Error accessing certificate private key after 2025-10 cumulative update

Question

Error accessing certificate private key after 2025-10 cumulative update

Miguel Ángel Martínez Durán 10

Hi.

We have a Windows application developed on C# .NET Framework 4.5.2.

Since the last cumulative update it's throwing an error every time we try to access the PrivateKey property of a X509Certificate2.

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
// pick certificate from store.Certificates;
RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)certificate.PrivateKey; // This one crashes

Stacktrace is:

System.Security.Cryptography.CryptographicException: invalid provider type specified. in System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) in System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) in System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() in System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) in System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()

Certificates use sha256RSA and do work without problem outside our app, for example in Adobe Acrobat signing a PDF.

We traced the error to updates KB5066791 if windows 10 and KB5066835 if windows 11. Uninstalling them makes everything work again, but doesn't sound like a good idea to force thousands of our clients to roll back those updates

Kevin Riley 10 Reputation points

2025-10-18T22:44:43.6+00:00

https://free.blessedness.top/en-us/windows/release-health/resolved-issues-windows-11-25h2#3697msgdesc
Kevin Riley 10 Reputation points

2025-10-18T22:46:39.11+00:00

Per Microsoft: After installing the October 2025 Windows security update (KB5066835), released October 14, 2025, users might encounter smart card authentication and certificate issues. Common symptoms include:

Smart cards not being recognized as CSP providers (Cryptographic Service Provider) in 32-bit applications

Inability to sign documents

Failures in applications relying on certificate-based authentication

Resulting from this issue, users might observe error messages such as "invalid provider type specified" and "CryptAcquireCertificatePrivateKey error."
Kevin Riley 10 Reputation points

2025-10-18T22:53:18.7733333+00:00

Per Microsoft: After installing the October 2025 Windows security update (KB5066835), released October 14, 2025, users might encounter smart card authentication and certificate issues. Common symptoms include:

Smart cards not being recognized as CSP providers (Cryptographic Service Provider) in 32-bit applications

Inability to sign documents

Failures in applications relying on certificate-based authentication

Resulting from this issue, users might observe error messages such as "invalid provider type specified" and "CryptAcquireCertificatePrivateKey error."

Microsoft proposed workaround with setting the registry value of DisableCapiOverrideForRSA to 0 after the suspect CU is installed was a COMPLETE BUST. After setting the key to 0 and rebooting SmartCard drivers were ALL corrupted and inaccessible.

Logins and smartcard usage attempt after that were greeted with

*Smart card error**The smart card requires drivers that are not present on this system. Please try another smart card or contact your administrator.
*
Reverting the registry key back to 1 (default state after CU installation) did NOT correct the driver corruption issue. Hoping Microsoft takes further corrective actions as soon as possible.

3 answers

Your answer

Kevin Riley 10 Reputation points

2025-10-18T22:44:43.6+00:00

https://free.blessedness.top/en-us/windows/release-health/resolved-issues-windows-11-25h2#3697msgdesc
Kevin Riley 10 Reputation points

2025-10-18T22:46:39.11+00:00

Per Microsoft: After installing the October 2025 Windows security update (KB5066835), released October 14, 2025, users might encounter smart card authentication and certificate issues. Common symptoms include:

Smart cards not being recognized as CSP providers (Cryptographic Service Provider) in 32-bit applications

Inability to sign documents

Failures in applications relying on certificate-based authentication

Resulting from this issue, users might observe error messages such as "invalid provider type specified" and "CryptAcquireCertificatePrivateKey error."
Kevin Riley 10 Reputation points

2025-10-18T22:53:18.7733333+00:00

Per Microsoft: After installing the October 2025 Windows security update (KB5066835), released October 14, 2025, users might encounter smart card authentication and certificate issues. Common symptoms include:

Smart cards not being recognized as CSP providers (Cryptographic Service Provider) in 32-bit applications

Inability to sign documents

Failures in applications relying on certificate-based authentication

Resulting from this issue, users might observe error messages such as "invalid provider type specified" and "CryptAcquireCertificatePrivateKey error."

Microsoft proposed workaround with setting the registry value of DisableCapiOverrideForRSA to 0 after the suspect CU is installed was a COMPLETE BUST. After setting the key to 0 and rebooting SmartCard drivers were ALL corrupted and inaccessible.

Logins and smartcard usage attempt after that were greeted with

*Smart card error**The smart card requires drivers that are not present on this system. Please try another smart card or contact your administrator.
*
Reverting the registry key back to 1 (default state after CU installation) did NOT correct the driver corruption issue. Hoping Microsoft takes further corrective actions as soon as possible.

