KB0045 - The requested certificate could not be found
Problem
When specifying a certificate for PowerShell Universal in appsettings.json, an error may occur stating that the certificate could not be found.
    2023-09-06 07:52:06.376 -05:00 [FTL] Fatal error starting PowerShell Universal.
    System.InvalidOperationException: The requested certificate psu.local could not be found in LocalMachine/My with AllowInvalid setting: True.
       at Microsoft.AspNetCore.Server.Kestrel.Https.CertificateLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, Boolean allowInvalid)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadFromStoreCert(CertificateConfig certInfo)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
       at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
       at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Load()
       at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)
Root Cause
The root cause is that the Kestrel web server configuration is unable to find a usable certificate at the specified location.
Solution
Kestrel uses a C# class to locate certificates in the store. Below is a PowerShell implementation of the same logic that you can run to look up the certificate the way Kestrel does. If it returns nothing, Kestrel will not find a usable certificate either.

    $allowInvalid = $true
    $subject = 'localhost'   # the subject configured in appsettings.json

    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
    $store.Open('ReadOnly')
    $storeCertificates = $store.Certificates
    # The third argument of Find() is validOnly, which is the inverse of AllowInvalid.
    $foundCertificates = $storeCertificates.Find('FindBySubjectName', $subject, (-not $allowInvalid))

    function Test-IsCertificateAllowedForServerAuth
    {
        param($Cert)

        $ServerAuthenticationOid = "1.3.6.1.5.5.7.3.1"
        $hasEkuExtension = $false
        # Inspect only the certificate that was passed in.
        foreach ($extension in $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
        {
            $hasEkuExtension = $true
            foreach ($oid in $extension.EnhancedKeyUsages)
            {
                if ($oid.Value -eq $ServerAuthenticationOid)
                {
                    return $true
                }
            }
        }
        # A certificate without an EKU extension is not restricted, so it is allowed.
        -not $hasEkuExtension
    }

    # A usable certificate allows server authentication and has a private key.
    $foundCertificates | Where-Object { (Test-IsCertificateAllowedForServerAuth $_) -and $_.HasPrivateKey }
    $store.Close()

A common cause of certificate configuration issues is including the CN= prefix on the certificate subject.
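
When the lookup above returns nothing, it helps to see which filter dropped each certificate. The following is an added diagnostic, not part of the original article or of PowerShell Universal; Get-KestrelCertCandidate and its parameter names are hypothetical, and psu.local is the subject from the error message above.

```powershell
# Added example: Get-KestrelCertCandidate is a hypothetical helper name.
function Get-KestrelCertCandidate {
    param(
        [Parameter(Mandatory)] [string] $Subject,   # subject as written in appsettings.json
        [string] $StoreName = 'My',
        [string] $StoreLocation = 'LocalMachine',
        [bool] $AllowInvalid = $false
    )
    if ($Subject -match '^\s*CN\s*=') {
        Write-Warning "Subject '$Subject' includes the CN= prefix; configure the bare name instead."
    }
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
    $store.Open('ReadOnly')
    try {
        # Search twice: every name match, then only those that pass validation (validOnly = $true).
        $all = $store.Certificates.Find('FindBySubjectName', $Subject, $false)
        $validThumbprints = @($store.Certificates.Find('FindBySubjectName', $Subject, $true) |
            ForEach-Object { $_.Thumbprint })
        $rows = @(foreach ($cert in $all) {
            $ekuExtensions = @($cert.Extensions | Where-Object { $_ -is $ekuType })
            $ekuOids = @($ekuExtensions | ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value })
            $reasons = @()
            if (-not $AllowInvalid -and $validThumbprints -notcontains $cert.Thumbprint) {
                $reasons += 'fails validation while AllowInvalid is false'
            }
            # No EKU extension at all means the certificate is unrestricted.
            if ($ekuExtensions.Count -gt 0 -and $ekuOids -notcontains $serverAuthOid) {
                $reasons += 'EKU lacks Server Authentication'
            }
            if (-not $cert.HasPrivateKey) { $reasons += 'no private key' }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Usable     = ($reasons.Count -eq 0)
                Rejected   = ($reasons -join '; ')
            }
        })
        if ($rows.Count -eq 0) { Write-Warning "No certificate in $StoreLocation/$StoreName matches '$Subject'." }
        $rows | Sort-Object NotAfter -Descending
    }
    finally { $store.Close() }
}

Get-KestrelCertCandidate -Subject 'psu.local' -AllowInvalid $true | Format-Table -AutoSize
```

An empty result with no warning about the prefix means no certificate in that store carries the name at all, so check the store name and location in appsettings.json next.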