Private key is NOT exportable (certificate)
Problem reported by Lennart Eliasson - 2/5/2020 at 11:23 PM
I've set up "Automating the certificate export" as described in https://portal.smartertools.com/kb/a3466/securing-smartermail-with-lets-encrypt.aspx
When I run the script it says: 

Private key is NOT exportable
Encryption test passed
CertUtil: -exportPFX command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.

So the certificate is not exported. How can I solve this?

6 Replies

Jade D Replied
Check the wacs.exe config and change the option to allow the cert to be exported.
Lennart Eliasson Replied
Thanks Jade.
I thought that should solve the problem, but not in my case.

I did change PrivateKeyExportable to true in settings.json 
First I tried just to force an update. Did not help.

Then I made a new certificate like this:

I ran wacs.exe in PowerShell.
Then I made these choices: 
M: Create new certificate (full options) 
2: Manual input 
To prove ownership: 
2: {http-01} Serve verification files from memory (recommended) 
What kind of private key should be used? 
2: RSA key 
Where to store: 
3: Windows Certificate Store 
3: No additional storage steps required 
1: Create or update https bindings in IIS
Choose site: Smartermail 
3: Do not run any (extra) installation steps 
Store with CertificateStore... 
Installing certificate in the certificate store 
Adding certificate mail.xxxxxxx.xxx    to store My 
Installing with IIS... 
Updating existing https binding :443  <flags: 0>
Committing 1 https binding changes to IIS 

So a new certificate is created. The site works fine.

But I still cannot export the private key.
Please tell me what I'm doing wrong.
Jade D Replied
Marked As Resolution
I've just downloaded the latest version of win-acme win-acme.v2.1.4.710.x64.pluggable from github
Open settings.json and locate
"PrivateKeyExportable": false,
Change to 
"PrivateKeyExportable": true,

You may need to generate an entirely new cert.

From powershell list any certs that match your cert name

PS C:\Users\Administrator> Get-ChildItem -Path Cert:\localmachine\Webhosting | Where-Object {$_.Subject -like "*mydomain.co.za*"}

Then delete those which conflict or need to be removed

Get-ChildItem Cert:\localmachine\Webhosting\1BC55DC236E068714BEBC859CAD18FF1*********** | Remove-Item

Now generate a new cert, and export it using your export script. 
You can confirm that the cert is installed with private key exportable by using IIS cert manager, right click and export.
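As an added example (not part of this thread, the SmarterTools KB script or win-acme itself), the following PowerShell helper does the "confirm the private key is exportable" check programmatically instead of by right-clicking in IIS, and only runs the certutil export for certificates that actually pass it. It assumes the certificate is in Cert:\LocalMachine\My (the Personal store win-acme writes to by default; pass -StorePath 'Cert:\LocalMachine\Webhosting' to look where the commands above do), that the subject contains the hostname given, and that 'mail.example.com', the PFX password and the output folder are placeholders to replace.

```powershell
# Added example: report whether each matching certificate's private key can be
# exported, then export only those, so certutil's 0x8009000b failure is caught
# before the export step instead of after it.

function Get-PrivateKeyExportability {
    param(
        [Parameter(Mandatory)][string]$SubjectPattern,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed default store
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$SubjectPattern*" } |
        ForEach-Object {
            $cert = $_
            $exportable = $null
            $keyType = 'none'

            if ($cert.HasPrivateKey) {
                # Works for both CNG and legacy CSP keys on .NET 4.6+ / Windows PowerShell 5.1
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the export policy lives on the underlying CngKey
                    $keyType = 'CNG'
                    $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: the container info carries the flag
                    $keyType = 'CSP'
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            }

            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                KeyType       = $keyType
                Exportable    = $exportable
            }
        }
}

# Usage: 'mail.example.com', the password and C:\certs are placeholders.
$results = Get-PrivateKeyExportability -SubjectPattern 'mail.example.com'
$results | Format-Table -AutoSize

foreach ($r in $results) {
    if ($r.Exportable -eq $true) {
        # Same certutil export the KB article's script performs
        certutil -p "CHANGE-ME" -exportPFX My $r.Thumbprint "C:\certs\$($r.Thumbprint).pfx"
    } else {
        Write-Warning "Skipping $($r.Thumbprint): private key is not exportable. Set PrivateKeyExportable to true in settings.json and re-issue the certificate."
    }
}
```

A certificate issued while PrivateKeyExportable was false shows Exportable = False here even after the setting is changed, because the flag is fixed when the key is created; that is why the thread's fix requires issuing a new certificate rather than just re-running the renewal.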
Lennart Eliasson Replied
Thank you so much Jade.

I did almost like you wrote with some exceptions.
1. Renamed win-acme folder to c:/Program Files/win-acme-old
2. Renamed win-acme folder to c:/ProgramData/win-acme-old
3. Copied new zip of v2.1.4.710.x64.pluggable to new c:/Program Files/win-acme
4. Edited line in "settings_default.json" to "true" before starting wacs.exe
5. Ran new install like before.
After that I could export with the script.

Although the Remove-Item did not work.
Is it ok to just remove it in Certificates/Personal/Certificates?
Jade D Replied
Hi Lennart,

Glad it worked, you can remove from the store if you need to.
