What are the prerequisites for a certificate for the IIS Centralized Certificate Store?

IIS Centralized Certificate Store (CCS) seems to be a good solution for not having to import certificates and selecting them for a specific link in IIS.

Unfortunately, it seems that there are prerequisites for the certificates, which are not well documented and cause the certificates not to be collected, here are my observations:

  • Certificates exported from MMC (if imported through MMC before) work.
  • The certificates issued by Let-Encrypt do not work – the Chain seems to be missing
  • Certificates that are read with powershell and are written via Export-PFXCertificate -ChainOption BuildChain Have the chain, but they are not working either.
  • Certificates imported through PowerShell and exported through MMC do not work either.
  • Certificates exported through MMC are approximately 150 bytes smaller than those exported through PowerShell

So, what are the requirements for those certificates?
Why does import / export work through MMC, but import / export of PowerShell does not work?
What's missing?
How to solve that with a simple script?