Microsoft KB Archive/919074

= You receive an error message when you try to import an SSL private key certificate (.pfx) file into the local computer personal certificate store by using IIS Manager =

Article ID: 919074

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Internet Information Services 6.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1

-



Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
You try to import a Secure Sockets Layer (SSL) private key certificate (.pfx) file into the local computer personal certificate store. When you do this, you may experience one of the following symptoms depending on how you try to import the .pfx file:  If you try to import the .pfx file by using Microsoft Internet Information Services (IIS) Manager, you receive the following error message:

Cannot import pfx file. Either you entered wrong password for this file or the certificate has expired.

 If you try to import the .pfx file by using the Certificates Microsoft Management Console (MMC) snap-in, you receive the following error message:

An internal error occurred. This can be either the user profile is not accessible or the private key that you are importing might require a cryptographic service provider that is not installed on your system.





CAUSE
This behavior occurs when one or more of the following conditions are true:
 * You have insufficient permissions to access the :\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder on the computer.
 * A third-party registry subkey exists that prevents IIS from accessing the cryptographic service provider.
 * You are logged on to the computer remotely through a Terminal Services session, and the user profile is not stored locally on the server that has Terminal Services enabled.



RESOLUTION
To resolve this behavior, use one or more of the following methods, as appropriate for your situation.

Method 1: Set the correct permissions for the MachineKeys folder
If you have insufficient permissions to access the :\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder on the computer, set the correct permissions for the folder. For more information about how to set the permissions for the MachineKeys folder, click the following article number to view the article in the Microsoft Knowledge Base:

278381 Default permissions for the MachineKeys folders

Method 2: Delete the third-party registry subkey
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

If the following registry subkey exists, delete it:

After you delete this registry subkey, IIS can access the cryptographic service provider.

Method 3: Store the user profile for the Terminal Services session locally
If the user profile for the Terminal Services session is not stored locally on the server that has Terminal Services enabled, move the user profile to the server that has Terminal Services enabled. Alternatively, use roaming profiles. For more information about how to set up and administer user profiles, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/23ee2a30-5883-4ffa-b4cf-4cfff3ff8cb71033.mspx



STATUS
This behavior is by design.

Keywords: kbtshoot kbprb KB919074

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.