Can't export the EFS private Key with certificate

BlueArgonaut
I can't export the EFS private key with the certificate.
If I try to export the EFS certificate, I can't save the private key. This option was not accessible. The Certificates view shows that it CONTAINS a private key. This can be connected with the problem described in another question: Connected issue

I use Windows 7 64-bit Ultimate. I didn't change the password for any user on the computer. The computer is not on Active Directory; it works in a WORKGROUP. I haven't copied any file or folder between folders in C:\Users

Thanks a lot for your help. I appreciate it.

Hi,

You will need to encrypt a file for the user you want the certificate for first; this will then create the certificate and should allow you to export it.

M@

Author

Commented:
I have the certificate and encrypted files already. There is another connected issue; please see the link "Connected Issue".
Paranormastic (Cryptographic Engineer)

Commented:
Hopefully my post in your other question takes care of this too, but if not try this as a next step for that issue and this one:

Copy the serial number for the certificate from the details tab of the cert, then open a cmd box:
certutil -user -repairstore "paste serial number"
certutil -user -p PASSWORD -exportpfx "paste serial number" C:\temp\FILENAME.pfx

Author

Commented:
Hello Paranormastic,

thanks for the suggestion. The syntax didn't work fine, so I tried several options. Please see the results below.
I used the certificate serial number as you refer, NOT the certificate thumbnail.


----------------------------------------------------------------------------------------------
certutil -myloginname -repairstore "26 68 98 18 97 91 ea ea bc 94 c6 96 54 f3 8a 10"
returned:
CertUtil: Unknown arg: -myloginname

----------------------------------------------------------------------------------------------
certutil -repairstore myloginname "266898189791eaeabc94c69654f38a10"
returned:
myloginname
CertUtil: -repairstore command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

----------------------------------------------------------------------------------------------
certutil -repairstore "266898189791eaeabc94c69654f38a10"
returned:
Expected at least 2 args, received 1
CertUtil: Missing argument

----------------------------------------------------------------------------------------------
certutil -repairstore my "266898189791eaeabc94c69654f38a10"
my
CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807)
CertUtil: Object was not found.

----------------------------------------------------------------------------------------------
certutil -repairstore my "26 68 98 18 97 91 ea ea bc 94 c6 96 54 f3 8a 10"                    
returned:
my
CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807)
CertUtil: Object was not found.
----------------------------------------------------------------------------------------------                    
Paranormastic (Cryptographic Engineer)

Commented:
Don't use myloginname - keep it as -user.

Copy this exactly:
certutil -user -repairstore "26 68 98 18 97 91 ea ea bc 94 c6 96 54 f3 8a 10"
Paranormastic (Cryptographic Engineer)

Commented:
ack.. like this one:

certutil -user -repairstore my "26 68 98 18 97 91 ea ea bc 94 c6 96 54 f3 8a 10"

Author

Commented:
C:\Windows\system32>certutil -user -repairstore my "ac 59 d3 c7 5a 33 16 ad 4c da b2 5a f0 ba a3 53"
my
================ Certificate 1 ================
Serial Number: ac59d3c75a3316ad4cdab25af0baa353
Issuer: CN=jozef
 NotBefore: 15/07/2010 14:26
 NotAfter: 21/06/2110 14:26
Subject: CN=myloginname
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): c6 33 48 a9 d6 f8 2c dd aa cc 61 80 d6 6d 27 45 9d ed 47 b3
  Key Container = 7815678a-bd8f-2356-9e2c-b4dfe155ecf6
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
CertUtil: -repairstore command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.


I got a dialog for inserting a Smart Card.
"A smart card was not detected in the smart card reader."

I don't use a smart card. Then the above message ends up with an error message.
Cryptographic Engineer
Commented:
Try shortening up the lifetime of the cert template.  It is valid for 100 years, in some cases this can be a problem if it is valid after 2040 as that is when many software apps loop around - it shows 2110 in the results, but it may be thinking it isn't valid after last month.  That and it just isn't a good idea for it to be valid for that long - encryption is good and all, but 2048 isn't rated to withstand that long of an attack so it should be kept shorter.  2048 RSA is not recommended by NIST past 2030.

I am a bit confused about the smart card thing, though.  Is this on a laptop that might have a built in reader maybe?  It is pointing towards a standard Microsoft CSP and not the Microsoft Smart Card CSP, so that's a bit odd to me.  Did you install the cert first?  You can do this via cmd:
certutil -addstore my FILENAME.cer
then run the repairstore, etc.
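
An added example, not part of the thread or any poster's code: a small Python helper that normalizes a serial number copied from the Details tab and triages `certutil -repairstore` output by its failure code, run here over transcripts shortened from the ones posted above. The function names and hint strings are assumptions made for illustration.

```python
import re

# HRESULT -> (Windows constant name, what that failure meant in this thread).
HRESULTS = {
    0x80070002: ("ERROR_FILE_NOT_FOUND",
                 "store could not be opened; first argument must be a store such as 'my'"),
    0x80090011: ("NTE_NOT_FOUND",
                 "no match in the store searched; check the serial, add -user"),
    0x8009000B: ("NTE_BAD_KEY_STATE",
                 "certificate and key container found, but the key cannot be used"),
}

def normalize_serial(text):
    """'26 68 98 ..' and '266898..' both become lowercase hex without spaces."""
    serial = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", serial):
        raise ValueError("serial is not an even-length hex string")
    return serial

def triage(output):
    """Extract the fields worth recording from one certutil -repairstore run."""
    def field(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None
    result = {"serial": field(r"^Serial Number:\s*(.+)$"),
              "key_container": field(r"^\s*Key Container\s*=\s*(.+)$"),
              "provider": field(r"^\s*Provider\s*=\s*(.+)$"),
              "hresult": None, "name": None, "hint": None}
    code = field(r"command FAILED:\s*(0x[0-9a-fA-F]{8})")
    if code:
        result["hresult"] = int(code, 16)
        result["name"], result["hint"] = HRESULTS.get(
            result["hresult"], ("UNKNOWN", "run: certutil -error <code>"))
    return result

# Sample transcripts, shortened from the outputs quoted in the thread above.
SAMPLE_FOUND = """my
Serial Number: ac59d3c75a3316ad4cdab25af0baa353
  Key Container = 7815678a-bd8f-2356-9e2c-b4dfe155ecf6
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
CertUtil: -repairstore command FAILED: 0x8009000b (-2146893813)
"""
SAMPLE_MISSING = """my
CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FOUND, SAMPLE_MISSING):
        print(triage(sample))
```

A run that reports a Key Container and Provider before failing has located the certificate, so the remaining problem is with the key itself rather than with the command syntax.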
