KB0045 - The requested certificate could not be found


Problem

When specifying a certificate for PowerShell Universal in appsettings.json, an error may occur stating that the certificate could not be found. 
    2023-09-06 07:52:06.376 -05:00 [FTL] Fatal error starting PowerShell Universal.
    System.InvalidOperationException: The requested certificate psu.local could not be found in LocalMachine/My with AllowInvalid setting: True.
       at Microsoft.AspNetCore.Server.Kestrel.Https.CertificateLoader.LoadFromStoreCert(String subject, String storeName, StoreLocation storeLocation, Boolean allowInvalid)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadFromStoreCert(CertificateConfig certInfo)
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
       at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
       at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Load()
       at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.BindAsync(CancellationToken cancellationToken)

Root Cause

The root cause is that the Kestrel web server configuration is unable to find a usable certificate at the specified location. 

Solution

Review the documentation for HTTPS configuration settings. Additional information for the Kestrel web server can be found here.
Kestrel uses a C# class to locate certificates. Below is a PowerShell implementation of the same class that you can use to try to locate the certificate the same way Kestrel does.
    # Mirrors the AllowInvalid setting from appsettings.json
    $allowInvalid = $true
    # Subject name only, without the CN= prefix
    $subject = 'localhost'
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
    $store.Open('ReadOnly')

    $storeCertificates = $store.Certificates
    # The third argument of Find is validOnly, which is the inverse of AllowInvalid
    $foundCertificates = $storeCertificates.Find('FindBySubjectName', $subject, (-not $allowInvalid))

    function Test-IsCertificateAllowedForServerAuth
    {
        param($Cert)
        $ServerAuthenticationOid = "1.3.6.1.5.5.7.3.1"
        # Becomes $true once an Enhanced Key Usage extension is seen on this certificate
        $result = $false
        foreach ($extension in $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
        {
            $result = $true
            foreach ($oid in $extension.EnhancedKeyUsages)
            {
                if ($oid.Value -eq $ServerAuthenticationOid)
                {
                    return $true
                }
            }
        }
        # A certificate without an EKU extension is not restricted, so it is allowed
        -not $result
    }

    # Keep only certificates usable for server authentication that have a private key
    $foundCertificates | Where-Object { (Test-IsCertificateAllowedForServerAuth $_) -and $_.HasPrivateKey }
    $store.Close()

A common cause of certificate configuration issues is including the CN= prefix on the certificate subject. 
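
To see why a particular certificate is skipped, the following added example (not part of the original article or of PowerShell Universal) reports each lookup criterion per certificate instead of only filtering. The function name Get-KestrelCertificateCandidate is hypothetical, psu.local is the subject from the error above, and Verify() is an assumed approximation of the validity check that AllowInvalid turns off.

```powershell
# Added diagnostic; Get-KestrelCertificateCandidate is a hypothetical helper name.
function Get-KestrelCertificateCandidate {
    param(
        [Parameter(Mandatory)] [string] $Subject,
        [string] $StoreName = 'My',
        [string] $StoreLocation = 'LocalMachine'
    )
    # Flag the common misconfiguration described above before searching.
    if ($Subject -match '^\s*CN\s*=') {
        Write-Warning "Subject '$Subject' includes the CN= prefix; use the bare name instead."
    }
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
    $store.Open('ReadOnly')
    try {
        # validOnly is $false here so that invalid certificates are listed and explained too.
        $candidates = $store.Certificates.Find('FindBySubjectName', $Subject, $false)
        foreach ($cert in $candidates) {
            $ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType })
            $serverAuth = @($ekus | ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $serverAuthOid })
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                # Approximation (assumption) of the check skipped when AllowInvalid is True.
                ChainValid    = $cert.Verify()
                # No EKU extension means the certificate is not restricted to specific usages.
                ServerAuthEku = ($ekus.Count -eq 0) -or ($serverAuth.Count -gt 0)
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Subject taken from the error message above.
Get-KestrelCertificateCandidate -Subject 'psu.local' | Format-Table -AutoSize
```

An empty result means no certificate in the store has a subject containing the configured name. A row where ServerAuthEku or HasPrivateKey is False is a certificate that the filter shown earlier would skip.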