errors in the event viewer on the ADFS server similar to the one below.
Exception type: NotSupportedException
Exception message: The private key does not support the exchange KeySpec.
at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.DecryptKey(String algorithm, Byte keyData)
While a certificate generated with "XCN_AT_SIGNATURE" will still appear valid and will secure the web pages over HTTPS, authentication with ADFS will not succeed, so the certificate will need to be regenerated with KeySpec "1".
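The following is an added example, not code from the original page: two PowerShell functions a defender can run on the ADFS server to catch this problem before and after it happens. Get-CertificateKeySpec reads the KeySpec of a certificate's private key so it can be verified before the certificate is bound to ADFS; Find-AdfsKeySpecFailures searches the event log for the message quoted above. It assumes Windows PowerShell 5.1 (.NET Framework), that the certificate is in Cert:\LocalMachine\My, and that its private key is in a legacy CSP container (KeySpec only applies to CSP keys). The thumbprint and the event log name are placeholders and assumptions, not values from the page.

```powershell
# Added example, not taken from the original page.
# Assumptions: Windows PowerShell 5.1 (.NET Framework), the certificate is in
# Cert:\LocalMachine\My, and its private key is in a legacy CSP container (KeySpec
# only applies to CSP keys). Thumbprint and log name are placeholders.

function Get-CertificateKeySpec {
    param(
        [Parameter(Mandatory)]
        [string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: machine personal store
    )

    $cert = Get-Item -Path "$StorePath\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this machine."
    }

    # For CSP-backed RSA keys, PrivateKey is an RSACryptoServiceProvider whose
    # CspKeyContainerInfo.KeyNumber is Exchange (1, AT_KEYEXCHANGE) or
    # Signature (2, AT_SIGNATURE); these are the two KeySpec values the page lists.
    try {
        $rsa = $cert.PrivateKey
    } catch {
        throw "Private key could not be opened as a CSP key (CNG/KSP key?): $($_.Exception.Message)"
    }
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        throw 'Private key is not in a legacy CSP container; KeySpec does not apply to it.'
    }

    $keyNumber   = $rsa.CspKeyContainerInfo.KeyNumber
    $isExchange  = ($keyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)
    $keySpecName = 'XCN_AT_SIGNATURE'
    if ($isExchange) { $keySpecName = 'XCN_AT_KEYEXCHANGE' }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Provider      = $rsa.CspKeyContainerInfo.ProviderName
        KeySpec       = [int]$keyNumber      # 1 or 2
        KeySpecName   = $keySpecName
        UsableForAdfs = $isExchange          # ADFS needs AT_KEYEXCHANGE
    }
}

function Find-AdfsKeySpecFailures {
    param(
        # assumption: 'AD FS/Admin' is the ADFS 3.0+ log; ADFS 2.0 uses 'AD FS 2.0/Admin'
        [string]$LogName   = 'AD FS/Admin',
        [int]$MaxEvents    = 200
    )
    # Match the message text quoted on the page rather than an event ID, because the
    # event ID wrapping the exception differs between ADFS versions.
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $_.Message -match 'does not support the exchange KeySpec' } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage (replace the placeholder with the real thumbprint of the ADFS certificate):
#   Get-CertificateKeySpec -Thumbprint '<THUMBPRINT>'
#   Find-AdfsKeySpecFailures
```

Run Get-CertificateKeySpec against the candidate certificate before configuring it in ADFS; a KeySpec of 2 (XCN_AT_SIGNATURE) means the certificate must be regenerated with KeySpec = 1, as the page states, even though it will otherwise look healthy in the certificate store and in IIS.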