Friday, April 13, 2018

Error Deploying CDP: ERROR: Communication exception occured. Http Status Code: BadRequest, Error Message: The private key for the remote desktop certificate cannot be accessed.

My environment: a single primary site, recently upgraded to 1802. I want to deploy a cloud distribution point (CDP).
I first created two self-signed certificates as per the documentation: one exported as a PFX (the cloud service certificate) and one as a CER (the management certificate uploaded to the Azure management portal).
Then I started the Create Cloud Distribution Point wizard. Walking through it, entering my Subscription ID and management certificate and then the additional details (Region, Site and the certificate file), everything was fine. However, when provisioning started, cloudmgr.log logged an error and the deployment failed:
ERROR: Communication exception occured. Http Status Code: BadRequest, Error Message: The private key for the remote desktop certificate cannot be accessed. This may happen for CNG certificates that are not supported for Remote Desktop., Exception Message: The remote server returned an unexpected response: (400) Bad Request.. SMS_CLOUD_SERVICES_MANAGER  13/04/2018 09:28:56 10808 (0x2A38)
Further errors followed, such as:
ERROR: Communication exception occured. Http Status Code: NotFound, Error Message: No deployments were found., Exception Message: There was no endpoint listening at https://management.core.windows.net/[mystuff]/services/hostedservices/[mystuff]/deploymentslots/Production that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.. SMS_CLOUD_SERVICES_MANAGER  13/04/2018 09:28:56 10808 (0x2A38)
but the indicative error is the first one, specifically: "...The private key for the remote desktop certificate cannot be accessed..."
Everything looked fine with my PFX: it had been exported with its private key and was password-protected, and PSS could see nothing wrong with it either, so this was annoying!
Reason: the cloud service server certificate (the PFX from the second screen of the wizard) has a private key that the Azure classic cloud service cannot use. The error message itself says why: the key was generated in a CNG key storage provider (the default for New-SelfSignedCertificate and for certificate templates configured to use a KSP), and CNG keys are not supported for the remote desktop certificate that the cloud service installs on its role instance. A Windows PFX export records the provider name alongside the key, so the problem travels with the file; Windows itself is perfectly happy with CNG keys, which is why the PFX looks healthy locally and only fails when Azure imports it.
Solution: use OpenSSL to pull the private key and the certificate out of the PFX and assemble a new PFX from them. OpenSSL does not write the Windows provider attribute, so the rebuilt file imports as an ordinary CryptoAPI (CSP) key, which the cloud service accepts.
  • Download OpenSSL.
  • Export the certificate with its private key to a PFX file from the certificates MMC, e.g. mypfx.pfx.
  • Extract the key (you are prompted for the PFX password and then for a passphrase to protect the PEM key):    openssl pkcs12 -in mypfx.pfx -nocerts -out key.key   <--this is the key, obviously
  • Extract the certificate without the key:    openssl pkcs12 -in mypfx.pfx -clcerts -nokeys -out mycert.crt
  • Combine them back into a new PFX, using the two files written above:     openssl pkcs12 -export -out newpfx.pfx -inkey key.key -in mycert.crt
  • Caveat for newer OpenSSL: 3.x protects PFX contents with AES-256 and PBKDF2 by default, which older Windows releases cannot import; add -legacy to the export step to get the 3DES/SHA-1 format every Windows version reads. The -info option of openssl pkcs12 shows which algorithms a PFX actually uses if you need to check.
  • Take newpfx.pfx and use it in the wizard in place of the original.

Cloudmgr.log then reports all is well and completes, deploying your CDP.
It's not just me who has hit this; see http://blog.configmatt.com/2017/06/sccm-cloud-management-gateway.html, although that page doesn't cover the OpenSSL steps. My PSS engineer said they don't get a whole lot of CDP requests, so this may be something they'll update the documentation with.
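The OpenSSL round trip repairs a PFX after the fact. The PowerShell below is an added example, not part of the original post and not Configuration Manager's own tooling: it shows the check that would have explained the failure up front (is the certificate's private key held by a CNG key storage provider?) and then creates a replacement self-signed certificate in the legacy "Microsoft Enhanced RSA and AES Cryptographic Provider" CSP, so the exported PFX can go straight into the wizard. It needs the Windows 10 / Server 2016 or later PKI module (New-SelfSignedCertificate with -Provider and -KeySpec) and an elevated PowerShell 5.1 prompt; the service name, output folder and friendly name are placeholders I chose, and the expectation that the wizard accepts the result rests on the error text quoted above rather than on anything in the post.

```powershell
# Added example, not from the original post or from Configuration Manager.
# Checks whether a certificate's private key is CNG (KSP) backed, then creates a
# replacement whose key lives in the legacy CAPI CSP so the exported PFX is
# accepted by the Azure classic cloud service for the remote desktop certificate.
# Assumptions: Windows 10 / Server 2016+ PKI module, elevated PowerShell 5.1.
# $ServiceName, $OutDir and the friendly name are placeholders.

$ServiceName = 'mycdp.cloudapp.net'   # assumed cloud service FQDN; use your own
$OutDir      = 'C:\Certs'
$LegacyCsp   = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

function Get-KeyProviderKind {
    # Returns 'CSP' for a CryptoAPI key, 'CNG' for a key storage provider key.
    # GetRSAPrivateKey hands back RSACryptoServiceProvider for the former and
    # RSACng for the latter. ($Cert.PrivateKey is $null for CNG keys under
    # .NET Framework, which is another quick tell.)
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "No accessible private key on $($Cert.Thumbprint)" }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { return 'CSP' }
    return 'CNG'
}

# 1. Report the provider behind any existing certificate for the service name.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$ServiceName" } |
    ForEach-Object {
        '{0}  {1}-backed  (expires {2:d})' -f $_.Thumbprint, (Get-KeyProviderKind $_), $_.NotAfter
    }

# 2. Create the replacement in the legacy CSP. -KeySpec KeyExchange gives an
#    AT_KEYEXCHANGE key, which is what a TLS/RDP server certificate needs.
$new = New-SelfSignedCertificate `
    -DnsName $ServiceName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -KeySpec KeyExchange `
    -Provider $LegacyCsp `
    -NotAfter (Get-Date).AddYears(2) `
    -FriendlyName "CDP cloud service ($ServiceName)"

if ((Get-KeyProviderKind $new) -ne 'CSP') {
    throw "New certificate $($new.Thumbprint) is still CNG-backed; check -Provider"
}

# 3. Export the PFX for the wizard's cloud service certificate field.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$pfxPath = Join-Path $OutDir "$ServiceName.pfx"
$pfxPass = Read-Host -AsSecureString 'Password for the exported PFX'
Export-PfxCertificate -Cert $new -FilePath $pfxPath -Password $pfxPass | Out-Null
'Exported CSP-backed certificate {0} to {1}' -f $new.Thumbprint, $pfxPath
```

The same provider information is visible without scripting: certutil -store My <thumbprint> prints a Provider line, and a value of "Microsoft Software Key Storage Provider" there is the CNG condition the cloudmgr.log error is complaining about. The management certificate (the CER uploaded to the Azure portal) is not affected by this, since Azure only needs its public half.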
