 

signtool fails to find certificate on Windows 10, due to private key filter

I am the developer of UniversalADBDriver, a tool that creates a self-signed Android USB driver on the user's computer.

Source code of installer and setup package: https://github.com/koush/UniversalAdbDriver

The tool generates a keypair and adds a certificate to the user's key store, then signs the driver files. This worked fine until Windows 10, where it inexplicably stopped working. I ran the command line manually:

    The following certificates were considered:
        Issued to: UniversalADB
        Issued by: UniversalADB
        Expires:   Fri Aug 25 17:00:00 2017
        SHA1 hash: C8701DF4CDC7DD75813400AD2B3B4C2EFDA4E662

    After EKU filter, 1 certs were left.
    After expiry filter, 1 certs were left.
    After Private Key filter, 0 certs were left.
    SignTool Error: No certificates were found that met all the given criteria.

On Windows 10, the certificate is being filtered out by the "Private Key filter". No idea what that is, no documentation anywhere on it.

UPDATE

I've discovered that neither makecert.exe nor X509Store.add can write certificates/keys to the Current User store when invoked through the installer on Windows 10. However, the certificates in the Local Machine store are placed correctly. I'm not sure why that is. So basically, the private key is not being placed in the store properly, so the signature fails. Running the same steps manually on the command line works. I still need to figure out why the private key is not being persisted in the store, however.

koush asked Aug 26 '15 17:08



1 Answer

I was using BouncyCastle to generate a certificate programmatically. For some reason, this certificate does not seem to work anymore on Windows 10. I switched to packaging makecert.exe for the certificate generation, and that seemed to fix it.

koush answered Oct 10 '22 19:10
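
One way to see which store holds a usable signing certificate is to replay the three filters from the signtool output (EKU, expiry, private key) against both the Current User and Local Machine stores. This is an added example, not code from the post or from UniversalAdbDriver; the subject string `CN=UniversalADB` is inferred from the "Issued to" line, the function name is hypothetical, and treating a certificate with no EKU extension as passing the EKU filter is an assumption.

```powershell
# Added example: replays signtool's EKU, expiry and private-key filters
# for the certificate named in the question, in both "My" stores.
$subject     = 'CN=UniversalADB'        # assumption: inferred from "Issued to"
$codeSignOid = '1.3.6.1.5.5.7.3.3'      # id-kp-codeSigning

# Hypothetical helper: evaluates one certificate against the three filters.
function Test-SigningCandidate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store
    )

    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # Assumption: no EKU extension means the certificate is valid for all purposes.
    $ekuOk = (-not $eku) -or
             ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSignOid })

    $now = Get-Date
    [pscustomobject]@{
        Store         = $Store
        Thumbprint    = $Cert.Thumbprint
        PassesEku     = [bool]$ekuOk
        PassesExpiry  = ($now -ge $Cert.NotBefore) -and ($now -lt $Cert.NotAfter)
        # False here means the store entry has no associated private key,
        # which is the case the "Private Key filter" rejects.
        HasPrivateKey = $Cert.HasPrivateKey
    }
}

$results = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $subject } |
        ForEach-Object { Test-SigningCandidate -Cert $_ -Store $store }
}

if (-not $results) {
    Write-Output "No certificate with subject '$subject' in either store."
} else {
    $results | Format-Table -AutoSize
}
```

A row where `HasPrivateKey` is `False` corresponds to the certificate dropped by the Private Key filter. signtool searches the user store unless `/sm` is given, so a certificate that only passes in `LocalMachine\My` will not be found by a default invocation.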