Problem
When you load a .p12 certificate file (PFX file) from a local path and the process runs under a service account, you may receive an error like the one below.
"Invalid provider type specified" CryptographicException when trying to load private key of certificate
Possible Cause
This error typically occurs when a service account (such as SQL Server Agent or the SSIS runtime) attempts to access a private key from a .p12 file but lacks the necessary permissions.
When the .p12 file is read, the system attempts to extract the private key and store it in a machine-level key storage location, such as:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
If the service account cannot access this directory or doesn’t have the right cryptographic permissions, it may result in an “Access Denied” or “Invalid provider type specified” error.
Solutions
Solution 1: Import the Certificate into Machine-Level Storage
To ensure the key is accessible system-wide:
- Copy the .p12 file to the server.
- Double-click the file to open the Certificate Import Wizard.
- Choose “Local Machine” as the store location (not “Current User”).
- Enter the password for the file (commonly notasecret for Google-generated keys).
- Complete the wizard to finish the import.
This process should be performed both on your development machine and on the deployment server.
Update your SSIS package:
- Open the SSIS connection manager.
- Navigate to the Certificate tab.
- Set the Storage Mode to “Local Machine”.
- Browse to select the installed certificate.
- Save and redeploy your package.
Solution 2: Use a JSON Key File Instead
Instead of using a .p12 certificate, export the service account key as a JSON file from the Google Cloud Console. The JSON format does not require integration with Windows cryptographic providers and avoids private key storage issues.
This approach is supported by most Google client libraries.
Solution 3: Use a SQL Agent Proxy Account
If you’re running the SSIS job under SQL Server Agent, configure a proxy account with the necessary access to the machine-level RSA key store.
Steps:
- Create a credential in SQL Server Agent that uses a domain or local account.
- Create a proxy that maps to this credential.
- Assign the proxy to the job step that runs the SSIS package.
- Ensure the account can read from:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
Solution 4: Grant File System Access to the Service Account
The key file extracted from the certificate is secured using file system permissions. You can manually grant access to the required service account using PowerShell.
Example PowerShell script:
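# Locate the certificate in the Local Machine store (adjust the subject filter; the first match is used)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*YourCertName*" } | Select-Object -First 1
# Path of the private key file (CSP-backed keys; CNG-backed keys are stored under C:\ProgramData\Microsoft\Crypto\Keys\ instead)
$keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$($cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName)"
# Add a read-only Allow rule for the service account and write the ACL back
$acl = Get-Acl $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("NT SERVICE\YourServiceName", "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl $keyPath $acl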
You can also use the legacy tool winhttpcertcfg.exe to assign permissions.
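To confirm the result of Solution 4, the following added example (not part of the original article) resolves the private key file for a certificate whether the key is CSP- or CNG-backed, lists every Allow entry on it, and reports whether the service account has an explicit Read grant. The thumbprint and account name are placeholders, and the function name Get-PrivateKeyFile is hypothetical; it assumes an elevated session on the server.

```powershell
# Added example: replace the placeholders below before running (elevated session).
$Thumbprint = '<CERT-THUMBPRINT>'           # placeholder
$Account    = 'NT SERVICE\YourServiceName'  # placeholder, as in the script above

function Get-PrivateKeyFile {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # GetRSAPrivateKey() returns a usable key object for both CSP and CNG keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "No RSA private key is associated with $($Cert.Thumbprint)." }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine key files live in one of these two directories, depending on the provider.
    $dirs = 'Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys' |
        ForEach-Object { Join-Path $env:ProgramData $_ }
    $file = $dirs | ForEach-Object { Join-Path $_ $name } |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $file) { throw "Key file '$name' not found in the machine key directories." }
    $file
}

$cert    = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint"
$keyFile = Get-PrivateKeyFile -Cert $cert
$acl     = Get-Acl -LiteralPath $keyFile

# Show every principal allowed on the key file so over-broad grants are visible.
$acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize

# Check for an explicit Read grant to the service account (group membership is not resolved).
$read = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Account -and
    ($_.FileSystemRights -band $read) -eq $read
}
if ($hasRead) { "OK: $Account has Read on $keyFile" }
else { Write-Warning "$Account has no explicit Read entry on $keyFile" }
```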
Summary
This error is caused by permission or provider access issues when service accounts attempt to use a certificate’s private key. The most reliable resolution is to import the .p12 certificate into the Local Machine certificate store and ensure the appropriate permissions are granted for the service account.