

CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x8009000b

Hi all,

One of the issues we may run into when trying the code from my post How to create a certificate request that uses key archival with CertEnroll (JavaScript) is the following error when creating the request:

CertEnroll::CX509Enrollment::p_CreateRequest: Key not valid for use in specified state. 0x8009000b (-2146893813)


If the issue happens on Vista RTM but not on Vista SP1/Server 2008 or later, this may be the cause:

When CertEnroll creates the request, it needs to export the private key of the certificate being requested, so that it can be encoded and sent to the CA for key archival. This export fails if the key wasn't generated with at least one of the flags CRYPT_EXPORTABLE or CRYPT_ARCHIVABLE. These are flags that CertEnroll passes to the CryptGenKey API when it generates the key under the hood.

Those flags are derived from the ExportPolicy property of the X509Enrollment.CX509PrivateKey object: if we specify XCN_NCRYPT_ALLOW_EXPORT_FLAG or XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG, the key is created with the CRYPT_EXPORTABLE flag, and if we specify XCN_NCRYPT_ALLOW_ARCHIVING_FLAG or XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG, the key is created with the CRYPT_ARCHIVABLE flag.

On Vista SP1/Server 2008 and later, XCN_NCRYPT_ALLOW_ARCHIVING_FLAG is set by default. On Vista RTM it isn't, so setting ExportPolicy to XCN_NCRYPT_ALLOW_ARCHIVING_FLAG (0x4) should make things work there. Or even better, update to Vista SP2 and forget about this and many other issues ;-)
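Added example (not code from the original post or from the CertEnroll SDK): a small pre-flight check in JavaScript that mirrors the ExportPolicy to CryptGenKey mapping above and adds XCN_NCRYPT_ALLOW_ARCHIVING_FLAG only when the current policy would leave the key non-exportable. The numeric values of the other XCN_* flags and of CRYPT_EXPORTABLE/CRYPT_ARCHIVABLE are the SDK constants, and the ActiveXObject block at the end assumes the same IE/JScript context as the original post.

```javascript
// ExportPolicy bits of X509Enrollment.CX509PrivateKey (same values as the
// NCRYPT_ALLOW_* flags in ncrypt.h).
const XCN_NCRYPT_ALLOW_EXPORT_FLAG = 0x1;
const XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG = 0x2;
const XCN_NCRYPT_ALLOW_ARCHIVING_FLAG = 0x4;
const XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG = 0x8;

// CryptGenKey flags (wincrypt.h) that CertEnroll derives from ExportPolicy.
const CRYPT_EXPORTABLE = 0x00000001;
const CRYPT_ARCHIVABLE = 0x00004000;

// Mirror the mapping described in the post: the two export bits yield
// CRYPT_EXPORTABLE, the two archiving bits yield CRYPT_ARCHIVABLE.
function cryptGenKeyFlagsFor(exportPolicy) {
  let flags = 0;
  if (exportPolicy & (XCN_NCRYPT_ALLOW_EXPORT_FLAG | XCN_NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG)) {
    flags |= CRYPT_EXPORTABLE;
  }
  if (exportPolicy & (XCN_NCRYPT_ALLOW_ARCHIVING_FLAG | XCN_NCRYPT_ALLOW_PLAINTEXT_ARCHIVING_FLAG)) {
    flags |= CRYPT_ARCHIVABLE;
  }
  return flags;
}

// True when p_CreateRequest will be able to export the key for archival,
// i.e. at least one of CRYPT_EXPORTABLE / CRYPT_ARCHIVABLE will be set.
function canArchiveKey(exportPolicy) {
  return cryptGenKeyFlagsFor(exportPolicy) !== 0;
}

// Call before key.Create(). Archiving-only is the least-privilege choice:
// CertEnroll can encrypt the key for the CA, but the key is not otherwise
// exportable. Returns the resulting ExportPolicy value.
function configureKeyForArchival(key) {
  const current = key.ExportPolicy || 0;   // Vista RTM default: 0 (the failing case)
  if (!canArchiveKey(current)) {
    key.ExportPolicy = current | XCN_NCRYPT_ALLOW_ARCHIVING_FLAG;
  }
  return key.ExportPolicy;
}

// Only in IE/JScript is the real COM object available; elsewhere this is
// skipped so the helpers above can be exercised with a plain object.
if (typeof ActiveXObject !== "undefined") {
  const key = new ActiveXObject("X509Enrollment.CX509PrivateKey");
  configureKeyForArchival(key);
  key.Create();
}
```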

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)