I'm trying to automate the process of generating a certificate signing request and then importing the response from the CA on a Windows Server 2012 R2 server to use as a cert for an SSL binding in IIS. I'm able to generate the CSR, which I then provide to the security team, which then provides me with a response to import, but I am having trouble getting it to import.
This server is in a workgroup. Thought I'd mention that so no AD enrollment policy.
Here's my process:
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "C=US,S=California,L=City,O=Company,OU=IT,CN=hostname"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
Silent = True
SMIME = False
RequestType = PKCS10
This INF file then gets turned into the CSR .req file by doing this:
certreq.exe -new "C:\inffile.inf" "C:\certreq.req"
The REQ file gets sent to the security team and they give me back a .CER file, which, when imported manually, actually adds three certificates from DigiCert: the certificate I expect and what look to be some intermediate CAs.
Here's what that looks like when imported via the MMC Certificates snap-in.
If I import the certificate via the MMC like this, it doesn't show up in the IIS manager under Server Certificates, so I looked a little deeper. I tried to complete the certificate signing request via the IIS manager like this, and the cert shows up and I'm happy.
However, I can't use the GUI since I'm using a script.
I confirm that the request is in Certificate Enrollment Requests with the private key.
I confirm that the public key of the CSR and the p7b I got back are the same.
certutil -dump issuedcert.cer
certutil -dump certreq.req
PROBLEM: I exported the CSR from Certificate Enrollment Requests and looked at the public key. It was NOT the same as the one in issuedcert.cer. It looks like this is the problem but why?
I then try to use certreq.exe to accept the response and it doesn't work.
certreq.exe -accept -machine "C:\issuedcert.cer"
Almost done, but no. I continually receive this error message:
This error indicates that certreq was unable to find a related request object in the Certificate Enrollment Requests node in the certificate store.
In addition, I would suggest checking whether the public key in the certificate request matches the one in the issued certificate. You can use
certutil -dump file.req
to dump the request file (the public key will be in there) and
certutil -dump cert.cer
to dump the issued certificate, and then compare the public keys. Do the same for each object in the Certificate Enrollment Requests node in the certificate store (focused on the Local Machine context) to find the request object with a matching public key.
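The following PowerShell script is an added example, not code from the question or the answer above. It automates the round-trip described in the question (write the INF with proper line breaks, certreq -new, certreq -accept) and inserts the check the answer recommends: before calling certreq -accept, it extracts the public key from the .req file, from the end-entity certificate in the CA response, and from every object in the Local Machine Certificate Enrollment Requests store, and only accepts when a pending request with the same key exists. The file paths and the host name are placeholders. It assumes the CA response is a single certificate or a PKCS#7 bundle (leaf plus intermediates), and it assumes that CertEnroll's IX509PublicKey.EncodedKey and .NET's PublicKey.EncodedKeyValue.RawData both return the bare DER-encoded RSAPublicKey value, so that the two base64 strings can be compared directly.

```powershell
# Added example (not from the original question or answer): automate the
# certreq round-trip and, before certreq -accept, verify that the public key
# in the issued certificate matches a pending request in the Local Machine
# "Certificate Enrollment Requests" store. Paths and host name are placeholders.

$InfPath  = 'C:\inffile.inf'
$ReqPath  = 'C:\certreq.req'
$CerPath  = 'C:\issuedcert.cer'   # single cert or PKCS#7 bundle from the CA
$HostName = 'hostname'            # CN for the request (placeholder)

# 1. Write the INF with real line breaks (a one-line INF is not parsed correctly).
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "C=US,S=California,L=City,O=Company,OU=IT,CN=$HostName"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
Silent = True
SMIME = False
RequestType = PKCS10
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 2. Generate the CSR; the private key is created under Cert:\LocalMachine\REQUEST.
& certreq.exe -new $InfPath $ReqPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# --- hand $ReqPath to the CA, save the response as $CerPath, then continue ---

# Strip whitespace so base64 from different sources compares cleanly.
function Normalize-Key([string]$Base64) { return ($Base64 -replace '\s', '') }

# Public key of a PKCS#10 request file, via the CertEnroll COM API.
function Get-RequestPublicKey([string]$Path) {
    $pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    # 6 = XCN_CRYPT_STRING_BASE64_ANY: accepts the file with or without PEM headers
    $pkcs10.InitializeDecode((Get-Content -Path $Path -Raw), 6)
    # 1 = XCN_CRYPT_STRING_BASE64; assumed to yield the DER RSAPublicKey value
    return Normalize-Key $pkcs10.PublicKey.EncodedKey(1)
}

# Public key of an X509Certificate2 (DER RSAPublicKey value, base64).
function Get-CertPublicKey($Cert) {
    return Normalize-Key ([Convert]::ToBase64String($Cert.PublicKey.EncodedKeyValue.RawData))
}

# 3. Load the CA response and pick the end-entity cert (the one without CA=TRUE).
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($CerPath)
$leaf = $bundle | Where-Object {
    $bc = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }  # basicConstraints
    -not ($bc -and $bc.CertificateAuthority)
} | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $CerPath" }

$reqKey  = Get-RequestPublicKey $ReqPath
$certKey = Get-CertPublicKey $leaf
Write-Host "Leaf subject          : $($leaf.Subject)"
Write-Host "CSR file / cert match : $($reqKey -eq $certKey)"

# 4. Find the pending request object whose key matches the issued certificate.
$pending = Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { (Get-CertPublicKey $_) -eq $certKey }

if (-not $pending) {
    Write-Warning "No object in Cert:\LocalMachine\REQUEST carries this public key."
    Write-Warning "certreq -accept cannot pair the cert with a private key (CSR regenerated, or CA signed another key)."
    Get-ChildItem Cert:\LocalMachine\REQUEST | ForEach-Object {
        Write-Host ("  pending request: {0}  thumbprint {1}" -f $_.Subject, $_.Thumbprint)
    }
    return
}

# 5. Accept the response: binds the cert to the stored private key and moves it
#    to Cert:\LocalMachine\My, which is where IIS Manager's Server Certificates reads.
& certreq.exe -accept -machine $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }
Write-Host "Installed in LocalMachine\My with private key: $($installed.HasPrivateKey)"
```

Run it in an elevated PowerShell session on the server, pausing after step 2 until the CA response is in place. When the script reports no matching pending request, the situation is exactly the one in the question: the key in the enrollment-requests store is not the key the CA signed, so certreq -accept has nothing to pair the certificate with and a fresh CSR has to be generated and resubmitted.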