Cannot export private key: "key not valid for use in specified state"

    Question

  • Hi,

    This is a bit of a long story but I hope someone can give us some guidance.

    We use authentication certificates issued from our own Enterprise CA to control user and machine authentication via RADIUS/NPS for our wireless network.  Certificates are deployed via group policy/autoenrollment. In general this works well but we have an intermittent problem where user authentication stops working for a user who was fine before. The user certificate looks OK via Certmgr (shows as valid, shows that there is a private key associated with the certificate).  The NPS server logs show that the machine has been authenticated and granted access, but the user in this situation doesn't show up in the server logs at all. 

    The only solution in this case is to connect to the wired network and request a new certificate for the user (either via certmgr or just by deleting the duff cert and logging off/on again to get the cert via autoenrollment).

    The interesting thing is that while a "working" certificate can be exported with no problem, a duff certificate cannot be exported with its private key, giving the error "key not valid for use in specified state". (Obviously the certificates come from the same template, and the key is not marked unexportable).  The key files are present in %userprofile%\Appdata\Roaming\Microsoft\Crypto\RSA and the user permissions on these files look correct.

    After much searching of the forums I tried running certutil -repairstore on the duff certificate and that also returned the same error.  I also tried an undocumented switch Certutil -user -key -v and again, got a very similar error "Loadkeys returned key not valid for use in specified state. 0x8009000b (-2146893813)".

    I'm assuming that the fact that the key is unexportable/corrupt is also the reason why the certificate can no longer be used for authentication.

    Does anyone have any clues as to what might be causing this, and/or if a certificate with a key in this state can be repaired?

    Thanks!

    Thursday, May 29, 2014 2:12 PM
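As an added triage example (not from the thread), a PowerShell check that does programmatically what the question does by hand in certmgr: it walks Cert:\CurrentUser\My, forces each private key to be opened, and flags certificates whose key fails with 0x8009000B so they can be re-enrolled before the user hits the wireless failure. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later (for RSACertificateExtensions); the function name is mine.

```powershell
# Added triage script, not part of the thread. For every certificate in the user's personal store
# that claims a private key, it forces the CSP/KSP to actually open the key. certmgr only shows
# "has a private key"; an unusable key container surfaces here as a CryptographicException
# with HRESULT 0x8009000B (NTE_BAD_KEY_STATE), the error quoted in the question.

# PowerShell parses this 8-digit hex literal as a signed Int32, -2146893813, the value certutil printed.
$NTE_BAD_KEY_STATE = 0x8009000B

function Test-UserCertificateKeys {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # personal store, as in the thread

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $info = [ordered]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyLoadable   = $null      # stays $null when there is no key to test
            Exportable    = $null
            Error         = $null
        }
        if ($cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                $info.KeyLoadable = ($null -ne $key)
                # the exportable flag is only exposed through the legacy CSP wrapper
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $info.Exportable = $key.CspKeyContainerInfo.Exportable
                }
            }
            catch {
                # PowerShell wraps .NET exceptions; the CryptographicException is the inner one
                $ex = $_.Exception
                if ($ex.InnerException) { $ex = $ex.InnerException }
                $info.KeyLoadable = $false
                $info.Error = '0x{0:X8} {1}' -f $ex.HResult, $ex.Message
                if ($ex.HResult -eq $NTE_BAD_KEY_STATE) {
                    $info.Error += ' <- NTE_BAD_KEY_STATE, the symptom described in the question'
                }
            }
        }
        [pscustomobject]$info
    }
}

# Report only certificates whose key exists on paper but cannot be opened: these are the
# candidates for deletion and re-enrollment via autoenrollment, as the question describes.
Test-UserCertificateKeys |
    Where-Object { $_.HasPrivateKey -and $_.KeyLoadable -eq $false } |
    Format-Table Subject, Thumbprint, NotAfter, Error -AutoSize
```

Run it in the affected user's session (the keys live in that user's profile); a clean machine returns no rows, so the output doubles as a quick pre-flight check after a password change or profile event.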

All replies

  • Hi Nicky,

    Has this problematic certificate been restored before?

    Best Regards,

    Amy

    Friday, May 30, 2014 9:23 AM
    Moderator
  • Hi Amy,

    Thanks for replying.

    No, the certificates haven't been restored before when they start to display this problem. 

    I'm currently wondering if it's something to do with password changes, based on this which seems to have the same error message:

    http://stackoverflow.com/questions/2240152/changing-password-messing-w-named-key-containers-under-win-7

    ... but I can't reproduce the issue on a working machine with either a normal password change or changing the password via Active Directory so that might be a red herring.

    Nicky

    Friday, May 30, 2014 10:04 AM
  • I can just share an experience I once had that was somewhat similar:

    In this case certificates could sometimes not be enrolled and the CSP came up with a related error message.

    The root was the software / driver (?) for a hardware dongle required to run some software. This "driver" added a registry key to the list of CSPs (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider, but I have seen this with XP, so the exact location might be different now).

    This fake CSP entry, which had quite a weird name, effectively broke other CSPs. After removing it, access to / generation of keys worked fine.

    So it would be interesting to know if you run some software that is "close to CSPs or cryptography".

    Elke

    Friday, May 30, 2014 10:50 AM
  • Hi Elke,

    Thanks for the reply. I've just checked on a problem machine and the list of providers under HKLM\Software\Microsoft\Cryptography\Defaults\Provider looks pretty clean - the only providers listed are Microsoft ones, nothing with a weird name like you saw.

    I'm wondering if 0x8009000b is a pretty generic error as there seem to be lots of different situations that can generate it?

    I've got a case opened with Microsoft on this now so if I get any useful info I'll post back; meantime any other suggestions welcome because this is driving us crazy!

    Nicky

    Friday, May 30, 2014 11:03 AM
  • Hi Nicky,

    Do you have any progress by now?

    Hope that Microsoft Support team has solved the issue.

    Regards,

    Amy

    Tuesday, June 17, 2014 3:04 AM
    Moderator
  • Hi Amy, not much to report - the certificate isn't repairable and we don't know how it got corrupted, so support have recommended that we enable DPAPI auditing so that when/if it happens again we should at least have a bit more info.

    Tuesday, June 17, 2014 12:57 PM
  • Hi, 

    Is this issue resolved? We are also getting the same error while a client is connecting using Cisco AnyConnect. Did MS give a concrete solution?

    If yes, kindly share the solution please.

    Thanks,

    Kiru

    Friday, May 26, 2017 10:10 AM