Key does not exist when executing New-SelfSignedCertificate

0

I've written a script that'll create certificates for me and that should sign them all using another certificate.

$dnsNames = @("example.com", "example.org")
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $dnsNames -FriendlyName "Example Cert" -Signer Cert:\LocalMachine\Root\QWREEWRQ12123132QWEQWE123123

But when I run this script I get the error message CertEnroll::CSignerCertificate::Initialize: Key does not exist. 0x8009000d (-2146893811 NTE_NO_KEY).

The private key is available in the certificate store and the certificate got the intended purposes of Client Authentication and Server Authentication.

What is causing this error message?

windows
powershell
certificate
asked on Super User Jul 31, 2017 by Mikael Dúi Bolinder • edited Jul 31, 2017 by Mikael Dúi Bolinder

2 Answers

2

For anyone else struggling with this.

Make sure PowerShell is running as Administrator (this is critical).

Remember that this only works on Windows 10, if you're trying to use the New-SelfSignedCertificate command on older OSes you'll find that it's out of date and doesn't support some of the extended parameters, some of which are very necessary e.g. multiple values for -DnsName with SANs support. I personally couldn't even get it to work on Server 2012 R2 when I wanted to create a certificate with SAN wildcards (*.mydomain.com). Just stick with the version on Windows 10 and you'll be fine ;)

Assign the Root CA you already created (I'm assuming you did this) to a variable:

$rootcert = Get-ChildItem -Path cert:\LocalMachine\My\6980327922B448834C67547B20DB8F054326F140

Now pass that variable into the New-SelfSignedCertificate command:

New-SelfSignedCertificate -DnsName MyDnsName,MyOtherDnsName -CertStoreLocation cert:\LocalMachine\My -Signer $rootcert -KeyUsage CertSign,CRLSign,DataEncipherment,DigitalSignature,KeyAgreement,KeyEncipherment -Type SSLServerAuthentication

The example above creates an SSL Certificate but you can create any of the available types by setting a different value for the -Type variable. You can also change the -KeyUsage values to the appropriate value(s). See the documentation of optional parameters here:

https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

answered on Super User Dec 18, 2017 by jackofallcodes
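The following script is an added example for both the question and the answer above; it is not code from the question or from either answer. It makes the checks a practitioner would want before calling New-SelfSignedCertificate with -Signer: that the session is elevated, that the signer certificate is loaded from LocalMachine\My (a copy imported into Root from a .cer file carries no private key, which is exactly what NTE_NO_KEY reports), and that the linked private key can actually be opened by the current account, since HasPrivateKey only says a key is linked. It then issues the leaf with the signer passed as an object, as the answer recommends, and verifies the result. Assumptions: PowerShell 5.1 on Windows 10 / Server 2016 or later (the PKI module with -Type, -KeyUsage and -KeyExportPolicy), an RSA signer already imported with its private key into Cert:\LocalMachine\My, and the thumbprint below is a placeholder to replace with your own.

```powershell
# Added example, not code from the question or from either answer.
# Assumptions: elevated PowerShell 5.1 on Windows 10 / Server 2016 or later,
# an RSA signer certificate already imported WITH its private key into
# Cert:\LocalMachine\My, and a placeholder thumbprint you replace with yours.
$signerThumbprint = '6980327922B448834C67547B20DB8F054326F140'   # placeholder
$dnsNames         = @('example.com', 'example.org')

# 1. LocalMachine private keys are only reachable from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (Run as Administrator).'
}

# 2. Load the signer from My, not Root: a certificate copied into Root from a
#    .cer file has no private key, so CertEnroll reports NTE_NO_KEY.
$signer = Get-ChildItem -Path "Cert:\LocalMachine\My\$signerThumbprint" -ErrorAction Stop

if (-not $signer.HasPrivateKey) {
    throw "Signer $($signer.Thumbprint) has no private key linked; re-import the PFX (with key) into LocalMachine\My."
}

# HasPrivateKey only says a key is linked; open it to prove this account can
# really use it (wrong provider, missing key file or an ACL problem surface here).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($signer)
if ($null -eq $rsa) {
    throw "Private key for $($signer.Thumbprint) is linked but cannot be opened (not RSA, or not accessible to this account)."
}
Write-Host "Signer key OK: $($rsa.KeySize)-bit RSA via $($rsa.GetType().Name)"

# 3. Warn if the signer does not assert CA=true. Issuance still works, but chain
#    validators will reject leaf certificates issued by a non-CA certificate.
$bc = $signer.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'Signer has no BasicConstraints CA=true; consider reissuing it with -KeyUsage CertSign.'
}

# 4. Issue the leaf certificate, signed with the signer's private key.
#    A leaf needs DigitalSignature/KeyEncipherment, not CertSign/CRLSign.
$leaf = New-SelfSignedCertificate -DnsName $dnsNames -FriendlyName 'Example Cert' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Signer $signer `
    -Type SSLServerAuthentication -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(1)

# 5. Confirm the result is chained to the signer and passes the SSL policy.
if ($leaf.Issuer -ne $signer.Subject) {
    throw "Issued certificate issuer '$($leaf.Issuer)' does not match signer subject '$($signer.Subject)'."
}
# -AllowUntrustedRoot because the signer may exist only in My, not in Root, on this machine.
$ok = Test-Certificate -Cert $leaf -Policy SSL -DNSName $dnsNames[0] -AllowUntrustedRoot
Write-Host "Issued $($leaf.Thumbprint) for $($dnsNames -join ', '); SSL policy check passed: $ok"
```

If the throw in step 2 fires for the copy in My as well, the key was never imported for the machine account; import the PFX again into LocalMachine\My from the elevated session. If step 2 passes but the GetRSAPrivateKey check fails, the certificate is linked to a key this account cannot open (for example an ECDSA key, or a CNG key whose ACL excludes the machine account), and New-SelfSignedCertificate will fail in the same way.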
0

At least the examples enclose the path in quotes and in addition your parameter is spelled wrong (CertStoreLocaiton instead of CertStoreLocation). In addition you might have to use the -ExistingKey switch.

answered on Super User Jul 31, 2017 by Seth

User contributions licensed under CC BY-SA 3.0