diff --git a/src/IdentityServer/Services/Default/KeyManagement/X509KeyContainer.cs b/src/IdentityServer/Services/Default/KeyManagement/X509KeyContainer.cs
index df7a5cbb6..aca58482d 100644
--- a/src/IdentityServer/Services/Default/KeyManagement/X509KeyContainer.cs
+++ b/src/IdentityServer/Services/Default/KeyManagement/X509KeyContainer.cs
@@ -100,7 +100,7 @@ public override AsymmetricSecurityKey ToSecurityKey()
 // handling this as it typically means the user profile is not loaded, and this is about the best way to detect this.
 // when the user profile is not loaded, using X509KeyStorageFlags.MachineKeySet is the only way for this to work on windows.
 // https://stackoverflow.com/questions/52750160/what-is-the-rationale-for-all-the-different-x509keystorageflags/52840537#52840537
- catch (Exception ex) when (ex.GetType().Name == "WindowsCryptographicException")
+ catch (CryptographicException ex) when (ex.HResult == unchecked((int)0x80070002)) // File not found
 {
 _cert = new X509Certificate2(Convert.FromBase64String(CertificateRawData), (string) null, X509KeyStorageFlags.MachineKeySet);
 }
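Review bot: The new `catch` filter hard-codes `0x80070002`, and the fallback under it still runs silently, so an operator gets no signal that the signing key was re-imported with `X509KeyStorageFlags.MachineKeySet`. That flag places the private key in the machine-level key store instead of the user's, which may widen which accounts on the host can reach the key material, so the branch deserves a warning-level log entry. A named constant would also read better than the literal, e.g. `private const int FileNotFoundHResult = unchecked((int)0x80070002);`. The narrower filter means other `CryptographicException` causes now propagate instead of falling back; that looks intentional, and a short comment such as `// any other crypto failure is surfaced, not retried with MachineKeySet` would record it. `ToSecurityKey`'s body starts and ends outside the hunk, so whether a logger is in scope here cannot be confirmed.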