Unable to upload/import UserPfxCertificate via GraphSDK or HTTP

[xForcer]

I am trying to upload/import a UserPFXCertificate but I always end up getting the same generic error message: {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: xxxxxxxxxxxxxxxxxxxxxxxxx - Url: https://fef.msub06.manage.microsoft.com/RACerts/StatelessImportPFXService/c3cbb42e-ffff-0609-0254-021917475559/deviceManagement/userPfxCertificates?api-version=5021-04-09\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2022-02-21T13:39:53","request-id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx","client-request-id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}}}

I hid the request IDs. Let me know if it's needed

We tried checking for logs on the Intune or Azure side but we didn't find anything. I am creating the model and calling the post method like so:

var pfxCert = new X509Certificate2();
            pfxCert.Import("C:\\newCert2.pfx", "wHt0598x;Eva", X509KeyStorageFlags.DefaultKeySet);

            var securePassword = new SecureString();
            foreach (char c in "wHt0598x;Eva")
            {
                securePassword.AppendChar(c);
            }

            byte[] passwordArray = new byte[securePassword.Length];
            IntPtr secretCharPtr = IntPtr.Zero;
            char[] secretCharArray = new char[securePassword.Length];

            try
            {
                secretCharPtr = Marshal.SecureStringToGlobalAllocUnicode(securePassword);
                Marshal.Copy(secretCharPtr, secretCharArray, 0, secretCharArray.Length);
                for (int i = 0; i < securePassword.Length; i += 1)
                {
                    passwordArray[i] = (byte)secretCharArray[i];
                }
            }
            finally
            {
                Array.Clear(secretCharArray, 0, secretCharArray.Length);
                Marshal.ZeroFreeGlobalAllocUnicode(secretCharPtr);
            }

            string encryptedPasswordString = Convert.ToBase64String(passwordArray);

 var userPfxCertificate = new UserPFXCertificate
            {
                Thumbprint = pfxCert.Thumbprint.ToLowerInvariant(),
                IntendedPurpose = UserPfxIntendedPurpose.SmimeEncryption,
                UserPrincipalName = "username",
                StartDateTime = Convert.ToDateTime(pfxCert.GetEffectiveDateString(), CultureInfo.CurrentCulture),
                ExpirationDateTime = Convert.ToDateTime(pfxCert.GetExpirationDateString(), CultureInfo.CurrentCulture),
                ProviderName = "Microsoft Software Key Storage Provider",
                KeyName = "testKey1", 
                PaddingScheme = UserPfxPaddingScheme.OaepSha256,
                EncryptedPfxBlob = pfxCert.RawData,
                EncryptedPfxPassword = encryptedPasswordString,
                CreatedDateTime = DateTime.UtcNow,
                LastModifiedDateTime = DateTime.UtcNow,
            };

 await this.graphServiceClient.DeviceManagement.UserPfxCertificates.Request().AddAsync(userPfxCertificate)

I also tried calling the API with HTTP. I get the same error message

Note: If I use examples from https://github.com/MicrosoftDocs/IntuneDocs/blob/main/intune/protect/certificates-imported-pfx-configure.md to import the certificate via powershell script then it works fine..

Please give me any information on what I am doing wrong. I am pulling my hair since last week over this and I just cannot get the reason why the bad request...

I am using the latest Graph beta version

[xForcer]

The issue was in certificate already existing on Intune side. This was my bad, but I suggest having a better response message in the case user tries to import a certificate that's already existing on Intune instead of generic bad request

[maisarissi]

Hi @xForcer . Yes, we agree with you that the API should be providing a better response message to help users identify the error. Unfortunately, we in the Microsoft Graph SDK team do not have any ownership of the APIs to add the functionality you need. If you share your idea in the Microsoft 365 Developer Platform forum, it will be possible for others to add upvote and get routed to the appropriate team for them to triage. https://aka.ms/requestgraph

Closing this as non-actionable.