Discussion:
Exporting Computer Certificates
Otte
2006-11-22 13:39:02 UTC
On my Windows 2003 servers when I try to export the Computer certificate it
says "The associated Private key is marked as not exportable. Only the
certificate can be exported". This is what I expect and is no problem.

However, on one of my servers when I try to export the computer certificate
it says "The associated private key cannot be found. Only the certificate
can be exported".

I requested a new computer certificate which went fine but still get the
same message when I try to export it.

Where is it looking for the private Key and how can I check whether the key
is there or not?

Thanks for any help

Otte
Carsten Kinder [MSFT]
2006-11-25 22:51:59 UTC
Post by Otte
Where is it looking for the private Key and how can I check whether the key
is there or not?
To specifically examine the association between a certificate and a key:

1) Export the certificate into a file
2) Verify the keys: certutil -v -verifykeys [CertificateFileFromStep1]

If you want to experiment with this command, use certutil -verifykeys -? for
more options.

To verify all certificates in a certain certificate store use
certutil -verifystore -?
To repair key associations or update certificate properties or the key
security descriptor, use certutil -repairstore -?
--
Carsten Kinder
Microsoft Services

This posting is provided "AS IS" with no warranties, and confers no rights.
Otte
2006-11-27 12:41:01 UTC
Carsten

Thanks for your reply. I have tried using Certutil to verify and then
repair the computer certificate and this is what I get;

certutil -v -verifystore my 61a79fae00000000004a
Certificate is valid
CertUtil: -verifystore command completed successfully.


certutil -v -repairstore my 61a79fae00000000004a
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
CertUtil: Access denied.

I am logged on as Domain Admin so I don't understand why I get Access denied
or what/where it is trying to access. I have also tried this on another
server but that works so the problem is confined to 1 server only.


Any help is greatly appreciated

Otte
Brian Komar [MVP]
2006-11-27 21:14:12 UTC
You also need to designate the CSP that was used to protect the
certificate when using -repairstore.

certutil -v -repairstore my 61a79fae00000000004a -csp "Microsoft Strong Cryptographic Service Provider"

Brian
Otte
2006-11-28 14:59:01 UTC
Thanks for your reply Brian, I tried the following command;

certutil -repairstore -csp "Microsoft RSA SChannel Cryptographic Service Provider" my 61a79fae00000000004a

and got the following error back which I am now trying to resolve;

Missing stored keyset
CertUtil: -repairstore command FAILED: 0x80070057 (WIN32: 87)
CertUtil: The parameter is incorrect.


Regards

Otte
Brian Komar [MVP]
2006-11-28 15:51:24 UTC
It is a finicky command (order is important)
This works at a customer site:
certutil -f -csp "Microsoft RSA SChannel Cryptographic Service Provider" -repairstore my "61 a7 9f ae 00 00 00 00 00 4a"

Note that I do not remove the spaces from the serial number, and that
the csp is declared before the -repairstore option

brian
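The thread leaves two practical questions open: which CSP and key container the certificate is (or should be) bound to, and why certutil reports 0x80090010 (NTE_PERM, "Access denied") to a Domain Admin. NTE_PERM means the key container could not be opened, and for a CAPI machine key the container is a single file under the MachineKeys directory whose ACL (normally SYSTEM and Administrators) decides who can open it; "Missing stored keyset" (0x80070057) means the container named for that CSP simply does not exist. The script below is an added example and is not code from the thread or from Microsoft; it assumes Windows PowerShell 5.1 in an elevated prompt, a CAPI (legacy CSP) key in LocalMachine\My, and the default machine key path. The serial number and CSP name are the ones quoted in the thread, and Get-RepairStoreCommand is an illustrative helper that only builds the command Brian gave (flags before -repairstore, serial as space-separated bytes); it does not run it.

```powershell
# Added example (not from the thread): inspect a machine certificate's key
# binding, key file and ACL before running certutil -repairstore, and run
# Carsten's -verifykeys check. Assumes Windows PowerShell 5.1, elevated,
# CAPI key in LocalMachine\My. Serial/CSP below are the thread's values.
param(
    [string]$SerialNumber = '61a79fae00000000004a',
    [string]$Csp          = 'Microsoft RSA SChannel Cryptographic Service Provider'
)

# CAPI machine key containers: one file per container in this directory.
$machineKeyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-CertBySerial([string]$Serial) {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -ieq $Serial } |
        Select-Object -First 1
}

function Get-RepairStoreCommand([string]$Serial, [string]$ProviderName) {
    # Brian's working form: -f and -csp before -repairstore, serial as
    # space-separated byte pairs ("61 a7 9f ae ..."). Returned, not executed.
    $spaced = ($Serial -replace '(..)(?=.)', '$1 ')
    "certutil -f -csp `"$ProviderName`" -repairstore my `"$spaced`""
}

$cert = Get-CertBySerial $SerialNumber
if (-not $cert) { throw "No certificate with serial $SerialNumber in LocalMachine\My" }

"Subject       : $($cert.Subject)"
"Thumbprint    : $($cert.Thumbprint)"
"HasPrivateKey : $($cert.HasPrivateKey)"

if ($cert.HasPrivateKey -and $cert.PrivateKey) {
    # Bound to a CAPI container: show provider/container and check the file.
    # 0x80090010 (NTE_PERM) on -repairstore usually means this file's ACL
    # does not grant the caller access, so print who can open it.
    $info    = $cert.PrivateKey.CspKeyContainerInfo
    $keyFile = Join-Path $machineKeyDir $info.UniqueKeyContainerName
    "Provider      : $($info.ProviderName)"
    "Container     : $($info.KeyContainerName)"
    "Exportable    : $($info.Exportable)"
    "Key file      : $keyFile"
    if (Test-Path $keyFile) {
        (Get-Acl $keyFile).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    } else {
        "Key file is missing: -repairstore can rebind a container, not recreate a key."
    }
}
elseif ($cert.HasPrivateKey) {
    # HasPrivateKey but no .PrivateKey object: the key is a CNG key, not CAPI,
    # so the MachineKeys/CSP logic above does not apply.
    "Private key is held by a CNG provider; use 'certutil -store my $SerialNumber' to see it."
}
else {
    # No binding at all (the thread's symptom). List the containers the named
    # CSP knows about so the right -csp can be chosen, then show the repair.
    "No private key bound. Machine key containers for '$Csp':"
    & certutil -csp $Csp -key
    "Key files on disk in ${machineKeyDir}: $((Get-ChildItem $machineKeyDir -File).Count)"
    "Repair command to run once a matching container exists for this CSP:"
    Get-RepairStoreCommand $SerialNumber $Csp
}

# Carsten's association check: export the public certificate to a file and
# let certutil search for its private key.
$cerPath = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
$cerType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export($cerType))
& certutil -v -verifykeys $cerPath
Remove-Item $cerPath -ErrorAction SilentlyContinue
```

Run it as the account that will later run -repairstore; if the key file is listed but the ACL output shows neither SYSTEM nor Administrators with full control, that is the access-denied case, and the fix is the file ACL, not a new certificate request. If the -key listing for the chosen CSP shows no container for this certificate, -repairstore will keep returning "Missing stored keyset" whatever the argument order.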