certificate - keyset does not exist when the private key clearly exists

Question

We have a service that will generate a CA cert and use that CA cert to sign all other required certs on startup.

The CA cert has an associated private key and is stored in the windows certificate store with Exportable flag. This works fine on most machines but on one of our QA's machine we run into some nasty issues.

When I load the CA cert from the cert store in code and checked HasPrivateKey flag it returns true. Then when I attempt to use the CA cert to sign another cert. It throws keyset does not exist exception.

In the certificate store it says the certificate is valid. On the general page it says

You have a private key that corresponds to this certificate

Good sign! But when we try to right click -> Task -> Export it. The include private key button is grayed out and says

The associated private key cannot be found. Only the certificate can be exported

We thought its a permission issue so we run mmc in admin mode and still the same result.

On my dev machine I noticed that the private key file is stored in %APPDATA%MicrosoftCryptoKeys but its not the case for our QA's machine. We cannot find the private key file in the same folder with the timestamp = CA cert generated time. We also looked into

%ALLUSERSPROFILE%Application DataMicrosoftCryptoSystemKeys
%WINDIR%ServiceProfilesLocalService
%ALLUSERSPROFILE%Application DataMicrosoftCryptoKeys

but no luck still.

The account used to run the service is Local System so permission shouldnt be an issue here. No special anti-virus installed other than Windows Defender and nothing in Defender's history either.

question from:https://stackoverflow.com/questions/65888910/keyset-does-not-exist-when-the-private-key-clearly-exists

Answer 1

Waitting for answers