TestShib - Bad key

I am trying to test out my SSO service provider application against TestShib.
I can raise the request and get to their log on page. I can then log in after which it returns the browser to our SAML assertion entry point page.
But on running SAMLServiceProvider.ReceiveSSO I get an error stating:
CryptographicException: Bad Key.
I know what it means but I don’t understand why this would happen with the metadata + certificate supplied by TestShib.
My saml.config:

<?xml version="1.0" encoding="utf-8"?>

<ServiceProvider Name="http://retail.activeplan.co.uk" Description="MyTestApp" LocalCertificateFile="key.pfx" LocalCertificatePassword="password" AssertionConsumerServiceUrl="~/SAMLAssertionConsumerService.aspx" />

<PartnerIdentityProvider Name="https://idp.testshib.org/idp/shibboleth" PartnerCertificateFile="00F5F41BA2EEA179CA4B432E7A2D34EA65520576EF.cer" NameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier" SingleSignOnServiceUrl="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" SignAuthnRequest="true" />

The certificate file is present and at the right path. I tried installing the certificate but it made no difference.
I can get the same setup working with SSOCircle so am unsure if there’s something I’m missing here.

Although TestShib isn’t vital for me I’d certainly feel more confident of a successful client deployment with more working test cases!
Thanks for your help.

Please double click the certificate file in File Explorer and confirm the certificate opens as expected.
Also, check the file permissions to ensure the account under which your application runs has read permission.
As an experiment, you could try giving the “Everyone” group read permission.
If that works, you can then limit permission to the particular account or group.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.

The log shows the error occurs attempting to decrypt the SAML assertion.
The LocalCertificateFile is used to perform the decryption.
Is this private key specified to support encryption?
Please refer to the following forum post.
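
One way to check the question raised in the last reply, whether the private key behind LocalCertificateFile can be used for decryption. This is an added example, not part of the original thread and not ComponentSpace code. It assumes .NET Framework, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class LocalCertificateCheck
{
    // Returns the reasons (if any) this certificate is unsuitable for decryption.
    public static List<string> FindDecryptionProblems(X509Certificate2 cert)
    {
        var problems = new List<string>();
        if (!cert.HasPrivateKey)
        {
            problems.Add("The file contains no private key.");
            return problems;
        }

        // An absent key usage extension places no restriction on the key.
        var usage = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (usage != null && (usage.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == 0)
            problems.Add("Key usage is [" + usage.KeyUsages + "]; KeyEncipherment is not set.");

        try
        {
            // CryptoAPI (CSP) keys carry a KeySpec. A key created as
            // signature-only (AT_SIGNATURE) is rejected when used to decrypt.
            var csp = cert.PrivateKey as RSACryptoServiceProvider;
            if (csp != null && csp.CspKeyContainerInfo.KeyNumber != KeyNumber.Exchange)
                problems.Add("KeySpec is " + csp.CspKeyContainerInfo.KeyNumber + ", not Exchange.");
        }
        catch (CryptographicException ex)
        {
            // Thrown when the key cannot be opened, e.g. a provider this API does not support.
            problems.Add("Private key could not be opened: " + ex.Message);
        }
        return problems;
    }

    static void Main()
    {
        // File name and password as given in the saml.config in the question.
        var cert = new X509Certificate2("key.pfx", "password");
        var problems = FindDecryptionProblems(cert);
        Console.WriteLine(problems.Count == 0 ? "No problems found." : string.Join(Environment.NewLine, problems));
    }
}
```

Run it under the same account as the web application, so that any permission problem on the key file also shows up.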