CertUtil Import pfx failed: NTE_NOT_SUPPORTED

0

I am attempting to set the KeySpec flag on an existing certificate for use in a SQL server encryption role. Current KeySpec is 0, and I need it to be a 1.

The way to do this is by first exporting the cert, its private key, and key usages into a .pfx file (with a password, regardless of what it claims). Then, utilizing certutil, run certutil -importpfx AT_KEYEXCHANGE.

This "works" in that it prompts for the password (which is typed in correctly), but it fails with this error message:

CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED) CertUtil: The requested operation is not supported.

Unfortunately, there's not much online that I could find - just this one post apparently:

https://anotherexchangeblog.wordpress.com/tag/importpfx-command-failed-0x80090029/

That one appears to indicate that it's a problem with permissions on a directory located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Specifically, that "SYSTEM" had permissions on it, which he removed and got certutil working. However, my copy of that directory does not have SYSTEM with permissions - it looks to be the same as his picture.

Not a whole lot more to go on, and this certutil import method appears to be the only way to set KeySpec to 1. What can I do from here to allow me to import that key with the correct KeySpec flag?

sql
certificate
pki
certutil
asked on Stack Overflow May 6, 2020 by The ITea Guy

1 Answer

2

I encountered this issue after generating my private key with Template = (No Template) CNG Key.

To convert from a CNG key back to a Legacy Key you can use OpenSSL (https://www.google.com/search?q=Download+windows+OpenSSL) to re-encode the certificate:

  1. Export your current certificate to a passwordless pem

    openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes

  2. Convert the pem file to a new pfx file with password:

    openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem

You can avoid the problem by generating your CSR using Template = (No Template) Legacy Key.

Good Luck!

answered on Stack Overflow Jul 10, 2020 by Neossian
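The answer's two OpenSSL commands plus the question's certutil step, scripted end to end as an added example (not code from the question or the answer). The usual explanation for the NTE_NOT_SUPPORTED result is that the PFX exported from a CNG-backed certificate carries the Microsoft CSP-name bag attribute naming the Key Storage Provider, and the AT_KEYEXCHANGE modifier only makes sense for a legacy CAPI key; OpenSSL drops that attribute on re-export (it only writes one when given -CSP), so certutil can then place the key in a legacy CSP with KeySpec 1, which is what SQL Server's TLS configuration requires. The script assumes openssl.exe and certutil.exe are on PATH, an elevated session (LocalMachine store), and the file paths are placeholders; the KeySpec check at the end relies on Windows PowerShell 5.1 behaviour, where X509Certificate2.PrivateKey is populated only for CAPI keys.

```powershell
#Requires -RunAsAdministrator
# Added example: CNG-backed PFX -> OpenSSL round trip -> certutil -importpfx AT_KEYEXCHANGE,
# then verify the resulting KeySpec. Paths and store name below are placeholders.
param(
    [string]$InPfx  = 'C:\temp\mycert.pfx',   # PFX exported from the KeySpec=0 (CNG) cert
    [string]$OutPfx = 'C:\temp\mycert2.pfx',  # re-encoded PFX that certutil will import
    [string]$Store  = 'My'                    # LocalMachine\My, where SQL Server looks
)
$ErrorActionPreference = 'Stop'

function ConvertTo-Plain([securestring]$s) {
    [System.Net.NetworkCredential]::new('', $s).Password
}
# Passwords go to OpenSSL through the environment (env:VAR) rather than on the command line.
$env:PFX_IN_PASS  = ConvertTo-Plain (Read-Host -AsSecureString 'Password of the exported PFX')
$env:PFX_OUT_PASS = ConvertTo-Plain (Read-Host -AsSecureString 'Password for the re-encoded PFX')
$tmpPem = Join-Path $env:TEMP 'tmpmycert.pem'

try {
    # 1. Unpack cert + unencrypted key (-nodes) to PEM. OpenSSL does not carry over the
    #    Microsoft CSP-name bag attribute that marks the key as CNG.
    #    If OpenSSL 3 reports an unsupported algorithm on a Windows-exported PFX,
    #    add "-legacy": Windows commonly encrypts the certificate bags with RC2-40.
    & openssl pkcs12 -in $InPfx -nodes -passin env:PFX_IN_PASS -out $tmpPem
    if ($LASTEXITCODE) { throw "openssl pkcs12 (parse) failed: $LASTEXITCODE" }

    # Thumbprint, so the old KeySpec=0 entry can be removed before the re-import.
    $fp = (& openssl x509 -in $tmpPem -noout -fingerprint -sha1) -replace '^.*=', '' -replace ':', ''
    if ($LASTEXITCODE) { throw "openssl x509 failed: $LASTEXITCODE" }

    # 2. Re-export with a password. 3DES/SHA-1 is chosen on purpose: OpenSSL 3 defaults
    #    to AES-256-CBC + PBKDF2, which certutil on older Windows builds cannot parse.
    #    No -CSP option, so no CSP-name attribute is written into the new PFX.
    & openssl pkcs12 -export -in $tmpPem -out $OutPfx -passout env:PFX_OUT_PASS `
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
    if ($LASTEXITCODE) { throw "openssl pkcs12 (export) failed: $LASTEXITCODE" }
}
finally {
    # The PEM holds the unencrypted private key: remove it as soon as it is consumed.
    if (Test-Path $tmpPem) { Remove-Item $tmpPem -Force }
    Remove-Item Env:\PFX_IN_PASS -ErrorAction SilentlyContinue
}

# 3. Drop the existing KeySpec=0 entry, then import with the AT_KEYEXCHANGE modifier.
#    -p exposes the password in the process command line for the duration of the
#    import; omit it to have certutil prompt instead.
if (Test-Path "Cert:\LocalMachine\$Store\$fp") {
    & certutil -delstore $Store $fp | Out-Null
}
& certutil -p $env:PFX_OUT_PASS -importpfx $Store $OutPfx AT_KEYEXCHANGE
Remove-Item Env:\PFX_OUT_PASS -ErrorAction SilentlyContinue
if ($LASTEXITCODE) { throw "certutil -importpfx failed: $LASTEXITCODE" }

# 4. Verify. In Windows PowerShell 5.1, .PrivateKey is populated only for legacy CAPI keys;
#    KeyNumber 'Exchange' corresponds to KeySpec 1 (AT_KEYEXCHANGE).
$cert = Get-Item "Cert:\LocalMachine\$Store\$fp"
$key  = $cert.PrivateKey
if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    "KeySpec: $($key.CspKeyContainerInfo.KeyNumber) (provider: $($key.CspKeyContainerInfo.ProviderName))"
} else {
    Write-Warning 'Private key is not a legacy CAPI key; KeySpec was not set. Check the certutil output above.'
}
```

After a successful import the check line should read KeySpec: Exchange. The SQL Server service account still needs read access to the new key container (it is a different container from the CNG one), so re-grant that before restarting the service.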

User contributions licensed under CC BY-SA 3.0