Tags: powershell, encryption, self-signed

New-SelfSignedCertificateEx fails with NTE_NOT_SUPPORTED


I am trying to use PowerShell to create a self-signed certificate for encrypting and decrypting data in a development environment. I am using the excellent New-SelfSignedCertificateEx PowerShell script. My OS is Windows 10 and I have the Windows Management Framework 5.0 installed. Here is the script:

New-SelfSignedCertificateEx `
    -Subject "CN=Test, OU=Development" `
    -NotAfter ([DateTime]::Parse('2099-12-31 11:59:59.9999999')) `
    -ProviderName "Microsoft Software Key Storage Provider" `
    -AlgorithmName ECDH_P256 `
    -KeyLength 4096 `
    -KeySpec Exchange `
    -KeyUsage DataEncipherment `
    -IsCA $false `
    -SignatureAlgorithm SHA256 `
    -FriendlyName Test `
    -StoreLocation LocalMachine `
    -StoreName My `
    -Exportable

Issue #1

Executing the script returns the following error:

New-SelfSignedCertificateEx : CertEnroll::CX509PrivateKey::Create: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
At C:\create-self-signed-certificate.ps1:7 char:1
+ New-SelfSignedCertificateEx `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [New-SelfSignedCertificateEx], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,New-SelfSignedCertificateEx

I researched the error but couldn't find anything directly related to my problem. I opted to use the Key Storage Provider in lieu of the legacy CSP.

Issue #2

What values should I use for the KeySpec, KeyUsage, and EnhancedKeyUsage parameters? The purpose of this certificate is only for encrypting and decrypting arbitrary strings (no TLS, no code signing, etc.)


Solution

  • As you seem to have already discovered, the problem is that you specified a value of 4096 for KeySize while specifying NIST-P256. With RSA and DSA the KeySize is mostly arbitrary, but with Elliptic Curve algorithms the KeySize is forced by the curve's Order (1 <= d <= n, where d is the private key and n is the Order).

    So you don't really get to pick KeySize, it falls out of choosing the curve.
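To make the answer's point concrete, here is an added PowerShell example (not from the question, the answer, or the New-SelfSignedCertificateEx script): it uses .NET's CNG wrapper to show that an elliptic-curve key's size is fixed by the curve, and then repeats the question's call with -KeyLength 256, which is assumed to be the fix the answer implies.

```powershell
# Added example, not part of the question or of the New-SelfSignedCertificateEx script.
# Part 1 shows that a CNG elliptic-curve key's size is dictated by the curve;
# part 2 repeats the question's call with -KeyLength matching P-256 (assumed fix).

function Get-EcKeySizeInfo {
    # Ask CNG for a P-256 ECDSA key; the size comes from the curve, not from the caller.
    $ec = New-Object System.Security.Cryptography.ECDsaCng -ArgumentList 256
    try {
        [pscustomobject]@{
            KeySize       = $ec.KeySize                      # 256
            LegalKeySizes = ($ec.LegalKeySizes |
                ForEach-Object { "$($_.MinSize)-$($_.MaxSize)" }) -join ', '
        }
    } finally { $ec.Dispose() }
}

Get-EcKeySizeInfo | Format-List

# Requesting 4096 bits on an EC key is rejected by .NET's size validation as well,
# because 4096 is not one of the curve-defined legal sizes.
try {
    $ec = New-Object System.Security.Cryptography.ECDsaCng -ArgumentList 256
    $ec.KeySize = 4096
} catch {
    "KeySize 4096 refused for an EC key: $($_.Exception.GetBaseException().Message)"
} finally { if ($ec) { $ec.Dispose() } }

# Part 2: the question's call with the one change the answer implies, KeyLength = 256.
# (Assumed to succeed; every other parameter is left exactly as in the question.)
New-SelfSignedCertificateEx `
    -Subject "CN=Test, OU=Development" `
    -NotAfter ([DateTime]::Parse('2099-12-31 11:59:59.9999999')) `
    -ProviderName "Microsoft Software Key Storage Provider" `
    -AlgorithmName ECDH_P256 `
    -KeyLength 256 `
    -KeySpec Exchange `
    -KeyUsage DataEncipherment `
    -IsCA $false `
    -SignatureAlgorithm SHA256 `
    -FriendlyName Test `
    -StoreLocation LocalMachine `
    -StoreName My `
    -Exportable
```

Part 1 runs on any Windows PowerShell 5 host; part 2 additionally needs the New-SelfSignedCertificateEx script loaded and an elevated session, since it writes to the LocalMachine store.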