[Windows Server | need help on TLS Config] With Error in log on starting service - code:140 InvalidSSLConfiguration Could not read private key attached to the selected certificate, ensure it exists and check the private key permissions

I am trying to configure a MongoDB server to use TLS on Windows Server 2019.
Configuration file:

        net:
          port: 27017
          bindIp: 0.0.0.0
          tls:
            mode: requireTLS
            certificateSelector: thumbprint=0f******************************************9

I get this error:

        code:140 InvalidSSLConfiguration Could not read private key attached to the selected certificate, ensure it exists and check the private key permissions

And my cert says there is a private key detected within.

Question:

What to do next? How to solve the problem?