Problem Description:

You have migrated your CA from SHA-1 to SHA-256, which includes moving the CA key from a legacy CSP to a KSP. Now the request file is not generated when you try to renew the CA certificate with the same (existing) key pair. If you choose a new key pair instead, the request file is generated without error.


Cause:

The KeySpec value recorded in the CA certificate's key provider information is 1 or 2, but the private key is held by a KSP.

While the CA certificate was SHA-1 signed, its private key could live in a legacy CSP; a CSP key has a KeySpec of 1 (AT_KEYEXCHANGE) or 2 (AT_SIGNATURE). Signing with SHA-256 requires the key to be held by a CNG key storage provider (KSP), and a KSP key must carry KeySpec = 0 (AT_NONE). If the old CSP KeySpec was carried over when the key was migrated, the certificate's key provider information is now inconsistent with its provider, and the renewal request that reuses the existing key fails.


Resolution:

1) In an elevated command prompt on the CA, run the following command:

certutil -v -store my > store.txt

Open store.txt, locate the CA certificate, and check the Key Container, Provider, Flags and KeySpec lines together with the certificate's SHA-1 hash:


    Key Container = MySubCA
    Unique container name: 59e8e666513a62478a6f0d477be4ded0_50203b9a-cff2-40b5-87c8-5077767e241e
    Provider = Microsoft Software Key Storage Provider
    ProviderType = 0
    Flags = 20 (32)
    KeySpec = 2 -- AT_SIGNATURE   <<<< The Provider is a KSP (Microsoft Software Key Storage Provider, ProviderType 0), so KeySpec must be 0. The value 2 (AT_SIGNATURE) is a CSP value and is the cause of the failure.

    70 78 53 87 b3 82 8a c2 d2 64 cd 17 df e0 33 08 e8 66 a2 67  <<<< SHA-1 hash of the certificate. Take a note of it, and of the Key Container and Flags values above: they are needed in steps 2 and 3.

2) Create a file named KeyProv.inf with the content below (plain ASCII, straight quotes; the [Properties] section header is required by certutil -repairstore):

    [Properties]
    2 = "{text}" ; Add Key Provider Information property
    _continue_="Container = MySubCA&"
    _continue_="Provider = Microsoft Software Key Storage Provider&"
    _continue_="ProviderType = 0&"
    _continue_="Flags = 0x20&"
    _continue_="KeySpec = 0"

Container must be exactly the Key Container value reported in step 1 (MySubCA in this example). A name that does not match your store does not fix anything; it points the certificate at a key container that does not exist. Provider and ProviderType are copied from step 1 as well. Flags = 0x20 is the hexadecimal form of the "20 (32)" shown in step 1 (CRYPT_MACHINE_KEYSET); keep whatever value your store reports. The only value that changes is KeySpec, which becomes 0.

3) In the same elevated prompt, from the directory that contains KeyProv.inf, run the following command, where the quoted value is the SHA-1 hash from step 1 with the spaces removed:

certutil -repairstore my "70785387b3828ac2d264cd17dfe03308e866a267" KeyProv.inf

4) Renew the CA certificate with the existing key pair again and verify that the request file is generated. Repeating step 1 should now show KeySpec = 0 for the CA certificate.
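The following PowerShell script is an added example, not part of the original article, that automates steps 1 to 3 above and refuses to act when the situation does not match the cause described (key not in a KSP, or KeySpec already 0). It assumes it is run from an elevated prompt on the CA itself, that the Thumbprint parameter is the SHA-1 hash from step 1 with the spaces removed, and that the INF path and script name are arbitrary; the Container and Flags values are copied from certutil's own output rather than typed by hand, so the mismatch warned about in step 2 cannot happen.

```powershell
<#
Added example (not from the original article): automates steps 1 to 3.
Assumptions: run elevated on the CA; -Thumbprint is the SHA-1 hash from step 1
without spaces; the INF path is arbitrary. Back up the CA (certutil -backup)
before rewriting certificate properties.
Usage: .\Repair-CaKeySpec.ps1 -Thumbprint 70785387b3828ac2d264cd17dfe03308e866a267 -Apply
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9a-fA-F]{40}$')]
    [string]$Thumbprint,
    [string]$InfPath = (Join-Path $env:TEMP 'KeyProv.inf'),
    [switch]$Apply     # without -Apply the script only reports and writes the INF
)

# Step 1: read the Key Provider Information block that certutil -v prints for
# this certificate (Key Container, Provider, ProviderType, Flags, KeySpec).
function Get-KeyProvInfo {
    param([string]$CertId)
    $out = (& certutil -v -store my $CertId 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "certutil -store failed:`n$out" }
    $start = $out.IndexOf('Key Container')
    if ($start -lt 0) { throw "No private key information for $CertId (is the key on this machine?)" }
    $block = $out.Substring($start)

    $grab = {
        param([string]$Pattern)
        if ($block -match $Pattern) { $Matches[1].Trim() } else { throw "Could not parse '$Pattern'" }
    }
    [pscustomobject]@{
        Container    = & $grab '(?m)^\s*Key Container\s*=\s*(.+)$'
        Provider     = & $grab '(?m)^\s*Provider\s*=\s*(.+)$'
        ProviderType = [int](& $grab '(?m)^\s*ProviderType\s*=\s*(\d+)')
        # certutil prints Flags as hex followed by the decimal in parentheses, e.g. "20 (32)"
        Flags        = [Convert]::ToInt32((& $grab '(?m)^\s*Flags\s*=\s*([0-9a-fA-F]+)'), 16)
        KeySpec      = [int](& $grab '(?m)^\s*KeySpec\s*=\s*(\d+)')
    }
}

# Step 2: write KeyProv.inf from the values read in step 1; only KeySpec changes, to 0.
function New-KeyProvInf {
    param($Info, [string]$Path)
    $lines = @(
        '[Properties]'
        '2 = "{text}" ; Add Key Provider Information property'
        "_continue_=`"Container = $($Info.Container)&`""
        "_continue_=`"Provider = $($Info.Provider)&`""
        "_continue_=`"ProviderType = $($Info.ProviderType)&`""
        ('_continue_="Flags = 0x{0:x}&"' -f $Info.Flags)
        '_continue_="KeySpec = 0"'
    )
    Set-Content -Path $Path -Value $lines -Encoding Ascii
    return $Path
}

$info = Get-KeyProvInfo -CertId $Thumbprint
$info | Format-List | Out-Host

if ($info.ProviderType -ne 0) {
    Write-Warning "Key is held by a CSP (ProviderType $($info.ProviderType)); KeySpec $($info.KeySpec) is legitimate there. Nothing to do."
    return
}
if ($info.KeySpec -eq 0) {
    Write-Host 'KSP key already has KeySpec = 0; the renewal failure has another cause.'
    return
}

$inf = New-KeyProvInf -Info $info -Path $InfPath
Write-Host "Wrote $inf (Container '$($info.Container)' and Flags 0x$('{0:x}' -f $info.Flags) copied from the store)."

# Step 3: rewrite the property, then re-read the store to confirm KeySpec is now 0.
if (-not $Apply) {
    Write-Host "Dry run. Re-run with -Apply to execute: certutil -repairstore my $Thumbprint `"$inf`""
    return
}
& certutil -repairstore my $Thumbprint $inf
if ($LASTEXITCODE -ne 0) { throw 'certutil -repairstore failed' }
$after = Get-KeyProvInfo -CertId $Thumbprint
if ($after.KeySpec -ne 0) { throw "KeySpec is still $($after.KeySpec) after repair" }
Write-Host 'KeySpec is now 0; retry the CA certificate renewal with the existing key (step 4).'
```

Run it once without -Apply to inspect the parsed values and the generated INF, then with -Apply to perform the repair. The CSP check matters: a KeySpec of 1 or 2 is correct for a CSP-held key, and rewriting it to 0 there would create the inconsistency this article fixes rather than remove it.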
