CRYPT_E_NOT_FOUND when importing certificate
This error indicates that certreq was unable to find related request object in the Certificate Enrollment Requests node in the certificate store.
In addition, I would suggest to check whether the public key in the certificate request match the one in the issued certificate. You can use certutil -dump file.req
command to dump request file (there will be public key) and cerutil -dump cert.cer
to dump issued certificate and compare public keys. Do the same for each object in the Certificate Enrollment Requests node in the certificate store (focused on Local Machine context) to find request object with matching public key.
Adam Bertram
Adam Bertram is a 20+ year veteran of IT and an experienced online business professional. He’s a consultant, Microsoft MVP, blogger, trainer, published author and content marketer for multiple technology companies. Catch up on Adam’s articles at adamtheautomator.com, connect on LinkedIn, or follow him on Twitter at @adbertram.
Updated on June 26, 2022Comments
-
Adam Bertram almost 2 years
I'm trying to automate the process of generating a certificate signing request and then importing the response from the CA on a Windows Server 2012 R2 server to use as a cert for a SSL binding in IIS. I'm able to generate the CSR which I then provide to the security team which then provides me with a response to then import but am having troubles getting it to import.
This server is in a workgroup. Thought I'd mention that so no AD enrollment policy.
Here's my process:
- Generate a CSR with certreq.exe on the server in question. An INF file is generated that looks something like this:
[Version] Signature = "$Windows NT$" [NewRequest] Subject = "C=US,S=California,L=City,O=Company,OU=IT,CN=hostname" Exportable = TRUE KeyLength = 2048 KeySpec = 1 KeyUsage = 0xa0 MachineKeySet = True ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 Silent = True SMIME = False RequestType = PKCS10
This INF file then gets turned into the CSR .req file by doing this:
certreq.exe -new "C:\inffile.inf" "C:\certreq.req"
The REQ file gets sent to the security team and they give me back a .CER file, which, when imported manually, actually adds three certificates from Digicert. The certificate I expect and what looks to be some intermediate CAs.
Here's what that looks like when imported via the MMC Certificates snapin.
If I import the certificate via the MMC like this it doesn't show up in the IIS manager under Server Certificates so I looked a little deeper. I tried to complete the certificate signing request via the the IIS manager like this and the cert shows up and I'm happy.
However, I can't use the GUI since I'm using a script.
I confirm that the request is in Certificate Enrollment Requests with the private key.
I confirm that the public key of the CSR and the p7b I got back provided are the same.
certutil -dump issuedcert.cer certutil -dump certreq.req
PROBLEM: I exported the CSR from Certificate Enrollment Requests and looked at the public key. It was NOT the same as the one in issuedcert.cer. It looks like this is the problem but why?
I then try to use certreq.exe to accept the response and it doesn't work.
certreq.exe -accept -machine "C:\issuedcert.cer"
Almost done, but no. I continually receive this error message:
-
Adam Bertram over 8 yearsApologies. I am attempting to accept the issued cert. I accidentally had that wrong in the example.
-
Adam Bertram over 8 yearsIt looks like your function is expecting a PFX private key. I don't have that. I just have the CER response the CA.
-
Adam Bertram over 8 yearsDidn't have any affect. :(
-
Adam Bertram over 8 yearsThank you. I will try that.
-
Crypt32 over 8 yearsDigiCert Root CA is trusted in Windows by default. Even if you remove it, the error message might be CRYPT_E_REVOCATION_OFFLINE. This part of your response is incorrect.
-
pepo over 8 years@CryptoGuy It certainly is in my windows 10 store. But it is strange that it imported all authorities to My store, even to root CA. The imported certificate was probably in PKCS#7 format with whole chain included.
-
Adam Bertram over 8 yearsThis was it. During my haste to get this fixed I had a bunch of requests built up. At first, I wasn't even aware of this store. I cleaned them all out, tried another and then it worked! Thank you!
-
Adam Bertram over 8 yearsIt looks like it wasn't that easy. I deleted all the temporary certs and requests I had around, removed the cert from the Personal store and all requests in Certificate Enrollment Requests. I then generated another CSR, got it signed by the CA, got the cert back and tried to accept it again and it's giving me that error again. This time I did compare the CSR and the CER public keys and they are the same.
-
Crypt32 over 8 yearsIt appears that more investigation is required here. I would propose to contact me via email, as I will need more information (you will have to collect some debug logs for certreq). You will publish the solution here if we succeed in your case.
-
Adam Bertram over 8 yearsJust compared the CSR's public key in Certificate Enrollment Requests with the public key in the issued cert and they are different. It looks like this is the problem. Now, how could they be different? I guess the security team could have given me the wrong cert. Hmm..
-
Crypt32 over 8 yearsyeah. Public key comparison is used by certreq.exe to find related request object to associate issued certificate with private key (reference to private key is stored in the request object in Certificate Enrollment Requests MMC folder).