
Why is access denied when installing SSL cert on IIS 5?

I'm working with a support person who is supposed to be able to install SSL certs on a web server he maintains. He has local admin rights to the server via a domain security group. He also has permissions on our internal CA running Windows 2003 Server Certificate Authority: "Request cert" and "Issue and Manage certs".

The server he's working with is running Windows 2000 SP4 / IIS 5. When he attempts to create an online server cert, the IIS wizard ends with "Failed to install. Access is Denied.". The event viewer is not working properly, so I can't find any details there. I suspect the permission issue is local and not with the CA.

My account is a domain admin account and I know I am able to do this operation, however I need to make this work for others that are not domain admins.

Any ideas why he can't perform this operation?

spoulson asked Oct 27 '25 06:10


2 Answers

I had this exact same issue a few months ago when I was setting up a cert for a client.

There's a MachineKeys folder that the Administrator needs rights to:

\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Give Administrator (or the Administrator group) Full Control over this directory. I don't think you have to restart IIS, but it never hurts.

I have no idea why Admin doesn't control this as default. Once this is changed, the Certificate Creation Wizard will successfully generate the certificate request.

There's even a Microsoft KB article about it: http://support.microsoft.com/kb/908572

JWHEAT answered Oct 29 '25 05:10


If you're renewing a certificate, then it's possible that you imported your new intermediate certificate (.pb7) before removing your existing (expired) certificate from IIS. You would get an access denied error because both the old and new certificates are for the same domain.

So by the time you get this access denied error, there are three things you must do.

  1. Remove all certificates for this domain name from IIS, including the new one you just imported.
  2. Go back to Console1, and remove the certificate for your domain name from Local Computer\Certificate Enrollment Requests\Certificates.
  3. Start over.

Vincent answered Oct 29 '25 06:10


