Uploading Certificate to Windows Azure Management Portal using CSUPLOAD Error - "Key not valid for use in specified state"

Recently I was working with someone on Windows Azure SDK 1.5 and a VM Role deployment. While trying to upload a certificate to the Windows Azure Management Portal, the following error occurred:

 C:\Program Files\Windows Azure SDK\v1.5\bin>csupload add-servicecertificate -Connection "SubscriptionID=<Subscription_ID>;CertificateThumbprint=<MGMT_CERT_THUMBPRINT>" -HostedServiceName "testcodewp" -Thumbprint "b28daea93e520d85391987c6a6efb52be9278195"
 Windows(R) Azure(TM) Upload Tool version 1.5.0.0
 for Microsoft(R) .NET Framework 3.5
 Copyright (c) Microsoft Corporation. All rights reserved.
 
 arg[0]="add-servicecertificate"
 arg[1]="-Connection"
 arg[2]="******************"
 arg[3]="-HostedServiceName"
 arg[4]="testcodewp"
 arg[5]="-Thumbprint"
 arg[6]="b28daea93e520d85391987c6a6efb52be9278195"
 Uploading service certificate to 'testcodewp'.
 Error trying to access certficate. The most likely cause is the private
 key is not exportable. Please reimport the certficate with the
 private key marked exportable or use the -PublicKeyOnly option if you
 do not wish to upload the private key.
 Detail: Key not valid for use in specified state.
 
 System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
 
 at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
 at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
 at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
 at Microsoft.WindowsAzure.ServiceManagementClient.CloudManagmentClient.<>c__DisplayClass49.<AddCertificate>b__48(IServiceManagement channel, String subId)
 at Microsoft.WindowsAzure.ServiceManagementClient.CloudManagmentClient.<>c__DisplayClass4f.<DoAsyncOperation>b__4e(IServiceManagement x, String y)
 at Microsoft.WindowsAzure.ServiceManagementClient.CloudManagmentClient.DoOperation[T](Func`3 f, String& trackingId)
 at Microsoft.WindowsAzure.ServiceManagementClient.CloudManagmentClient.DoAsyncOperation(Action`2 act)
 at Microsoft.WindowsAzure.Tools.CsUpload.ProgramCommands.<>c__DisplayClass2a.<AddServiceCertificateAction>b__25(CloudManagmentClient client)
 at Microsoft.WindowsAzure.Tools.CsUpload.ProgramCommands.TryClientAction(CloudManagmentAccount account, Action`1 act)
 at Microsoft.WindowsAzure.Tools.CsUpload.ProgramCommands.AddServiceCertificateAction(IList`1 args, IDictionary`2 switches)
 

Based on the error message it was clear that the certificate I had does not support private key export. So just to test, I used the -PublicKeyOnly option as below and it worked:

 C:\Program Files\Windows Azure SDK\v1.5\bin>csupload add-servicecertificate -Connection "SubscriptionID=<SUBSCRIPTION_ID>;CertificateThumbprint=<MGMT_CERT_THUMBPRINT>" -HostedServiceName "testcodewp" -Thumbprint "b28daea93e520d85391987c6a6efb52be9278195" -PublicKeyOnly
 Windows(R) Azure(TM) Upload Tool version 1.5.0.0
 for Microsoft(R) .NET Framework 3.5
 Copyright (c) Microsoft Corporation. All rights reserved.
 
 arg[0]="add-servicecertificate"
 arg[1]="-Connection"
 arg[2]="*********************"
 arg[3]="-HostedServiceName"
 arg[4]="testcodewp"
 arg[5]="-Thumbprint"
 arg[6]="b28daea93e520d85391987c6a6efb52be9278195"
 arg[7]="-PublicKeyOnly"
 Uploading service certificate to 'testcodewp'.
 Service certificate upload complete.
 FriendlyName :
 Thumbprint : B28DAEA93E520D85391987C6A6EFB52BE9278195
 Subject : CN=Avkash Windows Azure Account
 IssuedBy : CN=Avkash Windows Azure Account
 ValidFrom : 12/31/2010 11:00:00 PM
 ValidTo : 12/31/2014 11:00:00 PM
 HasPrivateKey : False
 

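Note that with -PublicKeyOnly the output reports HasPrivateKey : False: only the public part of the certificate is uploaded to the hosted service.

When you use the Windows Azure tools (the publish wizard) to create a certificate, the private key is exportable in all of the certificates. So this error can only happen in one of these cases:

- You created your own certificate and missed the option that makes the private key exportable

- You received a certificate that does not have an exportable private key

If you created your own certificate using makecert, add the -pe option, which marks the generated private key as exportable.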

Learn more @ https://blogs.msdn.com/b/avkashchauhan/archive/2011/09/21/how-to-generate-2048-bit-certificate-with-makecert-exe.aspx
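
The stack trace above shows csupload failing inside X509Certificate.ExportHelper, so the same PFX export can be attempted locally before uploading. This is an added example, not code from the original post or the Azure SDK: the function name Test-CertPrivateKeyExportable is hypothetical, and it assumes the certificate sits in the CurrentUser or LocalMachine personal store.

```powershell
# Added example: pre-check whether a certificate's private key can be exported,
# using the same X509Certificate.Export call that appears in the csupload stack trace.
function Test-CertPrivateKeyExportable {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        # Assumption: which store csupload reads is not stated on this page.
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    foreach ($path in $StorePath) {
        $cert = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            Select-Object -First 1
        if (-not $cert) { continue }

        $result = New-Object PSObject -Property @{
            Store         = $path
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $false
            Detail        = ''
        }
        if (-not $cert.HasPrivateKey) {
            $result.Detail = 'No private key in this store; only -PublicKeyOnly can succeed.'
            return $result
        }
        try {
            # Throwaway password; the PFX bytes stay in memory and are wiped right away.
            $bytes = $cert.Export($pfx, [Guid]::NewGuid().ToString())
            [Array]::Clear($bytes, 0, $bytes.Length)
            $result.Exportable = $true
        } catch [System.Security.Cryptography.CryptographicException] {
            # A non-exportable key fails here, e.g. "Key not valid for use in specified state."
            $result.Detail = $_.Exception.GetBaseException().Message
        }
        return $result
    }
    Write-Warning "No certificate with thumbprint $Thumbprint found in: $($StorePath -join ', ')"
}

# Thumbprint taken from the csupload command shown on this page.
Test-CertPrivateKeyExportable -Thumbprint 'b28daea93e520d85391987c6a6efb52be9278195'
```

If Exportable comes back False while HasPrivateKey is True, the certificate has to be reimported (or regenerated) with the private key marked exportable before csupload can upload it without -PublicKeyOnly.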