Back to Community Threads
2
Private key is NOT exportable (certificate)
Problem reported by Lennart Eliasson - 2/5/2020 at 11:23 PM
Resolved
I've set up "Automating the certificate export" as described in https://portal.smartertools.com/kb/a3466/securing-smartermail-with-lets-encrypt.aspx
When I run the script it says: 

Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

So the certificate is not exported. How can I solve this?

6 Replies

Reply to Thread
0
Jack. Replied
2/6/2020 at 6:10 AM
1
Jade D Replied
2/10/2020 at 11:14 AM
check the wacs.exe config and change the option to allow the cert to be exported.
Jade
0
Lennart Eliasson Replied
2/13/2020 at 1:48 AM
Thanks Jade.
I thought that should solve the problem, but not in my case.

I did change PrivateKeyExportable to true in settings.json 
First I tried just to force an update. Did not help.

Then I made a new certificate like this:

I ran wacs.exe in Power Shell 
Then I made these choices: 
M: Create new certificate (full options) 
2: Manual input 
To prove ownership: 
2: {http-01} Serve verification files from memory (recommended) 
What kind of private key should be used? 
2: RSA key 
Where to store: 
3: Windows Certificate Store 
3: No additional storage steps required 
1: Create or update https bindigs in IIS 
Choose site: Smartermail 
3: Do not run any (extra) installation steps 
Result: 
Store with CertificateStore... 
Installing certificate in the certificate store 
Adding certificate mail.xxxxxxx.xxx    to store My 
Installing with IIS... 
Updating existing https binding :443  <flags: 0>
Committing 1 https binding changes to IIS 

So a new certificate is created. The site works fine.

But I can still not export Private Key.
Please tell me what I'm doing wrong.
3
Jade D Replied
2/13/2020 at 7:48 AM
Marked As Resolution
I've just downloaded the latest version of win-acme win-acme.v2.1.4.710.x64.pluggable from github
Open settings.json and locate
"PrivateKeyExportable": false,
Change to 
"PrivateKeyExportable": true,

You may need to generate an entirely new cert.

From powershell list any certs that match your cert name

PS C:\Users\Administrator> Get-ChildItem -Path Cert:\localmachine\Webhosting | Where-Object {$_.Subject -like "mydomain.co.za*"}

Then delete those which conflict or need to be removed

Get-ChildItem Cert:\localmachine\Webhosting\1BC55DC236E068714BEBC859CAD18FF1*********** | Remove -Item 

Now generate a new cert, and export it using your export script. 
You can confirm that the cert is installed with private key exportable by using IIS cert manager, right click and export.
Jade
0
Lennart Eliasson Replied
2/13/2020 at 11:39 PM
 
Thank you so much Jade.

I did almost like you wrote with some exceptions.
1. Renamed win-acme folder to c:/Program Files/win-acme-old
2. Renamed win-acme folder to c:/ProgramData/win-acme-old
3. Copied new zip of v2.1.4.710.x64.pluggable to new c:/Program Files/win-acme
4. Edited line in "settings_default.json" to "true" before starting wacs.exe
5. Ran new install like before.
After that I could export with the script.

Although the Remove-Item did not work.
Is it ok to just remove in Certificates/Personal/Certificates ?
0
Jade D Replied
2/14/2020 at 12:02 AM
Hi Lennart,

Glad it worked, you can remove from the store if you need to.
Jade
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Securing SmarterMail With Let's EncryptSmarterMail > Installation and Configuration
Configure SSL/TLS to Secure SmarterMailSmarterMail > Server Configuration and Management
Migrate SmarterMail to a Different ServerSmarterMail > Installation and Configuration
Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management