certutil importpfx to a TPM fails

  • Question

  • Hello,

    I'm trying to import a PFX into the TPM KSP using certutil. The following command fails:

    certutil -p password -csp "Microsoft Platform Crypto Provider" -v -importPFX -ent -f "C:\Tempt\test.pfx" NoChain,NoExport

    with error:

    CertUtil: -importPFX command FAILED: 0x80090027 (-2146893785 NTE_INVALID_PARAMETER)

    I'm using Windows 10. Any idea what could be wrong?

    I've tried different options (-ent my, -user, -user my, NoExport, no modifier, ...) all with the same result.

    Thursday, July 26, 2018 7:00 PM

All replies

  • Hi, 

    -ent is not the proper parameter.

    The correct parameter should be:

    For more information about the certutil command line, please refer to: certutil

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 27, 2018 8:18 AM
    Moderator
  • The command is importPFX, not ent. My syntax is correct, see https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil#BKMK_importPFX and https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil#BKMK_Store (-ent being short for -enterprise)
    Friday, July 27, 2018 9:56 AM
  • By the way, removing the modifiers gives:

    CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

    Sunday, July 29, 2018 10:44 AM
  • Hi, 

    According to my research, error code 0x80090029 is related to insufficient privilege. Is it a local device or a domain-joined device? Please make sure you have enough rights to run this command line in a domain environment. If you are using a local device, make sure you use the administrator account.

    I noticed your command is "-p password"; however, the parameter "-p" should be followed by a real password such as "123456aA". Try changing to another password. Then try adding the "-user" parameter to this command.

    By the way, I didn't find any information about "-ent", which you said is short for enterprise. Please run the command "certutil /?" to check, or provide a capture for us of the abbreviation.

    Here are the cases I refer to:

    https://social.technet.microsoft.com/Forums/en-US/813e944b-a517-4b2f-9807-4e3ac3d6a79d/request-not-supported-while-enrolling-computer-certificate-from-2008-r2-ca?forum=winserversecurity
    https://anotherexchangeblog.wordpress.com/tag/importpfx-command-failed-0x80090029/

    Bests,



    Tuesday, July 31, 2018 8:41 AM
    Moderator
  • "password" is the password of my PFX file. I'm running this command from a cmd.exe launched as administrator with elevated privileges.

    I need the certificate/key in machine context, not in user context, so I can't use -user.

    And finally, please find below the output of certutil -importPFX -? . You'll notice the -ent.

    certutil -importpfx -?
    Usage:
      CertUtil [Options] -importPFX [CertificateStoreName] PFXFile [Modifiers]
      Import certificate and private key
        CertificateStoreName -- Certificate store name.  See -store.
        PFXFile -- PFX file to be imported
        Modifiers -- Comma separated list of one or more of the following:
                AT_SIGNATURE -- Change the KeySpec to Signature
                AT_KEYEXCHANGE -- Change the KeySpec to Key Exchange
                NoExport -- Make the private key non-exportable
                NoCert -- Do not import the certificate
                NoChain -- Do not import the certificate chain
                NoRoot -- Do not import the root certificate
                Protect -- Protect keys with password
                NoProtect -- Do not password protect keys
        Defaults to personal machine store.
        Modifiers:
          NoExport
          ExportEncrypted
          NoCert
          NoChain -- End Entity certificate only
          NoRoot -- Exclude root certificate
          NoProtect
          Protect
          ProtectHigh
          Pkcs8
          AT_SIGNATURE
          AT_KEYEXCHANGE
          FriendlyName=
          KeyFriendlyName=
          KeyDescription=
          VSM
    
    Options:
      -f                -- Force overwrite
      -Enterprise       -- (-ent) Use local machine Enterprise registry certificate store
      -user             -- Use HKEY_CURRENT_USER keys or certificate store
      -GroupPolicy      -- (-gp) Use Group Policy certificate store
      -Unicode          -- Write redirected output in Unicode
      -gmt              -- Display times as GMT
      -seconds          -- Display times with seconds and milliseconds
      -Silent           -- (-q) Use silent flag to acquire crypt context
      -v                -- Verbose operation
      -privatekey       -- Display password and private key data
      -pin PIN                  -- Smart Card PIN
      -p Password               -- Password
      -csp Provider             -- Provider
            KSP -- "Microsoft Software Key Storage Provider"
            TPM -- "Microsoft Platform Crypto Provider"
            NGC -- "Microsoft Passport Key Storage Provider"
            SC -- "Microsoft Smart Card Key Storage Provider"
      -sid WELL_KNOWN_SID_TYPE  -- Numeric SID
                22 -- Local System
                23 -- Local Service
                24 -- Network Service

    Tuesday, July 31, 2018 3:19 PM
  • Hi,

    Thank you for your information. I found that the -ent parameter really exists in Windows 10 1803. It might have some changes between different system versions.

    For your issue, try to import the certificate to the certificate store. If you want to have the enterprise store, try to import the certificate to the enterprise store, then import to the TPM to check.

    If the issue persists, please download the Process Monitor tool, then reproduce the issue and monitor the thread information with this tool.

    Bests,  

     



    Friday, August 3, 2018 2:34 AM
    Moderator
  • Hi, 

    Any update?

    Bests,



    Monday, August 6, 2018 1:40 AM
    Moderator
  • Hello,

    I've tried several combinations, and noticed that without the "-enterprise" flag it gives exactly the same behavior. So I'll be testing without this flag, as I don't think it's involved in the current issue.

    IMHO, the issue is linked directly to the "Microsoft Platform Crypto Provider", as the same command line succeeds if I choose the Software KSP.

    For the record, the exact command line I'm working with is:

    certutil -p password -csp "Microsoft Platform Crypto Provider" -v -importPFX -f "C:\Tempt\test.pfx" NoExport,NoChain,NoRoot,NoProtect

    And i still get:

    CertUtil: -importPFX command FAILED: 0x80090027 (-2146893785 NTE_INVALID_PARAMETER)

    Using Process Monitor, the only non-success call made by certutil.exe is the following:


    Event Class:    File System
    Operation:    CreateFileMapping
    Result:    FILE LOCKED WITH ONLY READERS
    Path:    C:\Windows\System32\certutil.exe
    TID:    3464
    Duration:    0.0000042
    SyncType:    SyncTypeCreateSection
    PageProtection:    PAGE_EXECUTE|PAGE_NOCACHE

    Which means nothing to me...



    Sunday, August 12, 2018 9:18 AM
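To separate a provider-specific failure from a syntax, store-selection or privilege problem, here is an added PowerShell diagnostic. It is not code from the thread or from Microsoft: it checks that the shell is elevated and what state the TPM is in, confirms both KSPs are registered, runs the same -importPFX line from the post above against the Platform Crypto Provider and then against the software KSP, and decodes any NTE_ error with certutil -error. The PFX path, password and modifier list are parameters with the thread's values as defaults; the Get-Tpm cmdlet (TrustedPlatformModule module) and the "Provider Name:" line format of certutil -csplist output are assumptions.

```powershell
# Added diagnostic for the thread above; not code from the original post or from Microsoft.
# Assumptions: Windows 10 with certutil.exe on PATH, an elevated PowerShell session, a PFX at
# $PfxPath protected by $PfxPassword (thread values used as defaults), and the Get-Tpm cmdlet
# from the built-in TrustedPlatformModule module.
param(
    [string]$PfxPath     = 'C:\Tempt\test.pfx',                 # assumption: adjust to your file
    [string]$PfxPassword = 'password',                          # assumption: the PFX password
    [string]$Modifiers   = 'NoExport,NoChain,NoRoot,NoProtect'  # modifier list from the thread
)

# Try the TPM KSP first, so that a successful software import (-f overwrites) cannot mask
# which provider ends up owning the key in the machine MY store.
$ProviderNames = @(
    'Microsoft Platform Crypto Provider',      # certutil alias: TPM
    'Microsoft Software Key Storage Provider'  # certutil alias: KSP
)

function Test-ElevatedShell {
    # -importPFX into the machine store needs an elevated token, not merely an admin account.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RegisteredKspNames {
    # Assumption: certutil -csplist prints one "Provider Name: <name>" line per CSP/KSP.
    foreach ($line in (& certutil.exe -csplist)) {
        if ($line -match '^Provider Name:\s*(.+)$') { $Matches[1].Trim() }
    }
}

function Invoke-PfxImport {
    param([Parameter(Mandatory)][string]$ProviderName)
    # Same verb and modifiers as the thread; -f forces overwrite of an existing certificate.
    $output = (& certutil.exe -p $PfxPassword -csp $ProviderName -f -importPFX $PfxPath $Modifiers 2>&1) | Out-String
    $exit   = $LASTEXITCODE
    # certutil reports failures as "... command FAILED: 0x80090027 (-2146893785 NTE_INVALID_PARAMETER)".
    $match  = [regex]::Match($output, 'command FAILED:\s*(0x[0-9A-Fa-f]{8})')
    $code   = if ($match.Success) { $match.Groups[1].Value } else { $null }
    # certutil -error translates the HRESULT into its NTE_ name and message text.
    $detail = if ($code) { (& certutil.exe -error $code | Select-Object -First 2) -join ' ' }
              else       { 'completed successfully' }
    [pscustomobject]@{
        Provider = $ProviderName
        Success  = (-not $match.Success) -and ($exit -eq 0)
        Code     = $code
        Detail   = $detail
    }
}

if (-not (Test-ElevatedShell)) {
    throw 'Run this from an elevated prompt; -importPFX into the machine store needs it.'
}

$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent); TPM ready: $($tpm.TpmReady)"

$registered = Get-RegisteredKspNames
foreach ($name in $ProviderNames) {
    'KSP registered: {0,-40} {1}' -f $name, ($registered -contains $name)
}

$results = foreach ($name in $ProviderNames) { Invoke-PfxImport -ProviderName $name }
$results | Format-Table -AutoSize

$tpmResult  = $results | Where-Object Provider -eq 'Microsoft Platform Crypto Provider'
$softResult = $results | Where-Object Provider -eq 'Microsoft Software Key Storage Provider'
if ($softResult.Success -and -not $tpmResult.Success) {
    "Same command line succeeds with the software KSP and fails with $($tpmResult.Code) on the TPM KSP:"
    'the failure is specific to the Platform Crypto Provider, not to syntax, store selection or privileges.'
}
```

Run it from an elevated PowerShell prompt, passing -PfxPath and -PfxPassword for your own file. Note that a successful software-KSP import leaves a software-backed key behind in the machine MY store; delete that certificate (for example with certutil -delstore My and the certificate's serial number) before attempting a production import, or the forced overwrite will keep replacing it.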
  • Is there any solution for this. Because I got the same error.
    Friday, November 22, 2019 4:40 PM