
May 2, 2018 at 4:28 pm

I have a .crt and .key file, from which I am creating a .pfx file using OpenSSL. I am trying to use PowerShell to import the .pfx file into Cert:\LocalMachine\My, then I'll use that certificate for OpenVPN. Using the following code, I am not getting any errors on the import:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.import("$env:TEMP\$site.pfx", $certPassword, "PersistKeySet")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.open("MaxAllowed")
$store.add($cert)
$store.close()

I can see the cert in the MMC, but OpenVPN's log file shows:

error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist

I have tried $certPassword as both a string and secure string. When I import the certificate via the GUI (copying the password from the content of $certPassword), OpenVPN starts normally.

I also tried this code but saw the same behavior:

Import-PfxCertificate -Password ($certPassword | ConvertTo-SecureString -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My -FilePath $env:temp\$site.pfx

Finally, I am running the PowerShell session elevated and OpenVPN is running as Local System.

What could I be doing wrong? Thanks.

May 2, 2018 at 4:59 pm

Turns out, I needed to include the MachineKeySet flag in my import command:

$cert.import("$env:TEMP\$site.pfx", $certPassword, "MachineKeySet,PersistKeySet")
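
The fix above as a fuller script, added here as an example and not part of the original posts: it imports the .pfx with the MachineKeySet and PersistKeySet flags, then reports whether the private key sits in the machine key store. The function names are hypothetical, and it assumes an elevated Windows PowerShell 5.1 session and an RSA key held by a CryptoAPI (CSP) provider.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example; Import-MachinePfx and Test-MachineKey are hypothetical names.
function Import-MachinePfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # MachineKeySet: keep the private key in the machine key store instead of
    # the importing user's profile. PersistKeySet: keep it after the object is gone.
    $flags = [X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = [X509Certificate2]::new($Path, $Password, $flags)

    $store = [X509Store]::new([StoreName]::My, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    $cert
}

function Test-MachineKey {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $cert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint"
    $result = [ordered]@{
        Thumbprint      = $cert.Thumbprint
        HasPrivateKey   = $cert.HasPrivateKey
        MachineKeyStore = $null
        KeyFile         = $null
        KeyFileExists   = $false
        Error           = $null
    }
    try {
        # Opening the key is the real check; it fails when the container
        # cannot be found or read from this session.
        $info = $cert.PrivateKey.CspKeyContainerInfo
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        $result.MachineKeyStore = $info.MachineKeyStore
        $result.KeyFile         = Join-Path $dir $info.UniqueKeyContainerName
        $result.KeyFileExists   = Test-Path -LiteralPath $result.KeyFile
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Usage (the path is a placeholder):
# $c = Import-MachinePfx -Path "$env:TEMP\site.pfx" -Password (Read-Host -AsSecureString)
# Test-MachineKey -Thumbprint $c.Thumbprint
```

A result with MachineKeyStore set to True and KeyFileExists set to True means the key is where a service running as Local System can reach it.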