Score:0

Error when importing certificate via PowerShell to Local Certificate Store. Missing PrivateKey Information


I have tried the following ways to import a certificate into the LocalMachine store via PowerShell. The console was running as administrator.

# $PFXPassword is a SecureString holding the PFX password
$PFXPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-PfxCertificate -Exportable -Password $PFXPassword -CertStoreLocation Cert:\LocalMachine\My -FilePath 'certificatepath.pfx'

I also tried

$PFXFile = 'certificatepath.pfx'
# $PFXPassword is a SecureString holding the PFX password
$PFXPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$PFXObject = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2($PFXFile, $PFXPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)

$CertificateStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store('My','LocalMachine')
$CertificateStore.Open('MaxAllowed')
$CertificateStore.Add($PFXObject)
$CertificateStore.Close()

The issue is this: neither method works. In both instances the certificate does show up in the LocalMachine store, but it looks like there is no private key associated with it, even though the PFX file does have one.

If I import this same file via the MMC console, it loads fine. Via PowerShell, the following event appears:

Level: Error
Source: Schannel
Event Id: 36870
Message: A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.

Additional info: if I do a Get-Item on a certificate imported via MMC, the PrivateKey property does have information listed there. Imported via PowerShell, it's not there.

The OS is Server 2019 if that matters.

Score:1

With the second method, what happens if you set the "Exportable,MachineKeySet,PersistKeySet" import flags for $PfxObject? Just using a string for the options:

$PFXObject = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2($PFXFile,$PFXPassword,"Exportable,MachineKeySet,PersistKeySet")

If that doesn't help, maybe try the password as just a regular string too.

If it works with those import flags, perhaps delete the cert and try it again without PersistKeySet.

I've personally needed a little trial and error to determine when PersistKeySet is required. But if the option isn't needed for your process (including tested fresh on a different machine), then it's usually best to omit unnecessary parameters.

Jessie: That did it. Would it be MachineKeySet or PersistKeySet that was needed to make this work?

LeeM: Most likely MachineKeySet. As I mentioned, PersistKeySet can be a little mysterious, so I suggest trying it without that option on another system. If it still works, great, you can leave it out.

Jessie: Without PersistKeySet, I was getting inconsistent results. Sometimes the PrivateKey property would be present, other times it wasn't. Looks like I'll be keeping that in the code.

LeeM: That's interesting that it was inconsistent; sounds like it's definitely best to include it for your scenario. Thanks for the info!