Getting "Failed to detect certificate purpose" when adding a certificate to Certificate Management
Article ID: 195569

Products

IT Management Suite

Issue/Introduction

When trying to replace a CEM self-signed certificate with your own certificate through the Certificate Management page, you can browse to the certificate and the UI shows that the certificate looks good, but it is not added in the "Select Certificate" window.

The NS logs show the following entry:

Failed to detect certificate purpose.

Invalid provider type specified.
[System.Security.Cryptography.CryptographicException @ mscorlib]
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at Altiris.Resource.StandardResources.DigitalCertificate.SetCertificatePrivateKey(X509Certificate2 certificateObject)
at Altiris.Resource.StandardResources.DigitalCertificate.Initialize()
at Altiris.Resource.StandardResources.DigitalCertificate.DetectCertificatePurposes(X509Certificate2 certificate, Boolean ignorePrivateKeyForChecks)

Exception logged from:
at Altiris.Resource.StandardResources.DigitalCertificate.DetectCertificatePurposes(System.Security.Cryptography.X509Certificates.X509Certificate2, Boolean)
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateDetails..ctor(System.Security.Cryptography.X509Certificates.X509Certificate2, Boolean)
at Altiris.NS.UI.Admin.ClientManagement.Certificate.CertificateDetailsControl+CertificateDetailsProvider.GetCertificateDetails(System.Security.Cryptography.X509Certificates.X509Certificate2, Altiris.NS.UI.CertUtilities+LoadedCertificate+Type)
at Altiris.NS.UI.Admin.ClientManagement.dlgImportCertificate.AddRow(System.Data.DataTable, System.Security.Cryptography.X509Certificates.X509Certificate2, Altiris.NS.UI.CertUtilities+LoadedCertificate+Type)
at Altiris.NS.UI.Admin.ClientManagement.dlgImportCertificate.OnLoadFinished(Object, EventArgs)
at System.Web.UI.HtmlControls.HtmlInputButton.OnServerClick(EventArgs)
at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
at Altiris.NS.UI.Admin.ClientManagement.dlgImportCertificate.ProcessRequest(System.Web.HttpContext)
at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)

---------------------------------------
Date: 7/16/2020 12:32:23 PM, Tick Count: 799250187 (9.06:00:50.1870000), Size: 3.95 KB
Process: w3wp (19992), Thread ID: 138, Module: Altiris.Resource.dll
Priority: 1, Source: Altiris.Resource.StandardResources.DigitalCertificate.DetectCertificatePurposes

When you go to IIS Manager and change the binding to the new certificate, the Certificate Management page in the SMP Console (Settings > Notification Server > Certificate Management) shows that the certificate is now in use, but reports this error status:

"No private key or key is not exportable"

When using MMC you can see that the certificate has a private key and you can export the certificate with its private key.

Environment

ITMS 8.6

Cause

The problem is with how the certificate was created. Certificates can have their private key stored by a CNG key storage provider, while ITMS works with legacy RSA (CryptoAPI/CSP) keys. In this case the certificate had an RSA key, but it was an RSACng key. We used .NET 4.5.1, while reliable CNG support was only implemented in .NET 4.6.2 and later; .NET 4.5.1 does not work with CNG crypto providers.

Resolution

We suggest re-creating the certificate using legacy key crypto providers. 

You can try to convert your certificate from CNG to RSA as described here:

https://stackoverflow.com/questions/22581811/invalid-provider-type-specified-cryptographicexception-when-trying-to-load-pri

NOTE: The content of the above article is outside the scope of Broadcom Technical Support.

The suggested approach uses OpenSSL and two older tools to accomplish the private key conversion. Given MYCERT.pfx with private key password MYPWD in CNG format, these are the steps to get a new CONVERTED.pfx with the private key in RSA format and the same password:

  1. Extract the public keys and full certificate chain:

openssl pkcs12 -in "MYCERT.pfx" -nokeys -out "MYCERT.cer" -passin "pass:MYPWD"

  2. Extract the private key:

openssl pkcs12 -in "MYCERT.pfx" -nocerts -out "MYCERT.pem" -passin "pass:MYPWD" -passout "pass:MYPWD"

  3. Convert the private key to RSA format:

openssl rsa -inform PEM -in "MYCERT.pem" -out "MYCERT.rsa" -passin "pass:MYPWD" -passout "pass:MYPWD"

  4. Merge the public keys with the RSA private key into a new PFX:

openssl pkcs12 -export -in "MYCERT.cer" -inkey "MYCERT.rsa" -out "CONVERTED.pfx" -passin "pass:MYPWD" -passout "pass:MYPWD"

If you load the converted PFX, or import it into the Windows certificate store using MMC, instead of the CNG-format PFX, the problem goes away.
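As an added check that is not part of this article, the following PowerShell reports whether a certificate's private key is held by a legacy CSP or by a CNG key storage provider, and whether the legacy X509Certificate2.PrivateKey access that appears in the stack trace above succeeds, so you can confirm the cause on the bound certificate and verify CONVERTED.pfx before importing it. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later (for GetRSAPrivateKey); the thumbprint, path and password are placeholders.

```powershell
# Added example, not from the KB article: report whether a certificate's private key
# lives in a legacy CryptoAPI CSP (usable by ITMS 8.6 / .NET 4.5.1) or in a CNG key
# storage provider (the case behind "Invalid provider type specified"). Assumes
# Windows PowerShell 5.1 with .NET Framework 4.6 or later; <...> values are placeholders.
function Get-CertKeyProviderInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $info = [ordered]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        HasPrivateKey    = $Certificate.HasPrivateKey
        KeyKind          = 'none'
        Provider         = $null
        LegacyPrivateKey = 'n/a'
    }
    if ($Certificate.HasPrivateKey) {
        # GetRSAPrivateKey() returns RSACng for CNG keys and RSACryptoServiceProvider
        # for legacy CSP keys, so the runtime type tells us where the key lives.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $info.KeyKind  = 'CNG'
            $info.Provider = $rsa.Key.Provider.Provider   # e.g. Microsoft Software Key Storage Provider
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info.KeyKind  = 'CSP'
            $info.Provider = $rsa.CspKeyContainerInfo.ProviderName
        }
        # X509Certificate2.PrivateKey is the CSP-only path seen in the stack trace above;
        # on a CNG key it throws the same CryptographicException the NS log shows.
        try {
            $null = $Certificate.PrivateKey
            $info.LegacyPrivateKey = 'OK'
        } catch {
            $info.LegacyPrivateKey = 'FAILED: ' + $_.Exception.GetBaseException().Message
        }
    }
    [pscustomobject]$info
}

# 1) The certificate currently bound in IIS, looked up by thumbprint.
Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq '<THUMBPRINT>' |
    ForEach-Object { Get-CertKeyProviderInfo $_ } | Format-List

# 2) A PFX before importing it (e.g. CONVERTED.pfx from the steps above). Windows picks
#    CSP vs KSP at import time, so this shows what the certificate store would end up with.
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    '<PATH>\CONVERTED.pfx', 'MYPWD',
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
Get-CertKeyProviderInfo $pfx | Format-List
```

A certificate that Certificate Management accepts should show KeyKind CSP and LegacyPrivateKey OK; KeyKind CNG with a FAILED entry reproduces the condition described in the Cause section.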