Export Certificate in Windows 2022
Problem reported by Lennart Eliasson - 1/24/2022 at 10:17 AM
We plan to move Smartermail to Windows 2022. 
Have installed SSL from Lets Encrypt which works fine. 
But I can not export the certificate to .pfx file. 

The certificate is at Certificates/Web Hosting/Certificates, but the script for export goes to Certificates/Personal/Certificates.

The script says: Get-ChildItem -Path 'Cert:\LocalMachine\My' etc.
Have tried changing to: 'Cert:\LocalMachine\WebHosting'
But the script is still searching for 'My'
What should I use instead of 'My'?

5 Replies

Reply to Thread
Kyle Kerst Replied
Employee Post
Hello Lennart! I'm sorry to hear you're having trouble with this! The default Let's Encrypt guide we provide will save the certificate to the local machine's personal certificate store, and should automatically associate HTTPS bindings in IIS with the newly added certificate. What error are you getting with when exporting the certificate as a PFX file?
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
Robert G. Replied
It may be easier if you post the script with the output error.
Lennart Eliasson Replied
Oh, sorry. Thanks.

This is the script (ExportCert.ps1):
Get-ChildItem -Path 'Cert:\LocalMachine\WebHosting' | Where-Object { $_.hasPrivateKey } | Where-Object {$_.Subject -like "*mail.domain.com*"} | Foreach-Object {&certutil.exe @('-exportpfx', '-f', '-p', '45****************gew',$_.Thumbprint, "C:\Smartermail\Certificates\mail.domain.com.pfx")}

Bat file and error:


Powershell.exe -executionpolicy remotesigned -File c:\SmarterMail\Scripts\ExportCert.ps1

MY "Personal"
CertUtil: -exportPFX command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND)
CertUtil: Object was not found.
Kyle Kerst Replied
Employee Post
That looks good to me, the only thing I see is you're trying to select it from Cert:\LocalMachine\WebHosting' instead of 'Cert:\localmachine\My' per this KB copy here:


LE installs the certificate to the computer's local machine store, rather than the WebHosting store. 
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
Lennart Eliasson Replied
Marked As Resolution
I used Win-Acme-2 and it saved certificate in "WebHosting" by default. The problem was that it could not be exported. By deleting the certificate and redoing it, it was finally resolved.

First I had to change in settings.json to "PrivateKeyExportable": true,
Then during the installation I chose to save in [My] - General computer store.
After that the script worked as it should.

Reply to Thread