ADCS cannot import PFX file with CA certificate and ECDSA private key


I had used ADCS to create Standalone Subordinate CAs before, with ADCS generating the ECDSA P256 private key (using the ECDSA_P256#Microsoft Software Key Storage Provider) and a CSR, then the parent CA signing the Subordinate CA certificate (using SHA256 / ECDSA signature algorithm), and the certificate imported into ADCS. All worked well.

However when attempting to create the CA by importing a PFX file containing the CA private key and CA certificate, I get the following error:

"Active Directory Certificate Service setup failed with the following error: Invalid provider specified. 0x80090013 (-2146893805 NTE_BAD_PROVIDER)"

The same error is returned whether configuring ADCS using the GUI or PowerShell (Install-AdcsCertificationAuthority).

The private key algorithm and cert signing algorithm in the failure case are identical to the success scenario above. In other words, all that I'm changing is that instead of having the standalone subordinate CA create its own private key and a CSR to be signed, the parent CA generates the key for the subordinate CA (and includes it in the PFX file). The rest is identical.

As an experiment, I used RSA 2048 instead of ECDSA P256 as the key algorithm for the subordinate CA. In this case the import of the PFX file appeared to be successful.

Given the error (0x80090013 (-2146893805 NTE_BAD_PROVIDER)), it sounds like ADCS may be having an issue with importing keys into an ECDSA KSP - even though it has no issue generating a key in the same KSP.

Does anyone have a solution to this?
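As an added example (not the poster's own commands), here are the two setup paths described in the post written as Install-AdcsCertificationAuthority calls with the provider settings spelled out, followed by a check of what the PFX actually carries before attempting the import; the CA name, file paths and password are placeholders.

```powershell
# Added example, not from the original post. Requires the ADCSDeployment module
# (ships with the AD CS role) and an elevated PowerShell session.
Import-Module ADCSDeployment

# --- Path 1 (reported as working): ADCS generates the P256 key inside the
# Microsoft Software KSP itself and writes a CSR for the parent CA to sign.
Install-AdcsCertificationAuthority `
    -CAType StandaloneSubordinateCA `
    -CACommonName "Example Issuing CA" `
    -CryptoProviderName "ECDSA_P256#Microsoft Software Key Storage Provider" `
    -KeyLength 256 `
    -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\CA\subca.req" `
    -Force

# After the parent CA has signed subca.req (SHA256 / ECDSA), install the
# issued certificate against the key that already lives in the KSP:
certutil -installCert "C:\CA\subca.cer"

# --- Path 2 (reported as failing with NTE_BAD_PROVIDER when the key is
# ECDSA): key and certificate arrive together in a PFX built elsewhere.
$pfxPath     = "C:\CA\subca.pfx"          # placeholder
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"

# Before importing, look at what is inside the PFX: public-key algorithm,
# whether a private key is present, and the certificate's signature algorithm.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $pfxPath, $pfxPassword)
"{0}`n  key algorithm : {1}`n  has private key: {2}`n  signature alg : {3}" -f `
    $cert.Subject,
    $cert.PublicKey.Oid.FriendlyName,      # "ECC" for P256, "RSA" for RSA 2048
    $cert.HasPrivateKey,
    $cert.SignatureAlgorithm.FriendlyName

# certutil's verbose dump additionally prints the key-container and provider
# attributes stored in the PFX key bag, which is what the setup wizard binds to.
certutil -v -p "PLACEHOLDER_PASSWORD" -dump $pfxPath

# The import itself, using the same CA type as Path 1:
Install-AdcsCertificationAuthority `
    -CAType StandaloneSubordinateCA `
    -CertFile $pfxPath `
    -CertFilePassword $pfxPassword `
    -Force
```

Running the inspection step on both the RSA 2048 PFX that imported cleanly and the ECDSA P256 PFX that failed makes it easy to compare the provider attributes each one carries.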
