olspookishmagus

I felt like starting a new topic/thread on this but anyway, as I'm awaiting @dencorso's response I'd dare to ask for further advice/help and not risking messing up with the forum structure. It seems I'm stuck trying to create an exportable "client" certificate with sha512. With sha1 or md5 it will be created and imported successfully. Otherwise it fails with: Error: CryptSignAndEncodeCertificate(cbEncoded == 0) failed => 0x80090008 (-2146893816) Failed The command that fails is: makecert -pe -n "CN=PowerShell Local User" -ss My -sr CurrentUser -a sha512 -len 2048 -m 13 -sy 24 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -eku 1.3.6.1.5.5.7.3.3 -iv PowerShell_Local_Certificate_Authority.pvk -ic PowerShell_Local_Certificate_Authority.cer While the command that will succeed is: makecert.exe -pe -n "CN=PowerShell Local User" -ss My -sr CurrentUser -a sha1 -len 4096 -m 13 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -sy 24 -eku 1.3.6.1.5.5.7.3.3 -iv PowerShell_Local_Certificate_Authority.pvk -ic PowerShell_Local_Certificate_Authority.cer Also clarifying that both the referenced .pvk and .cer files were successfully previously generated with: makecert.exe -r -ss Root -sr localMachine -eku 1.3.6.1.5.5.7.3.3 -sy 24 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -a sha512 -len 4096 -m 13 -n "CN=PowerShell Local Certificate Authority" -sv PowerShell_Local_Certificate_Authority.pvk PowerShell_Local_Certificate_Authority.cer Last and not least thanks you so much for your help, @mixit!

Ok, thanks! It worked for me too, at a Command Prompt.

Not working for me. Before I post my full command, would you mind letting me know whether your run this from PowerShell or from Command Prompt (cmd)? Thanks once more.

Well my initial post was that I couldn't have makecert working in WinXP which you guided me in resolving this. Now I've reached another burden about which I posted here. If there a way to mark this as resolved I would just do that but if you insist on having the topic title changed too, feel free to PM me your suggested topic title.

Hello. I've been trying to utilise makecert to create a self-signed cert but I can't get find the required makecert syntax for its -n option to create DNs containing commas. An example that would fail is: makecert.exe -r -pe -n "CN=Litware,OU=Docs\,Adatum,DC=Fabrikam,DC=COM" -a md5 -sky signature -cy authority -sv Litware_Root_CA.pvk -len 512 -m 13 -ss Root -sr localMachine -eku 1.3.6.1.5.5.7.3.3 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -sy 24 Litware_Root_CA.cer And it would fail as such: Error: CryptCertStrToNameW failed => 0x80092023 (-2146885597) If you remove the removed the escaped comma character from the OU DN everything would proceed Ok. What I have already tried: -n quoted with DNs quoted DNs seperator special chars error --------------- ----------- -------------- -------------- ------ double quotes no comma unescaped E1 double quotes no comma escaped E1 double quotes no semicolon unescaped E1 double quotes no semicolon escaped E1 double quotes yes, double quotes comma unescaped E2 double quotes yes, double quotes comma escaped E2 double quotes yes, double quotes semicolon unescaped E2 double quotes yes, double quotes semicolon escaped E2 single quotes no comma unescaped E1 single quotes no comma escaped E1 single quotes no semicolon unescaped E1 single quotes no semicolon escaped E1 single quotes yes, double quotes comma unescaped E1 single quotes yes, double quotes comma escaped E1 single quotes yes, double quotes semicolon unescaped E1 single quotes yes, double quotes semicolon escaped E1 E1: Error: CryptCertStrToNameW failed => 0x80092023 (-2146885597) E2: Error: Too many Parameters Just to clarify, I'm running makecert version 6.1.7600.16385 from within PowerShell version 2.0. So I would appreciate any help on how to overcome this.

I did! But then I saw the newer options of the makecert.exe version: 6.1.7600.16385 (win7_rtm.090713-1255) and I got greedy! Once again you let me astonished. Thanks! Ok, did say "astonished"? Let me upgrade that to "flabbergasted"! Can I buy you a beer somehow?

Changing the algorithm to sha-1 (-a sha1) brought me to success! Thanks a ton mixit, thanks a ton MSFN!

Whoa! Thanks for the tip. And I followed that advice and the outcome is at the bottom of this post. I used v2.94 flawlessly but it's useful to know which is the last working version working with XP. (I've always thought it would be useful to have a catalog of the last version of software that works with XP.) Nevermind the IRP_MJ_* messages, I've installed the latest SDK for Windows XP and after typing, re-typing and confirming (!) the private key password, now I get this: Error: CryptSignAndEncodeCertificate(cbEncoded == 0) failed => 0x80090008 (-2146893816) Failed I'll now have to look on how to surpass that too.

Ok, without being sure I did what i did right (duh ^^) I get this type of "error": Operation : IRP_MJ_CREATE Result : NAME COLLISION Path : $Env:USERPROFILE\Application Data\Microsoft\Crypto\RSA\S-ID I think I'm getting there.

Thanks for your reply and the welcome (I hope MSFN WILL be around for ever). What are the "POSReady updates"? Mine is version: 5.131.3790.0 with sha1sum: 53bbd8b86fcbee9316e02af399634522b12539b0. This is what I've been investigating on lately. I'm logged in as an Active Directory user who is also a member of the local Administrators group. There's also a local user with the same "name" but these two "accounts" have different S-ID(s). Still, no combination of currently active user can generate a key/certificate (I've been trying with runas). However I can freely create and delete files within CryptoAPI related directories. However, I'm noticing some small difference and inconsistencies though. More info on this procedure, please.

Hello. I'm struggling to create a private key in order then to use to sign a PowerShell Script and I would really use some help on this. Firstly I wanted to be able to run PowerShell scripts without having to lower PowerShell's Execution-Policy and in order to do that one should have to be able to sign scripts. Therefore and after installing the Windows SDK I'm trying to create a private key (and then a certificate) in order to be able to sign scripts. But this fails likewise: C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine Error: Can't create the key of the subject ('root.pvk') Failed And so I've begun trying to debug this, with no success. So far I've checked with these: I checked with makecert's documentation to check whether the command parameters are correct executed the command from within a non-special directory executed the command as the local Administrator user executed the command from an "elevated" Command Prompt or an "elevated" PowerShell made sure the security permissions for _ALL_ the Crypto/RSA directories are set as indicated If you have any ideas or you would like to share your insights or have me walk again over again something I've already tried/mentioned please feel free to comment. Thanks in advance.