Private key is NOT exportable (certificate)

Problem reported by Lennart Eliasson - 2/5/2020 at 11:23 PM

Resolved

I've set up "Automating the certificate export" as described in https://portal.smartertools.com/kb/a3466/securing-smartermail-with-lets-encrypt.aspx

When I run the script it says:

Private key is NOT exportable

Encryption test passed

CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)

CertUtil: Key not valid for use in specified state.

So the certificate is not exported. How can I solve this?

6 Replies

Reply to Thread

Jack. Replied

2/6/2020 at 6:10 AM

Check

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc737187(v=ws.10)?redirectedfrom=MSDN

Jade D Replied

2/10/2020 at 11:14 AM

check the wacs.exe config and change the option to allow the cert to be exported.

Jade https://absolutehosting.co.za

Lennart Eliasson Replied

2/13/2020 at 1:48 AM

Thanks Jade.

I thought that should solve the problem, but not in my case.

I did change PrivateKeyExportable to true in settings.json

First I tried just to force an update. Did not help.

Then I made a new certificate like this:

I ran wacs.exe in Power Shell

Then I made these choices:

M: Create new certificate (full options)

2: Manual input

To prove ownership:

2: {http-01} Serve verification files from memory (recommended)

What kind of private key should be used?

2: RSA key

Where to store:

3: Windows Certificate Store

3: No additional storage steps required

1: Create or update https bindigs in IIS

Choose site: Smartermail

3: Do not run any (extra) installation steps

Result:

Store with CertificateStore...

Installing certificate in the certificate store

Adding certificate mail.xxxxxxx.xxx to store My

Installing with IIS...

Updating existing https binding :443 <flags: 0>

Committing 1 https binding changes to IIS

So a new certificate is created. The site works fine.

But I can still not export Private Key.

Please tell me what I'm doing wrong.

Jade D Replied

2/13/2020 at 7:48 AM

Marked As Resolution

I've just downloaded the latest version of win-acme win-acme.v2.1.4.710.x64.pluggable from github

Open settings.json and locate

"PrivateKeyExportable": false,

Change to

"PrivateKeyExportable": true,

You may need to generate an entirely new cert.

From powershell list any certs that match your cert name

PS C:\Users\Administrator> Get-ChildItem -Path Cert:\localmachine\Webhosting | Where-Object {$_.Subject -like "mydomain.co.za*"}

Then delete those which conflict or need to be removed

Get-ChildItem Cert:\localmachine\Webhosting\1BC55DC236E068714BEBC859CAD18FF1*********** | Remove -Item

Now generate a new cert, and export it using your export script.

You can confirm that the cert is installed with private key exportable by using IIS cert manager, right click and export.

Jade https://absolutehosting.co.za

Lennart Eliasson Replied

2/13/2020 at 11:39 PM

Thank you so much Jade.

I did almost like you wrote with some exceptions.
1. Renamed win-acme folder to c:/Program Files/win-acme-old
2. Renamed win-acme folder to c:/ProgramData/win-acme-old
3. Copied new zip of v2.1.4.710.x64.pluggable to new c:/Program Files/win-acme
4. Edited line in "settings_default.json" to "true" before starting wacs.exe
5. Ran new install like before.
After that I could export with the script.

Although the Remove-Item did not work.
Is it ok to just remove in Certificates/Personal/Certificates ?

Jade D Replied

2/14/2020 at 12:02 AM

Hi Lennart,

Glad it worked, you can remove from the store if you need to.

Jade https://absolutehosting.co.za

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text

6 Replies

Reply to Thread

Tags

Related Knowledge Base Articles