
PFX import failure…?

I have a .crt and .key file, from which I am creating a .pfx file using OpenSSL. I am trying to use PowerShell to import the .pfx file into Cert:\LocalMachine\My, then I'll use that certificate for OpenVPN. Using the following code, I am not getting any errors on the import:

# Load the PFX; a flag name given as a string is converted to X509KeyStorageFlags
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import("$env:TEMP\$site.pfx", $certPassword, "PersistKeySet")
# Open LocalMachine\My with the broadest access the caller has and add the cert
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("MaxAllowed")
$store.Add($cert)
$store.Close()

I can see the cert in the MMC, but OpenVPN's log file shows:

error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist

I have tried $certPassword as both a string and secure string. When I import the certificate via the GUI (copying the password from the content of $certPassword), OpenVPN starts normally.

I also tried this code but saw the same behavior:

Import-PfxCertificate -Password ($certPassword | ConvertTo-SecureString -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My -FilePath $env:temp\$site.pfx

Finally, I am running the PowerShell session elevated.

What could I be doing wrong? Thanks.

Since you are adding the certificate to the LocalMachine\My store you probably want to import it with X509KeyStorageFlags.MachineKeySet.

That might be

# X509KeyStorageFlags is a [Flags] enum; PowerShell converts a comma-separated string
$cert.Import("$env:TEMP\$site.pfx", $certPassword, "PersistKeySet, MachineKeySet")

but I don't actually know PowerShell, so I don't know the flags syntax.

The second possibility is that the PFX import saved the key under CNG but OpenVPN didn't use the "I know what CNG means" flag. You can make the import load the key in CAPI by specifying the CSP value when building the PFX with openssl

openssl pkcs12 -export ... -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
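The following is an added example, not code from the question or the answer above. It imports the PFX into LocalMachine\My with the flags the answer recommends, then checks what the question's GUI import got right and the script did not: that a private key was persisted for the certificate, and whether it sits in a CAPI provider (CSP) or a CNG key storage provider (KSP). It assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) in an elevated session, and that $site and $certPassword were set earlier as in the question; the variable names and the certutil cross-check are mine.

```powershell
# Added example (not from the original question or answer).
# Assumes Windows PowerShell 5.1 (.NET Framework), an elevated session,
# and that $site and $certPassword were set earlier, as in the question.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$pfxPath   = Join-Path $env:TEMP "$site.pfx"
$securePwd = ConvertTo-SecureString $certPassword -AsPlainText -Force

# X509KeyStorageFlags is a [Flags] enum: combine members with -bor.
# (A comma-separated string such as "MachineKeySet, PersistKeySet" also
# converts; a string containing "A | B" does not.)
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::MachineKeySet -bor $ksf::PersistKeySet

# Load the PFX with explicit flags and add it to LocalMachine\My.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxPath, $securePwd, $flags
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# Verify by re-reading the certificate from the store rather than trusting $cert.
$stored = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $stored) {
    throw "Certificate $($cert.Thumbprint) not found in LocalMachine\My after import"
}
if (-not $stored.HasPrivateKey) {
    throw "No private key persisted for $($stored.Subject) ($($stored.Thumbprint))"
}

# On .NET Framework 4.6+ a CAPI (CSP) key is returned as RSACryptoServiceProvider
# and a CNG (KSP) key as RSACng. The answer above explains why OpenVPN's
# CryptAcquireCertificatePrivateKey call may fail on a CNG key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($stored)
switch ($rsa.GetType().Name) {
    'RSACryptoServiceProvider' {
        $info = $rsa.CspKeyContainerInfo
        "CAPI key: provider='$($info.ProviderName)', machine key set=$($info.MachineKeyStore), container='$($info.KeyContainerName)'"
    }
    'RSACng' {
        "CNG key: provider='$($rsa.Key.Provider.Provider)'"
    }
    default { "Unexpected private key type: $($rsa.GetType().FullName)" }
}

# Independent cross-check with certutil: its per-certificate output includes
# 'Provider = ...' (the CSP or KSP holding the key) and 'Key Container = ...'.
certutil -store My $stored.Thumbprint |
    Select-String -Pattern 'Provider|Key Container|keyset'
```

If the report shows a CNG provider (for example "Microsoft Software Key Storage Provider") rather than a CSP, rebuild the PFX with the openssl -CSP option shown above and re-import; if the key is in CAPI but MachineKeyStore is False, the import ran without MachineKeySet and the key lives in the importing user's key set, which an OpenVPN service running as another account cannot open.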

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM