
I have a p12 file, 'test.p12', that has a certificate, the CA cert (self-signed), and private key for the certificate. The p12 file is generated using BouncyCastle's C# API.

When trying to import the certificate by using 'CertUtil', i.e., `CertUtil -f -p password -importpfx test.p12`, CertUtil generates the following error:

```
CertUtil: -importPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
```

Any clues as to what may be wrong? (I'm using Windows 10)

Using openssl, I can see that 'test.p12' does include the certificate, CA cert, and private key. The certificate is using an EC keypair, but I doubt that's a problem since I have a reference p12 file that uses the same algorithm and is imported by CertUtil without problem. Unfortunately, I have no detail on how the reference file is generated.

In my Google searches, many seem to suggest that this may be a permission problem, but I doubt that's the case as I'm running CertUtil as the Administrator.

When importing the same file using 'MMC' with the certificate snap-ins, the certificate is "successfully" imported if I force the MMC to store it in a specific store, e.g., Personal; otherwise, it prompts to select a Smart Card for the certificate. Could this be a related problem?

Thanks, --Hyong

hyongsop
  • I'd suggest using the `Import-PfxCertificate` PowerShell cmdlet to import the PFX. Depending on your need, you should install it either to the `cert:\localmachine\my` (for device certificate) or to the `cert:\currentuser\my` (for user certificate) store. – Crypt32 Jul 10 '17 at 20:53
  • It seems that the way I'm generating the p12 file is wrong and causes the CertUtil to fail. Specifically, the PEM file I create with BouncyCastle's PEMWriter contains the EC private key but not the EC parameters, while the one by openssl has both. And the p12 I create with openssl with that private key PEM works fine with the CertUtil... – hyongsop Jul 11 '17 at 12:40
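
The difference described in the last comment can be checked without openssl. The following is an added example, not code from the original post or from BouncyCastle: it reports whether an unencrypted SEC1 `EC PRIVATE KEY` PEM file carries curve parameters, either as a separate `EC PARAMETERS` block or as the optional `[0]` field inside the key structure (RFC 5915). The function names are hypothetical and the sample keys are constructed dummy bytes.

```python
import base64
import re

def pem_blocks(text):
    """Return {label: DER bytes} for each unencrypted PEM block in text."""
    pat = r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----"
    return {label: base64.b64decode("".join(body.split()))
            for label, body in re.findall(pat, text, re.S)}

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def ec_key_report(pem_text):
    """Report where curve parameters appear in a SEC1 EC private key PEM."""
    blocks = pem_blocks(pem_text)
    if "EC PRIVATE KEY" not in blocks:
        raise ValueError("no EC PRIVATE KEY block")
    tag, body, _ = read_tlv(blocks["EC PRIVATE KEY"], 0)
    if tag != 0x30:
        raise ValueError("ECPrivateKey must be a SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):  # collect the tags of the top-level fields
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    return {"separate_ec_parameters_block": "EC PARAMETERS" in blocks,
            "embedded_parameters": 0xA0 in tags,   # [0] ECParameters
            "embedded_public_key": 0xA1 in tags}   # [1] BIT STRING

# Constructed sample input: dummy key bytes, not a real key.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only

def pem(label, der):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

P256_OID = bytes.fromhex("06082a8648ce3d030107")  # prime256v1 named curve
CORE = tlv(0x02, b"\x01") + tlv(0x04, bytes(range(1, 33)))  # version, key
BARE_PEM = pem("EC PRIVATE KEY", tlv(0x30, CORE))
FULL_PEM = pem("EC PARAMETERS", P256_OID) + pem(
    "EC PRIVATE KEY", tlv(0x30, CORE + tlv(0xA0, P256_OID)))
```

Running `ec_key_report` on the PEM that went into a failing p12 and on one that imports cleanly shows which form of the parameters differs between them.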

0 Answers