Cert export error - Missing stored keyset
Question asked by Scott Wilson - 6/15/2022 at 10:39 PM
I'm trying to follow the instructions in the following KB article but I'm getting an error when running the PowerShell script.

Here's the output I'm getting, any idea what could be wrong?

C:\SmarterMail\Scripts>Powershell.exe -executionpolicy remotesigned -File c:\SmarterMail\Scripts\exportcert.ps1
MY "Personal"
================ Certificate 3 ================
Serial Number: 03845e7355773d78bf1b387ff517961675fd
Issuer: CN=R3, O=Let's Encrypt, C=US
 NotBefore: 6/15/2022 4:28 PM
 NotAfter: 9/13/2022 4:28 PM
Subject: CN=mail.example.com
Non-root Certificate
Cert Hash(sha1): 2ff9e40474671c2f9a42409076ef6177f5c39902
  Key Container = {D04742A0-C916-4AD3-B3FE-7A0B596A41F0}
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Missing stored keyset
================ Begin force NCrypt ================
Missing stored keyset
----------------  End force NCrypt  ----------------
CertUtil: -exportPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

3 Replies

Reply to Thread
Scott Wilson Replied
Marked As Answer
Turns out it's a permissions issue, you have to run it as an administrator. If you update batch file to the following it'll run as admin.

Powershell.exe -Command "& {Start-Process Powershell.exe -ArgumentList '-ExecutionPolicy Bypass -File ""%~dp0exportcert.ps1""' -Verb RunAs}"
Zach Sylvester Replied
Employee Post
Hey Scott, 

Thanks for letting us know the solution. We are happy that you figured this out. 

Kind Regards, 

Zach Sylvester

System/Network Administrator
SmarterTools Inc.
(877) 357-6278
Scott Wilson Replied
And if anyone is interested how to accomplish the same in a C# console app you can use the following which is how I figured out what was wrong since I'm not very proficient with PowerShell.

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

namespace CertExporter
    class Program
        static void Main(string[] args)
            string subject = null;
            string password = null;
            string path = null;
            if (args.Length == 0)
                Console.WriteLine("Enter the subject of cert to export:");
                subject = Console.ReadLine();
                Console.WriteLine("Enter a password:");
                password = Console.ReadLine();
                Console.WriteLine("Enter an output path:");
                path = Console.ReadLine();
                subject = args[0];
                password = args[1];
                path = args[2];
            using (var store = new X509Store(StoreLocation.LocalMachine))
                var cert = store.Certificates.Find(X509FindType.FindBySubjectNamesubjecttrue)[0];
                byte[] data = cert.Export(X509ContentType.Pfxpassword);

Reply to Thread