PFX import error...?

This topic contains 1 reply, has 1 voice, and was last updated by  MH 3 weeks, 1 day ago.

  • #100125

    MH
    Participant

    I have a .crt and .key file, from which I am creating a .pfx file using OpenSSL. I am trying to use PowerShell to import the .pfx file into Cert:\LocalMachine\My, then I'll use that certificate for OpenVPN. Using the following code, I am not getting any errors on the import:

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.import("$env:TEMP\$site.pfx", $certPassword, "PersistKeySet")
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.open("MaxAllowed")
    $store.add($cert)
    $store.close()
    

    I can see the cert in the MMC, but OpenVPN's log file shows:

    error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist

    I have tried $certPassword as both a string and secure string. When I import the certificate via the GUI (copying the password from the content of $certPassword), OpenVPN starts normally.

    I also tried this code but saw the same behavior:

    Import-PfxCertificate -Password ($certPassword | ConvertTo-SecureString -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My -FilePath $env:temp\$site.pfx

    Finally, I am running the PowerShell session elevated and OpenVPN is running as Local System.

    What could I be doing wrong? Thanks.

  • #100129

    MH
    Participant

    Turns out, I needed to include the MachineKeySet flag in my import command:

    $cert.import("$env:TEMP\$site.pfx", $certPassword, "MachineKeySet,PersistKeySet")
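
The fix above as a complete import-and-verify routine. This is an added example, not code from the original posts. `MachineKeySet` writes the private key to the machine-wide key store instead of the importing user's profile, and the final check reports where the key actually landed. The function name and parameters are hypothetical; it assumes an RSA key pair and an elevated session.

```powershell
# Added example; Import-MachinePfx and its parameters are hypothetical names.
# Assumes an RSA key pair and an elevated PowerShell session.
function Import-MachinePfx {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'

    # MachineKeySet: store the key in the machine key store, not the caller's profile.
    # PersistKeySet: keep the key container after the certificate object is released.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'

    # The constructor is used instead of Import() because Import() is not
    # supported on the .NET runtime behind PowerShell 7.
    $cert  = New-Object "$x509.X509Certificate2" -ArgumentList $Path, $Password, $flags
    $store = New-Object "$x509.X509Store" -ArgumentList 'My', 'LocalMachine'
    try {
        $store.Open('ReadWrite')
        $store.Add($cert)
    }
    finally {
        $store.Close()
    }

    # Re-read the certificate from the store and inspect its private key.
    # GetRSAPrivateKey returns $null for a missing or non-RSA key and throws
    # if the key container cannot be opened by the current account.
    $stored = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($stored)

    $machineKey = $null
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $machineKey = $rsa.Key.IsMachineKey                     # CNG-backed key
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $machineKey = $rsa.CspKeyContainerInfo.MachineKeyStore  # legacy CSP key
    }

    [pscustomobject]@{
        Thumbprint    = $stored.Thumbprint
        HasPrivateKey = $stored.HasPrivateKey
        MachineKey    = $machineKey
    }
}
```

A result with `HasPrivateKey` true and `MachineKey` false means the certificate is in the machine store but its key sits in a user profile, which a service running under another account cannot open.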
