Hi,
This is a bit of a long story but I hope someone can give us some guidance.
We use authentication certificates issued from our own Enterprise CA to control user and machine authentication via RADIUS/NPS for our wireless network. Certificates are deployed via group policy/autoenrollment. In general this works well but we have an intermittent problem where user authentication stops working for a user who was fine before. The user certificate looks OK via Certmgr (shows as valid, shows that there is a private key associated with the certificate). The NPS server logs show that the machine has been authenticated and granted access, but the user in this situation doesn't show up in the server logs at all.
The only solution in this case is to connect to the wired network and request a new certificate for the user (either via certmgr or just by deleting the duff cert and logging off/on again to get the cert via autoenrollment).
The interesting thing is that while a "working" certificate can be exported with no problem, a duff certificate cannot be exported with its private key, giving the error "key not valid for use in specified state". (Obviously the certificates come from the same template, and the key is not marked unexportable). The key files are present in %userprofile%\Appdata\Roaming\Microsoft\Crypto\RSA and the user permissions on these files look correct.
After much searching of the forums I tried running certutil -repairstore on the duff certificate and that also returned the same error. I also tried an undocumented switch, Certutil -user -key -v, and again got a very similar error: "Loadkeys returned key not valid for use in specified state. 0x8009000b (-2146893813)".
I'm assuming that the fact that the key is unexportable/corrupt is also the reason why the certificate can no longer be used for authentication.
Does anyone have any clues as to what might be causing this, and/or if a certificate with a key in this state can be repaired?
Thanks!
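An added example, not part of the original post and not from the poster: a PowerShell script that does in bulk what the post does by hand with certmgr and certutil. It walks the current user's personal store, tries to open and actually use each RSA private key, and reports the ones that fail with the same HRESULT the post quotes (0x8009000B, NTE_BAD_KEY_STATE), so a "duff" certificate can be found from a logon script or a helpdesk session before the user hits the wireless network. Assumptions: the template name 'WirelessUser' is a placeholder for whatever the real enrollment template is called, the script runs in the affected user's own session (the keys live under the user profile, as the post notes), and Windows PowerShell 5.1 / .NET 4.6 or later is available for the GetRSAPrivateKey extension method.

```powershell
# Added example (not the original poster's code). Finds user certificates whose
# private key exists but cannot be opened or used, i.e. the NTE_BAD_KEY_STATE
# condition described in the post, and prints the backing key container name.

param(
    # Assumption: name of the autoenrollment template used for 802.1X user auth.
    [string]$TemplateName = 'WirelessUser'
)

# PowerShell parses this hex literal as a signed Int32 (-2146893813),
# which is the same value the post quotes, so it compares directly to HResult.
$NTE_BAD_KEY_STATE = 0x8009000B

# Certificate Template Name (v1) and Certificate Template Information (v2) OIDs.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-KeyContainerName {
    param([System.Security.Cryptography.RSA]$Rsa)
    # The unique container name is the file name under
    # %APPDATA%\Microsoft\Crypto\RSA\<SID>\ (CAPI) or ...\Keys (CNG).
    if ($Rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $Rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    if ($Rsa -is [System.Security.Cryptography.RSACng]) {
        return $Rsa.Key.UniqueName
    }
    return $null
}

$results = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    if (-not $cert.HasPrivateKey) { continue }

    # Keep only certificates issued from the wireless template.
    $tmplText = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }
    if ($TemplateName -and ($tmplText -notmatch [regex]::Escape($TemplateName))) { continue }

    $status    = 'OK'
    $container = $null
    try {
        # This is the step that certutil -repairstore and the export wizard
        # perform first; a key in a bad state throws here.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) {
            $status = 'no RSA private key handle'
        }
        else {
            $container = Get-KeyContainerName -Rsa $rsa
            # Prove the key really works by signing and verifying a test blob;
            # a key that loads but cannot sign would fail EAP-TLS just the same.
            $data = [byte[]](1, 2, 3, 4)
            $sig  = $rsa.SignData($data,
                        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            if (-not $rsa.VerifyData($data, $sig,
                        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)) {
                $status = 'signature did not verify'
            }
        }
    }
    catch {
        # PowerShell wraps the CryptographicException; look at the inner one.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex.HResult -eq $NTE_BAD_KEY_STATE) {
            $status = 'BROKEN: key not valid for use in specified state (0x8009000B)'
        }
        else {
            $status = ('FAILED: 0x{0:X8} {1}' -f $ex.HResult, $ex.Message)
        }
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        KeyContainer = $container
        Status       = $status
    }
}

$results | Format-Table -AutoSize
```

Usage: run it as the affected user (for example `powershell -File Check-UserCerts.ps1 -TemplateName 'Your Template Name'`). A line whose Status starts with BROKEN is a certificate that looks valid in certmgr but whose key will fail exactly as the post describes; its KeyContainer column is the file name to look for under the user's Crypto\RSA folder when comparing a working profile against a broken one.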