Private key is NOT exportable (certificate)
Problem reported by Lennart Eliasson - 2/5/2020 at 11:23 PM
Resolved
I've set up "Automating the certificate export" as described in https://portal.smartertools.com/kb/a3466/securing-smartermail-with-lets-encrypt.aspx
When I run the script it says: 

Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

So the certificate is not exported. How can I solve this?

6 Replies

Jack. Replied
Jade D Replied
Check the wacs.exe config and change the option to allow the cert to be exported.
Lennart Eliasson Replied
Thanks Jade.
I thought that should solve the problem, but not in my case.

I did change PrivateKeyExportable to true in settings.json 
First I tried just to force an update. Did not help.

Then I made a new certificate like this:

I ran wacs.exe in PowerShell.
Then I made these choices:
M: Create new certificate (full options) 
2: Manual input 
To prove ownership: 
2: {http-01} Serve verification files from memory (recommended) 
What kind of private key should be used? 
2: RSA key 
Where to store: 
3: Windows Certificate Store 
3: No additional storage steps required 
1: Create or update https bindings in IIS
Choose site: Smartermail 
3: Do not run any (extra) installation steps 
Result: 
Store with CertificateStore... 
Installing certificate in the certificate store 
Adding certificate mail.xxxxxxx.xxx    to store My 
Installing with IIS... 
Updating existing https binding :443  <flags: 0>
Committing 1 https binding changes to IIS 

So a new certificate is created. The site works fine.

But I still cannot export the private key.
Please tell me what I'm doing wrong.
Jade D Replied
Marked As Resolution
I've just downloaded the latest version of win-acme (win-acme.v2.1.4.710.x64.pluggable) from GitHub.
Open settings.json and locate
"PrivateKeyExportable": false,
Change to 
"PrivateKeyExportable": true,

You may need to generate an entirely new cert.

From PowerShell, list any certs that match your cert name:

PS C:\Users\Administrator> Get-ChildItem -Path Cert:\localmachine\Webhosting | Where-Object {$_.Subject -like "mydomain.co.za*"}

Then delete those which conflict or need to be removed:

Get-ChildItem Cert:\localmachine\Webhosting\1BC55DC236E068714BEBC859CAD18FF1*********** | Remove-Item

Now generate a new cert, and export it using your export script. 
You can confirm that the cert is installed with private key exportable by using IIS cert manager, right click and export.
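The same check from the shell, as an added diagnostic that is not from the thread, from win-acme or from the SmarterTools KB: it reports, for every certificate matching a subject pattern in the stores win-acme writes to, whether the private key is exportable, which is the condition the KB's certutil -exportPFX step needs. The host name mail.example.com and the two store paths are assumptions; run it from an elevated PowerShell session so the machine-store keys can be opened.

```powershell
# Added example (not the thread's, win-acme's or the KB's code): find out before running
# the export script whether certutil -exportPFX will fail with 0x8009000b because the
# private key was imported as non-exportable.
$SubjectPattern = "mail.example.com*"   # assumption: replace with your SmarterMail host name
$Stores = "Cert:\LocalMachine\My", "Cert:\LocalMachine\WebHosting"   # assumption: stores win-acme uses

function Get-KeyExportability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return "no private key in store" }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        return "private key not accessible: $($_.Exception.Message)"
    }
    if ($null -eq $rsa) { return "non-RSA key (check manually)" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the key's ExportPolicy records whether export is allowed at all
        $policy = $rsa.Key.ExportPolicy
        if ($policy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)) {
            return "exportable (CNG policy: $policy)"
        }
        return "NOT exportable (CNG policy: $policy)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the container flag records whether it was imported as exportable
        if ($rsa.CspKeyContainerInfo.Exportable) { return "exportable (CSP)" }
        return "NOT exportable (CSP)"
    }
    return "unknown key type: $($rsa.GetType().Name)"
}

Get-ChildItem -Path $Stores -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like "CN=$SubjectPattern" } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            PrivateKey = Get-KeyExportability -Cert $_
        }
    } | Format-Table -AutoSize
```

A row reading "NOT exportable" means the certificate was created while PrivateKeyExportable was false; changing the setting alone does not alter keys already in the store, which is why a new certificate has to be issued.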
Lennart Eliasson Replied
Thank you so much Jade.

I did almost exactly what you wrote, with some exceptions.
1. Renamed win-acme folder to c:/Program Files/win-acme-old
2. Renamed win-acme folder to c:/ProgramData/win-acme-old
3. Copied new zip of v2.1.4.710.x64.pluggable to new c:/Program Files/win-acme
4. Edited line in "settings_default.json" to "true" before starting wacs.exe
5. Ran new install like before.
After that I could export with the script.

Although the Remove-Item did not work.
Is it OK to just remove it in Certificates/Personal/Certificates?
Jade D Replied
Hi Lennart,

Glad it worked, you can remove from the store if you need to.
