CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x8009000b

Hi all,

One of the issues we may find when trying the code in my post How to create a certificate request that uses key archival with CertEnroll (JavaScript) is the following error when creating the request: 

CertEnroll::CX509Enrollment::p_CreateRequest: Key not valid for use in specified state. 0x8009000b (-2146893813)


If the issue happens on Vista RTM but not on Vista SP1/Server 2008 or later, then this may be the issue:

When CertEnroll creates the request, it needs to export the private key of the certificate we are requesting in order to encode it and send it to the CA for key archival. This export fails if the key was not generated with at least one of these flags: CRYPT_EXPORTABLE or CRYPT_ARCHIVABLE. These are flags that CertEnroll should pass to the CryptGenKey API when it generates the key under the hood.

Those flags are derived from the ExportPolicy property of the X509Enrollment.CX509PrivateKey object. If we specify XCN_NCRYPT_ALLOW_EXPORT_FLAG or XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG, the key is created with the CRYPT_EXPORTABLE flag, and if we specify XCN_NCRYPT_ALLOW_ARCHIVING_FLAG or XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG, the key is created with the CRYPT_ARCHIVABLE flag.

On Vista SP1/Server 2008 and later, XCN_NCRYPT_ALLOW_ARCHIVING_FLAG is set by default. This doesn't happen on Vista RTM, so explicitly setting ExportPolicy to XCN_NCRYPT_ALLOW_ARCHIVING_FLAG (0x4) should make things work there. Or even better, update to Vista SP2, and you can forget about this and many other issues ;-)
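To make the fix concrete, here is an added JScript example (not code from the original post) that sets ExportPolicy before the key is created and checks up front whether the policy would yield CRYPT_EXPORTABLE or CRYPT_ARCHIVABLE, so the 0x8009000b failure is caught before CreateRequest. The flag values follow the Windows SDK headers; the provider name, container name and the injected object factory are assumptions so the logic can also run outside Internet Explorer.

```javascript
// ExportPolicy values of CX509PrivateKey (X509PrivateKeyExportFlags, from the SDK).
var XCN_NCRYPT_ALLOW_EXPORT_FLAG = 0x1;
var XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG = 0x2;
var XCN_NCRYPT_ALLOW_ARCHIVING_FLAG = 0x4;
var XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG = 0x8;
// CryptGenKey flags (wincrypt.h) that CertEnroll derives from ExportPolicy.
var CRYPT_EXPORTABLE = 0x1;
var CRYPT_ARCHIVABLE = 0x4000;
var XCN_AT_KEYEXCHANGE = 1; // key archival applies to exchange keys

// Mirrors the mapping described in the post: export flags -> CRYPT_EXPORTABLE,
// archiving flags -> CRYPT_ARCHIVABLE. Returns the CryptGenKey flag bits.
function cryptGenKeyFlagsFor(exportPolicy) {
  var flags = 0;
  if (exportPolicy & (XCN_NCRYPT_ALLOW_EXPORT_FLAG | XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG)) {
    flags |= CRYPT_EXPORTABLE;
  }
  if (exportPolicy & (XCN_NCRYPT_ALLOW_ARCHIVING_FLAG | XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG)) {
    flags |= CRYPT_ARCHIVABLE;
  }
  return flags;
}

// Key archival needs at least one of the two bits; otherwise CreateRequest
// fails with 0x8009000b (NTE_BAD_KEY_STATE) when it tries to export the key.
function keyUsableForArchival(exportPolicy) {
  return cryptGenKeyFlagsFor(exportPolicy) !== 0;
}

// Builds the private key for an archival request. createObject is a factory
// (assumption) so the function can run with a fake outside IE; in IE pass
// function (progId) { return new ActiveXObject(progId); }.
function createArchivablePrivateKey(createObject, containerName) {
  var key = createObject("X509Enrollment.CX509PrivateKey");
  key.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"; // assumed CSP
  key.ContainerName = containerName;
  key.KeySpec = XCN_AT_KEYEXCHANGE;
  key.Length = 2048;
  // The Vista RTM fix from the post: do not rely on the default, set it explicitly.
  key.ExportPolicy = XCN_NCRYPT_ALLOW_ARCHIVING_FLAG;
  if (!keyUsableForArchival(key.ExportPolicy)) {
    throw new Error("ExportPolicy would not allow key archival (would fail with 0x8009000b)");
  }
  key.Create(); // generates the key pair with CRYPT_ARCHIVABLE under the hood
  return key;
}

if (typeof ActiveXObject !== "undefined") { // only inside Internet Explorer
  createArchivablePrivateKey(function (progId) { return new ActiveXObject(progId); }, "ArchivalDemo");
}
```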

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

Comments

  • Anonymous
    June 17, 2009
    I am receiving the same error code (0x8009000b) with Vista SP2 installed. My scenario is slightly different though because I am creating the key pair using CryptGenKey, exporting it with CryptExportKey and then setting it on the IX509PrivateKey using its Import method. I call CryptGenKey with flags set to CRYPT_EXPORTABLE | CRYPT_ARCHIVABLE. The call to IX509PrivateKey::Import succeeds and I can generate a CSR successfully IF I do not request key archival (via the IX509CertificateRequestCmc object). If I request key archival I receive the "Key not valid in specified state" error. Note that attempts to set private key properties AFTER the key is imported fail with "Key is read only" return codes. I can't set export policy etc. after the import. Any help would be appreciated as I've been working on this for well over a week now. Thanks!
  • Anonymous
    June 17, 2009
    As you said, the scenario is different, so I really have no idea what could be going on. I would need to debug this new scenario. And for that I would need a Microsoft Technical Support case to work on...
  • Anonymous
    July 13, 2009
    Hi Alex, I was able to reproduce the problem and debug it. The problem occurs because IX509PrivateKey::Import does not honor the ExportPolicy flags. CryptImportKey is always called with a flag of zero so the key will never be exportable/archivable. When CreateRequest is called, CryptExportKey fails with 0x8009000b which is bubbled up to CreateRequest. I'll need to find out whether this is by design. Thanks, Carlos
  • Anonymous
    April 16, 2013
    I am downloading a digital signature certificate using Win 7 IE 8 with USB, I am getting this error CERTENROLL:cx509eenrollment:_create request:the parameter is incorrect 0x80070057 (win32:86). Please help, I am unable to download.
  • Anonymous
    September 16, 2013
    Hi, How can we add custom fields while creating the certificate?