PowerShell: New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Invalid flags specified. 0x80090009

4

I'm trying to create a certificate that I will later use for signing other certificates in development. I'm using the PowerShell New-SelfSignedCertificate cmdlet.

Below is the command:

New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Container In4mRootCATest* -DnsName in4monline-test.com -FriendlyName "In4m Test Root CA Cert" -KeyExportPolicy Exportable -KeyFriendlyName "In4m Test Root CA Cert Private Key" -KeyLocation "C:\scratch" -KeyProtection None -KeySpec Signature -KeyUsage CertSign,CRLSign,DigitalSignature -KeyUsageProperty All -NotAfter (Get-Date).AddMonths(72) -Provider "Microsoft Base DSS Cryptographic Provider" -Type Custom

The error I get is:

New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Invalid flags specified. 0x80090009 (-2146893815 NTE_BAD_FLAGS)
At line:1 char:1
+ New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Co ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificate], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand

Can anyone help me to understand what values I may be combining/submitting in error?

I'm on Windows 10.

Help is appreciated.

powershell
winapi
encryption
certificate
asked on Stack Overflow Jan 28, 2017 by Ayo I • edited Jan 30, 2017 by Ayo I

2 Answers

3

Remove the -provider argument, then use the Certificates MMC snap-in to see if the certificate is what you require.

answered on Stack Overflow Jan 29, 2017 by Simon Catlin
1

I'm not an expert on certificates, but this might move you forward. I'd suggest trying with another provider from the list you'll get with:

certutil -csplist

https://social.technet.microsoft.com/wiki/contents/articles/7573.active-directory-certificate-services-pki-key-archival-and-management.aspx

Client CSP Does Not Permit Key Export

For the client enrollment process to generate and send a private key to the CA, the key must be marked as exportable when the key is generated. If the certificate template is not set to allow key exportable or if the third-party CSP (if applicable) does not support exportable keys, enrollment will fail and the enrollment wizard will return an error that the key is not exportable. Third-party CSPs may report varying errors, such as "catastrophic failure", when this occurs. If a Windows 2000 or Windows Millennium Edition client performs enrollment with key archival, the following error may appear if the key is not marked for export.

0x80090009 - NTE_BAD_FLAGS

Note: If the CSP supports the one-time flag for key archival, known as (CRYPT_ARCHIVABLE), the key export flag is not required. The Microsoft default software CSPs support this flag. However, Windows 2000 and Windows Millennium Edition clients do not support this flag and must allow the key to be exported for enrollment to work with key archival.

answered on Stack Overflow Jan 29, 2017 by Matthew Wetmore
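Both answers point at the -Provider argument. The following is an added example, written by me and not taken from the question or from either answer, that puts the two suggestions together: list the installed providers with certutil -csplist as the second answer suggests, then run the question's command with -Provider removed as the first answer suggests, and check that what comes out is actually usable as a CA instead of only eyeballing it in the MMC snap-in. The names (In4m Test Root CA, in4monline-test.com) come from the question; the RSA-2048/SHA256 choice, the Basic Constraints extension, the leaf name, and the decision to leave out -Container, -KeyFriendlyName, -KeyLocation, -KeyProtection and -KeyUsageProperty are my assumptions, not something either answer states is required.

```powershell
# Added example, not code from the question or the answers.
# Assumptions: default key storage provider, RSA-2048 / SHA256,
# Basic Constraints ca=true, and a leaf certificate issued from the CA.

# 1. Second answer: see which providers are installed before picking one.
certutil -csplist

# 2. First answer: same command, -Provider removed, so the cmdlet uses its
#    default provider. A CA cert also wants the Basic Constraints extension.
$caParams = @{
    CertStoreLocation = 'Cert:\CurrentUser\My'
    Subject           = 'CN=In4m Test Root CA'            # assumed subject
    DnsName           = 'in4monline-test.com'
    FriendlyName      = 'In4m Test Root CA Cert'
    KeyAlgorithm      = 'RSA'                              # assumption
    KeyLength         = 2048                               # assumption
    HashAlgorithm     = 'SHA256'                           # assumption
    KeyExportPolicy   = 'Exportable'
    KeySpec           = 'Signature'
    KeyUsage          = 'CertSign', 'CRLSign', 'DigitalSignature'
    NotAfter          = (Get-Date).AddMonths(72)
    Type              = 'Custom'
    # OID 2.5.29.19 = Basic Constraints: this is a CA, no sub-CAs below it.
    TextExtension     = @('2.5.29.19={critical}{text}ca=true&pathlength=0')
}
$ca = New-SelfSignedCertificate @caParams

# 3. Check the result rather than trusting the cmdlet blindly.
$ca | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey

$bcRaw = $ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
$bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension($bcRaw, $bcRaw.Critical)
"Basic Constraints CA flag: $($bc.CertificateAuthority)"   # expect True

# 4. Prove the private key really signs: issue a leaf chained to $ca.
$leaf = New-SelfSignedCertificate -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Subject 'CN=leaf.in4monline-test.com' -DnsName 'leaf.in4monline-test.com' `
    -Signer $ca -KeyUsage DigitalSignature, KeyEncipherment `
    -HashAlgorithm SHA256 -NotAfter (Get-Date).AddMonths(12)

# The leaf's issuer must be the CA's subject ...
"Issuer matches CA: $($leaf.Issuer -eq $ca.Subject)"        # expect True

# ... and the chain must build. The CA is not in Trusted Roots, so allow an
# unknown authority; the signature itself is still verified.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'NoCheck'
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
"Leaf chains to CA: $($chain.Build($leaf))"                 # expect True

# 5. Same thing from the command line, addressed by thumbprint.
certutil -user -store My $ca.Thumbprint
```

If step 2 still fails with NTE_BAD_FLAGS after -Provider is gone, change one parameter at a time from the question's original list and re-run; the cmdlet reports the flag error as a whole, so bisecting the parameters is the quickest way to find which one the chosen provider rejects. For development use only: the CA private key is created Exportable here, as in the question, so anyone who can read the user's store can issue certificates under it.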

User contributions licensed under CC BY-SA 3.0