Choose CSP when using Get-Certificate in PowerShell

Georg2G 6 Reputation points
2020-10-06T12:26:47.407+00:00

Hi,

I am looking for a way to change the CSP that is used by the Get-Certificate PowerShell function. To be precise, I am trying to use CSP Type 24, Microsoft Enhanced RSA and AES Cryptographic Provider.

Issuing certificates from the ADCS Enterprise CA using the Get-Certificate command seems only possible when allowing CSP Type 1 (Microsoft Strong Cryptographic Provider, Type: 1 - PROV_RSA_FULL) on the certificate template. Whenever I try to issue a certificate from a template which does not allow CSP Type 1, I get the error:

Command:

$certificate = Get-Certificate -Template $template `
        -SubjectName "CN=$CommonName,O=$Organization,L=$Localization,S=$State,C=$Country,OU=$Department,E=$Email" `
        -DnsName $SAN `
        -CertStoreLocation "cert:\LocalMachine\My" `
        -Url $uri

Error:

Get-Certificate : CertEnroll::CX509Enrollment::Enroll: A certificate request could not be created. A certificate could not be issued by the certification authority.: Unknown cryptographic algorithm.   
0x80091002 (-2146889726 CRYPT_E_UNKNOWN_ALGO)  
At line:1 char:24  
+         $certificate = Get-Certificate -Template $template `  
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    + CategoryInfo          : NotSpecified: (:) [Get-Certificate], Exception  
    + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.GetCertificateCommand  

I checked the official Microsoft documentation for [Get-Certificate](https://learn.microsoft.com/en-us/powershell/module/pkiclient/get-certificate?view=win10-ps), but I could not find an option to define the CSP. There is no parameter to define the CSP.

I am able to issue CSP Type 24 certificates using certutil just fine.
I verified that the CA supports CSP Type 24:

certutil -csplist
Provider Name: Microsoft Enhanced RSA and AES Cryptographic Provider
Provider Type: 24 - PROV_RSA_AES

I also checked on the Windows Server 2019 machine, where I am running Get-Certificate, that the CSP is supported by the OS:

Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

Name                           Property
----                           --------
Microsoft Enhanced RSA and     Image Path : %SystemRoot%\system32\rsaenh.dll
AES Cryptographic Provider     SigInFile  : 0
                               Type       : 24


Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types'

    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types

Name                           Property
----                           --------
Type 024                       Name     : Microsoft Enhanced RSA and AES Cryptographic Provider
                               TypeName : RSA Full and AES

cheers,
Georg

1 answer

  1. Vadims Podāns 9,186 Reputation points MVP
    2020-10-06T13:47:58.097+00:00

    You cannot choose a CSP with the Get-Certificate cmdlet. Instead, you have to change the CSP to use in the certificate template, in the Cryptography tab. It is the only correct and supported way.

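Since the provider list lives on the template rather than on the cmdlet, the practical check is to read the template's `pKIDefaultCSPs` attribute from Active Directory before enrolling, and then confirm which provider actually protected the issued key. The following script is an added example and is not code from the question or the answer; the template name and subject are assumed placeholders, it assumes a domain-joined machine with an enterprise CA reachable through AD (no `-Url`), and it reads the template with `[ADSI]` so it does not need the ActiveDirectory module.

```powershell
# Added example: verify the CSPs a template permits, enroll, and report the
# provider that holds the issued private key. Template name and subject are
# assumptions; replace them with your own values.

$TemplateName   = 'WebServerCustom'   # assumption: CN of your template in AD
$TargetProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'  # Type 24

# pKIDefaultCSPs on a pKICertificateTemplate object holds entries of the form
# "<priority>,<provider name>", e.g. "1,Microsoft Enhanced RSA and AES Cryptographic Provider".
# An empty list means the template does not restrict the provider.
function Get-TemplateCspList {
    param([Parameter(Mandatory)][string]$Name)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfg     = $rootDse.configurationNamingContext
    $tpl     = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $tpl.Properties['pKIDefaultCSPs'] | ForEach-Object {
        $parts = [string]$_ -split ',', 2
        [pscustomobject]@{ Priority = [int]$parts[0]; Provider = $parts[1] }
    } | Sort-Object Priority
}

$csps = @(Get-TemplateCspList -Name $TemplateName)
if ($csps.Count -gt 0) {
    "Template '$TemplateName' permits these providers:"
    $csps | Format-Table -AutoSize
    if ($TargetProvider -notin $csps.Provider) {
        Write-Warning "'$TargetProvider' is not in the template's CSP list; fix the template's Cryptography tab first."
    }
} else {
    "Template '$TemplateName' does not restrict the CSP."
}

# Enroll against the enterprise CA (assumes AD-based CA discovery, so no -Url).
$result = Get-Certificate -Template $TemplateName `
    -SubjectName 'CN=host.example.test' `
    -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    "Enrollment status: $($result.Status)"
    return
}

# For a legacy CSP key, PrivateKey is an RSACryptoServiceProvider whose
# CspKeyContainerInfo names the provider and its type. For a CNG (KSP) key the
# PrivateKey getter throws on .NET Framework, which is itself a useful signal.
try {
    $key = $result.Certificate.PrivateKey
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $key.CspKeyContainerInfo
        "Issued key is held by '$($info.ProviderName)' (provider type $($info.ProviderType))."
        if ($info.ProviderName -ne $TargetProvider) {
            Write-Warning "Key was created with a different CSP than requested."
        }
    } else {
        "Issued key is not a legacy CSP key (object type: $($key.GetType().FullName))."
    }
} catch [System.Security.Cryptography.CryptographicException] {
    "Private key is held by a CNG key storage provider, not a legacy CSP."
}
```

Reading `pKIDefaultCSPs` requires only the default read access that domain users have on the Configuration partition, so this check can run from the enrolling host. The post-enrollment check matters because the CA, not the client, decides whether the key's provider is acceptable for the template; comparing `CspKeyContainerInfo.ProviderType` against the template's list is how you confirm the template change had the intended effect rather than inferring it from the absence of CRYPT_E_UNKNOWN_ALGO.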
