Certs from Certificate Store - encore

Product: PowerShell Universal
Version: 3.8.12

Has anyone had luck using certificates from the certificate store?

I’m not sure what my issue is, but I’m only able to use certs that are exported; using thumbprints/name etc. just doesn’t work.

I run PSU using a gMSA. I can find the cert and its thumbprint if I execute Get-ChildItem Cert:\LocalMachine\My inside PSU, but none of the examples in the docs work for me, aside from exporting the cert.

For example, using the common name:

```json
"SubjectName": {
    "Name": "CN=PSUCERT"
}
```

In appsettings.json:

```json
"HTTPS": {
    "Url": "https://*",
    "Certificate": {
        "Subject": "PSUCERT",
        "Store": "My",
        "Location": "LocalMachine",
        "AllowInvalid": "true"
    }
}
```

Yields this in the System event log:

A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
The SSPI client process is Universal.Server (PID: 2308).

As is tradition: the same minute I post an issue, I find the solution.

If the account you run PSU under is not an Administrator, you need to delegate the rights to read the certificate’s private key.

My end goal is to automate requesting certificates; any further tips are appreciated :slight_smile:
I wonder if this step is necessary if the cert is requested by the gMSA instead.

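The fix described above (granting a non-admin service account read access to the certificate's private key) can be scripted so the permission is applied consistently rather than through the certificate console. This is an added example, not code from the original post or from PowerShell Universal; the gMSA name is a placeholder, the subject comes from the post, and only RSA keys are handled.

```powershell
# Added example (not from the original post): grant a service account Read access
# to the private key of a certificate in the machine store, so a process that is
# not an Administrator (such as PSU running under a gMSA) can use it for TLS.
# Assumptions: $Account is a placeholder gMSA (note the trailing $); the cert
# subject matches the post (CN=PSUCERT) and lives in Cert:\LocalMachine\My.
param(
    [string]$Subject = 'CN=PSUCERT',
    [string]$Account = 'DOMAIN\PSU-gMSA$'   # placeholder, replace with your gMSA
)

# Pick the newest certificate with a private key that matches the subject exactly.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for subject '$Subject'" }

# Resolve the on-disk key container name. CNG keys expose Key.UniqueName;
# legacy CAPI (CSP) keys expose CspKeyContainerInfo.UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Only RSA private keys are handled by this example" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unsupported RSA implementation: $($rsa.GetType().FullName)"
}

# Machine keys live under ProgramData\Microsoft\Crypto (Keys for CNG,
# RSA\MachineKeys for CAPI); search both rather than guessing the provider.
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File `
    -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

# Grant Read only: that is all TLS needs, so avoid FullControl on the key file.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Print the resulting ACL so the new entry can be verified before restarting the service.
(Get-Acl -Path $keyFile.FullName).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it from an elevated PowerShell session on the PSU host; after the service restarts, the 0x8009030D event should no longer appear if the key permission was the only problem.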