Windows Server - "MY" certificate store not found? What's going on?

Asked By jamesdul on 30-Jan-07 01:25 PM

I've written a dll file that uses CAPI to retrieve a user's
certificates and private keys.  The relevant code portions are given
below.  The problem I'm encountering is that for some users, the
PFXExportCertStore() function fails returning a NTE_BAD_KEYSET error
when attempting to export from the "MY" certificate store.

All of the users that have encountered this problem have valid digital
signature certificates imported into Internet Explorer/Outlook (and
connecting to SSL enabled systems that use these certificates show
that they work properly).  Additionally, each user checked the "Enable
export of private keys" feature when they originally imported the
digital signature keys into Internet Explorer.

Does anyone have an idea why PFXExportCertStore() fails for some users
but not others?

Code snippet (typed, not pasted):

BOOL getStoreData(HCERTSTORE hSystemStore, PCRYPT_DATA_BLOB* pfx);

void main(void) {

if (hSystemStore = CertOpenSystemStore(0, "MY")) {

if (getStoreData(hSystemStore, &pfx))) {
printf("Export worked\n");
} else {
printf("Export failed\n");

BOOL getStoreData(HCERTSTORE hSystemStore, PCRYPT_DATA_BLOBK* pfx) {

*pfx = (PCRYPT_DATA_BLOB) malloc(sizeof(CRYPT_DATA_BLOB));
(*pfx)->pbData = NULL;

if (PFXExportCertStore(hSystemStore, *pfx, L"password",
/* Allocate the propery memory and call export again... */
} else {
/* HERE IS THE PROBLEM.  Why did this happen??? */
printf("Export failed.  Error code = %u\n", GetLastError());

Andrew Tucker [MSFT] replied on 30-Jan-07 10:47 PM
Usually this means that you could not acquire the CAPI key container
for the certificate's private key,
either because the container did not exist or you didnt have access
based on the ACL.

If you look at the certificates that are failing in certmgr.msc does
it say that you have a valid, accessible private key?
jamesdul replied on 01-Feb-07 04:19 PM
On Jan 30, 10:47 pm, "Andrew Tucker [MSFT]" <>


Thank you for taking the time to help, I appreciate it.  Here's some
follow up information:

The program I'm writing extracts a user's certificates/private keys
from their Windows system store and exports them using the
PFXExportCertStore() function.  I take the exported certificate store
data and send it over to a Java application.  Up until last week, this
program worked correctly for me every time I ran it.  Other people
tested this program and it worked, others reported it as failing.  I
could not reproduce the failure so I logged into 2 or 3 other
workstations at the my office to see if was a workstation specific
issue.  Eventually, I was able to reproduce the problem.  When I
logged back into my original workstation, the program failed every
time I ran it.  My hunch was that my Windows profile had somehow
gotten whacked when I logged onto one of the other workstations (one
of the other machines used a roaming profile for me).  I was able to
confirm this hypothesis by having an SA restore my profile to a backup
from a few days prior.  The program worked 100% with the old profile.
So, whatever it is that's causing the program to fail (and causing it
to fail for other people at my company) is something rooted in the
Windows profile.

I checked and the Certificate Manager program did not list a "MY" (or
any mixed-case variant) certificate store.  I did, however, have a
key encipherment certificates.  When I opened either, they both had
the text "You have a private key that corresponds to this
certificate", and "This certificate is ok" for its status.  The
Certificate Manager also listed several certificate store variations I
had tested when running my program.  I suppose they got created when I
called CertOpenSystemStore(0, <variation>).

When I call PFXExportCertStore() using the "Personal" certificate
store, only 85 bytes of data are exported.  If my certificates really
were stored in the "Personal" certificate store, why am I only getting
85 bytes worth of data?

Lastly, there was one certificate entry listed under "Certificate
Enrollment Requests" -> "Certificates" that when opened said "The
integrity of this certificate cannot be guaranteed.  The certificate
might be corrupted or may have been altered".   The entry appeared to
be one of my certificates.  Do you think this is meaningful?