SSL Certificate add failed when binding to port

Posted 2020-01-29 04:26

I created a WebService using WCF. I'm doing self hosting and I want to enable HTTPS. From my understanding for this to happen, I need to create a certificate and bind to the port that I want to use.

Here are the steps that I've done to handle this:

  1. Created a Certificate on my local machine to act as the Root Certificate Authority
    • makecert -n "CN=My Root Certificate Authority" -r -sv RootCATest.pvk RootCATest.cer
  2. Opened MMC.exe and imported the saved .cer file into the "Trusted Root Certificate\Certificates\" folder
  3. Created a temporary service certificate from the signed Root Certificate Authority

    • makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=MyMachineName" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe MyMachineName.cer
  4. Tried to Bind the Certificate to the Port number (443 in this case)

    • netsh http add sslcert ipport=0.0.0.0:443 certhash=2c5ba85bcbca412a74fece02878a44b285c63981 appid={646937c0-1042-4e81-a3b6-47d678d68ba9}

The result from step 4 is the following error:

SSL Certificate add failed, Error 1312

A specified logon session does not exist. It may already have been terminated.

Does anyone have a clue why I might be getting this error?

Tags: ssl https
22 answers
Luminary・发光体
#2 · 2020-01-29 04:41

So to add (yet) another fix/situation.

I had C# code that used BouncyCastle to create self-signed certificates.

<packages>
  <package id="BouncyCastle" version="1.8.1" targetFramework="net45" />
</packages>

So my code created the certificates AND placed them in the correct locations in the Cert-Store.

Using the hints here, my install of On Premise Service Bus 1.1 was failing...and that led me here.

I ended up DELETING both certificates my BouncyCastle code had created (from the cert store) and reimporting them (with private keys)....and it all worked. I imported FIRST to the

Certificates (Local Computer) / Personal / Certificates

then I copied pasted (in the mmc) to any other places (stores) I needed them.

My "before" and "after" looked exactly the same from my eyes in MMC, BUT it fixed the issue. Go figure.

神经病院院长
#3 · 2020-01-29 04:42

In my case the problem was that the CER file didn't have a private key attached.

I've attached the PK using these OpenSSL commands:

openssl x509 -in server.der -inform DER -out server.pem -outform PEM
openssl pkcs12 -export -in server.pem -inkey serverkey.pem -out server.p12

Works for CER/DER files.

祖国的老花朵
#4 · 2020-01-29 04:43

The problem was in step 4. I was using the Thumbprint from the Root Certificate for the value in certhash. To solve this I had to go back to the MMC and refresh the Certificates(Local Computer) -->Personal -->Certificate folder. Then use the Thumbprint from the certificate that is "Issued By" the Root Certificate Authority.

该账号已被封号
#5 · 2020-01-29 04:44

I had the same error. The first time it occurred, as Micheal said, I had to move the certificate under Certificates(Local Computer) -->Personal -->Certificate folder. I had the same error when I imported the same certificate on another machine. The reason was that I was using certmgr.msc to import the certificate. The window opened thus shows “Certificates – Current User”. Certificates imported using this window cause netsh to fail with the 1312 error. Make sure to use the certificate snap-in in MMC to import certificates. The certificate snap-in from MMC shows “Certificates (Local Computer)”. This lets the netsh execution sail through.

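
The checks described in the answers above (certificate in the Local Computer store rather than Current User, private key attached, thumbprint of the issued certificate rather than the root) can be run as a pre-flight step before the netsh binding. This is an added example, not code from the thread; the function name `Test-SslBindingCert` and its parameters are hypothetical, and the thumbprint and appid are the ones from the question.

```powershell
# Added example: pre-flight checks before `netsh http add sslcert`.
# Test-SslBindingCert and its parameters are hypothetical names.
function Test-SslBindingCert {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StoreName = 'My'          # netsh's default certstorename
    )
    # Thumbprints copied from the MMC dialog often carry spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $problems = @()
    $notes = @()
    if ($clean.Length -ne 40) { $problems += 'Thumbprint is not 40 hex characters.' }

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1

    if (-not $cert) {
        $problems += "Certificate not found in LocalMachine\$StoreName."
        # Imported through certmgr.msc? Then it sits in the per-user store instead.
        $inUser = Get-ChildItem -Path "Cert:\CurrentUser\$StoreName" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $clean }
        if ($inUser) { $problems += "Certificate is in CurrentUser\$StoreName (per-user import)." }
    } else {
        if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate.' }
        # Subject equal to Issuer means self-issued: either a self-signed service
        # certificate or the root CA certificate picked by mistake.
        if ($cert.Subject -eq $cert.Issuer) { $notes += 'Certificate is self-issued; confirm it is not the root CA.' }
    }
    [pscustomobject]@{
        Thumbprint = $clean
        Subject    = $cert.Subject
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
        Notes      = $notes
    }
}

# Usage with the values from the question (run from an elevated prompt).
$check = Test-SslBindingCert -Thumbprint '2c5ba85bcbca412a74fece02878a44b285c63981'
$check.Notes | ForEach-Object { Write-Warning $_ }
if ($check.Ok) {
    # The appid braces must be quoted in PowerShell.
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($check.Thumbprint)" 'appid={646937c0-1042-4e81-a3b6-47d678d68ba9}'
} else {
    $check.Problems | ForEach-Object { Write-Warning $_ }
}
```
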
三岁会撩人
#6 · 2020-01-29 04:47

In my case while creating the certificate I chose a different name than My for my Cert Store name. The default name is MY. So if yours is different append certstorename=Your provided store name to the command.

beautiful°
#7 · 2020-01-29 04:49

I had the same error when creating a self-signed certificate with OpenSSL (BouncyCastle). I resolved it with help from this post: Cannot export generated certificate with private key to byte array in .net 4.0/4.5

I had to add:

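        // Namespaces used: Org.BouncyCastle.Asn1.Pkcs, Org.BouncyCastle.Crypto.Parameters,
        // Org.BouncyCastle.Security, System.Security.Cryptography.
        // `seq` and `x509` are defined earlier in the poster's code (not shown here).
        RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq); //new RsaPrivateKeyStructure(seq);
        RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
            rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);

        var rsaPriv = DotNetUtilities.ToRSA(rsaparams);

        // Create the key container in the machine key store (not the user profile)
        var cspParams = new CspParameters
        {
            KeyContainerName = Guid.NewGuid().ToString(),
            KeyNumber = (int)KeyNumber.Exchange,
            Flags = CspProviderFlags.UseMachineKeyStore
        };

        var rsaPrivate = new RSACryptoServiceProvider(cspParams);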

        // Import private key from BouncyCastle's rsa
        rsaPrivate.ImportParameters(rsaPriv.ExportParameters(true));

        // Set private key on our X509Certificate2
        x509.PrivateKey = rsaPrivate;