Answer 1

Varsha Dundigalla(INFOSYS LIMITED) 2,700 Microsoft External Staff

Thank you for reaching out.

I recommend not to roll back the updates.

Uninstalling KB5066791 (Windows 10) or KB5066835 (Windows 11) might make the issue disappear temporarily, but it’s not recommended because:

These updates include critical security fixes.
Rolling them back exposes systems to vulnerabilities and compliance risks.
Microsoft’s direction is to move away from legacy cryptographic APIs, so this problem will return in future updates.

Workarounds you can try instead

Upgrade the .NET Framework
Move from 4.5.2 to at least 4.6 or later. Modern cryptographic APIs introduced in 4.6 handle CNG keys correctly.

Re-import certificates using a CSP provider
If code changes are not immediately possible, you can re-import the certificate with a legacy CSP key provider. This is a temporary workaround and not ideal for security.

Use X509KeyStorageFlags when loading PFX files
If your app loads certificates from PFX, try adding flags like MachineKeySet or Exportable. This can resolve access issues in some service contexts.

Check private key permissions
Ensure the application’s process identity has the correct ACL permissions on the private key in the certificate store. The update enforces stricter checks.

Update middleware for hardware-backed keys
If using HSMs or smart cards, confirm that the vendor’s middleware is updated and compatible with the new security changes.

Plan for application update
Even if temporary fixes help, the long-term solution is to update the application to use modern APIs that support CNG keys. This aligns with Microsoft’s security roadmap.

Let me know if you need any further help with this. We'll be happy to assist.

If you find this helpful, please mark this as answered.

Miguel Ángel Martínez Durán 10 Reputation points

2025-10-20T06:38:07.97+00:00

Hi, Varsha, thanks for your reply.

The use of Framework 4.5.2 is not random. Due to legacy and dependencies, trying to move to another version would require an humongous amount of work. We already did some attempts in the past and it was not viable without completely rewriting huge parts of the various projects we have.

We are already trying to create and auxiliary Net9 application with the bare minimum for this specific task, but because of it's complexity it could take us weeks to get some result.

Until now all affected certificates we detected are in physical cards, so that also limits what we can actually try with them. Updating drivers was already tried, but last version was from last May, so that's also a dead end.
Varsha Dundigalla(INFOSYS LIMITED) 2,700 Reputation points Microsoft External Staff

2025-10-22T10:26:20.94+00:00
Thank you for sharing the details.

Thank you for sharing the details and context. We understand the challenges with upgrading from .NET Framework 4.5.2 due to legacy dependencies and the complexity involved. Your approach of building an auxiliary .NET 9 application for cryptographic operations is a solid long-term solution, even if it takes additional time.

In the meantime, here are the practical next steps we recommend:

1. Temporary Workaround

Microsoft has documented a registry-based compatibility switch that can restore legacy behavior. Setting this registry value to 0 will allow the application to work as before.
However:

This is a system-wide change.

It reduces the security hardening introduced by the recent updates.

It should only be used as a short-term measure while the permanent solution is implemented.

2. Smart Card Considerations

Since all affected certificates are on physical cards:

If the vendor supports CSP fallback or provides a bulk update tool, that could avoid manual re-initialization.

If not, each card would need to be re-imported or re-initialized individually to use a CSP provider. Unfortunately, this cannot be automated without vendor tooling.

3. Long-Term Plan

Continue with the auxiliary .NET 9 service for signing/decryption operations.

This isolates modern cryptographic handling without requiring a full rewrite of your legacy applications.

Please let us know if you require any further assistance, we’re happy to help.

If you found this information useful, kindly mark this as "Accept Answer".

Answer 2

Romain LAGRANGE 0

Hi, just to reiterate here about this issue that we also have.

We are using 462 and have the same issue. Same with 4.8. But it still work in .net9.

As we are using this method to check for computer certificate before authentication and app update check, we have to manually update our app on 500 computers that are now unable to start.

Thanks Microsoft

Answer 3

Petar Masev 0

Hey everybody 🙋‍♂️

We have the same issue. There was an update few moments ago, but it was about the USB devices issue in windows recovery environment. The 'Invalid provider type specified' issue is still active.

I recommend the delay of the default cryptographic provider change till there is a fix. Or give us an option to choose the one by ourselves. Thank you!

Share via

Error accessing certificate private key after 2025-10 cumulative update

3 answers

Your answer