
I am attempting to set the KeySpec flag on an existing certificate for use in a SQL server encryption role. Current KeySpec is 0, and I need it to be a 1.

The way to do this is by first exporting the cert, its private key, and key usages into a .pfx file (with a password, regardless of what it claims). Then, utilizing certutil, run certutil -importpfx AT_KEYEXCHANGE.

This "works" in that it prompts for the password (which is typed in correctly), but it fails with this error message:

    CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
    CertUtil: The requested operation is not supported.

Unfortunately, there's not much online that I could find - just this one post apparently:

https://anotherexchangeblog.wordpress.com/tag/importpfx-command-failed-0x80090029/

That one appears to indicate that it's a problem with permissions on a directory located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Specifically, that "SYSTEM" had permissions on it, which he removed and got certutil working. However, my copy of that directory does not have SYSTEM with permissions - it looks to be the same as his picture.

Not a whole lot more to go on, and this certutil import method appears to be the only way to set KeySpec to 1. What can I do from here to allow me to import that key with the correct KeySpec flag?

The ITea Guy

3 Answers


I encountered this issue after generating my private key with Template = (No Template) CNG Key.

To convert from a CNG key back to a Legacy Key you can use OpenSSL (https://www.google.com/search?q=Download+windows+OpenSSL) to re-encode the certificate:

  1. Export your current certificate to a passwordless PEM:

    openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes

  2. Convert the pem file to a new pfx file with password:

    openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem

You can avoid the problem by generating your CSR using Template = (No Template) Legacy Key.

Good Luck!

Neossian
  • Thank you; this seems to be the solution. Tested it out on one machine with an ACAS Plugin Finding #35291 and it appears to remediate the issue. – The ITea Guy Sep 01 '20 at 18:27
  • This doesn't seem to work. First I found I needed to use the `-password` and `-passout` options. Then I learned I had to use OpenSSL 1 instead of OpenSSL 3. At last I had a new certificate... but it STILL uses KeySpec 0. Using the "No Template" option isn't so simple, either, as you have to specify _EVERYTHING_ about the certificate yourself. – Joel Coehoorn Oct 18 '22 at 20:26
  • I have also previously fixed this problem by importing the certificate into the Firefox keystore and then exporting from there. I imagine that newer versions of Firefox might now support KeySpec, so that solution may not work either - but an option for you to try. – Neossian Oct 20 '22 at 12:29
  • I've tried firefox, too, and it did not work. I also used portableapps.com to get an old version of firefox from 2017, and still no luck. – Joel Coehoorn Oct 20 '22 at 14:49

I work at Microsoft. My customer got this today and we couldn't fix it. We ended up making a new CSR.

This is the main article that explains how key specs work and CNG versus a legacy Cryptographic Service Provider.

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/ad-fs-and-keyspec-property

What you can do is go to your MMC snap-in for certificates. Right click on the Personal store -> All Tasks -> Advanced Operations -> Create Custom Request.

Proceed without an enrollment policy -> select Legacy template -> PKCS #10 -> Next -> Details -> Properties

Put a friendly name -> Add a common name -> Add DNS names for any SANs you need -> on Extended Key Usage select Server and Client Authentication -> on the Private Key tab -> select Microsoft Strong Cryptographic Provider -> for Key Options you want 2048 -> Make the private key exportable -> Key Type tab -> select Exchange

This will generate a Certificate Signing Request (CSR); then have your Certificate Authority fulfill it.


It is possible to make certutil import use the legacy Strong Cryptographic Provider by specifying the -csp argument.

    certutil -csp "Microsoft Strong Cryptographic Provider" -importpfx -f -enterprise my mycert.pfx AT_KEYEXCHANGE

Dennis
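Whichever route you take (the OpenSSL round trip, a fresh legacy-template CSR, or the certutil -csp import), you need to confirm the KeySpec the certificate actually ended up with. The following PowerShell is an added example, not code from any of the answers: it lists provider and KeySpec for every machine-store certificate with a private key. It assumes Windows PowerShell 5.1 on .NET Framework (where GetRSAPrivateKey returns RSACryptoServiceProvider for legacy CSP keys and RSACng for CNG keys), an elevated prompt so machine key containers can be opened, and Cert:\LocalMachine\My as an assumed default store.

```powershell
# Added example (not from the answers above): report provider and KeySpec for each
# certificate that has a private key. Assumes Windows PowerShell 5.1 / .NET Framework,
# where GetRSAPrivateKey yields RSACryptoServiceProvider for legacy CSP keys and RSACng
# for CNG keys. Run elevated so machine-key containers can be opened.
function Get-CertKeySpec {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed default; pass another store if needed
    )
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert     = $_
        $provider = 'unknown'
        $keySpec  = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: KeyNumber is Exchange (1 = AT_KEYEXCHANGE) or Signature (2 = AT_SIGNATURE)
                $info     = $rsa.CspKeyContainerInfo
                $provider = $info.ProviderName
                $keySpec  = [int]$info.KeyNumber
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: has no KeySpec at all, which certutil reports as KeySpec = 0
                $provider = $rsa.Key.Provider.Provider
                $keySpec  = 0
            }
            elseif ($null -eq $rsa) {
                $provider = 'non-RSA key'
            }
        }
        catch {
            $provider = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            KeySpec    = $keySpec
            SqlUsable  = ($keySpec -eq 1)   # SQL Server needs AT_KEYEXCHANGE (KeySpec 1)
        }
    }
}

# Usage: show everything, then only the certificates still stuck at KeySpec 0
Get-CertKeySpec | Format-Table -AutoSize
Get-CertKeySpec | Where-Object { $_.KeySpec -eq 0 } | Select-Object Subject, Thumbprint
```

A certificate that still shows KeySpec 0 after the OpenSSL round trip is still a CNG key, which is the outcome Joel Coehoorn describes in the comments above.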