始終加密 - 證書不能用作列主密鑰

我想使用高級創建的證書創建一個新的列主密鑰。我使用以下命令在Windows Certificate Store - Local Machine.

New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName TEST_CERT_01

問題是，當我嘗試選擇此證書時，出現以下錯誤：

誰能告訴證書有什麼問題？

請參閱本文的使用 PowerShell 創建自簽名證書部分。

要用作始終加密的 CMK，證書需要特定配置。

您應該能夠使用以下命令創建一個用作 CMK 的證書

New-SelfSignedCertificate is a Windows PowerShell cmdlet that creates a self-signed certificate. The below examples show how to generate a certificate that can be used as a column master key for Always Encrypted.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:CurrentUserMy -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048 

# To create a certificate in the local machine certificate store location you need to run the cmdlet as an administrator.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:LocalMachineMy -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048

這應該適用於 Server 2012，如果它不存在，則必須安裝 makecert 實用程序：

makecert.exe -n "CN=Always Encrypted Certificate - exported" -pe -sr CurrentUser -r -eku 1.3.6.1.5.5.8.2.2,1.3.6.1.4.1.311.10.3.11 -ss my -sky exchange -sp "Microsoft Strong Cryptographic Provider" -sy 1 -len 2048 -a sha256

引用自：https://dba.stackexchange.com/questions/176449