Cryptography Next Generation (CNG) is a set of APIs which can be found in Windows Server 2008 and newer. CNG offers an advanced set of features to create hashes, encrypt and decrypt data and to manage keys and cryptographic providers. CNG implements the United States government's Suite B cryptographic algorithms. As the hipsters say, CNG is the new PKI but you probably haven't heard of it.
One of the features of CNG is to create certificates that that use a Key Storage Provider (KSP) to store the private key, as opposed to a Cryptographic Service Provider (CSP) like regular certificates do. Exchange does not support these types of certificates for securing OWA and ECP. You will notice this immediately because your users will return back in the FBA screen after logging in after you installed such a certificate.
Read the following article for more information and workarounds: Outlook Web App and ECP redirect to the FBA page in Exchange Server 2013