Error: 0x00000046 - when requesting certificates


DJH

Hey,

We have an internal PKI utilising an offline root and policy server, and an
AD integrated enterprise issuing server. We've distributed our root
certificate via a GPO to all workstations/servers in AD.

We have a number of certificate templates for SSL certs. We permission these
with Role groups to define who can request and modify the certs.

We have one problematic box, when requesting a certificate via
servername\certsrv we get a permission denied error:

"An error occurred while creating the certificate request. Please verify
that your CSP supports any settings you have made and that your input is
valid.
Suggested cause:
You do not have write permission to save the file to the path
Error: 0x00000046 - Permission Denied"

The request is for a generic SSL certificate so that a secure channel can be
used to communicate between 2 boxes. The certificate request never reaches
the enterprise issuing server (no record of failed request). The error
message indicates a permission issue, but the way we permission the templates
is such that you won't see the cert via the web interface if you're not a member
of the group which can request this certificate type. The user requesting the
certificate is a member of builtin\administrators of the box requesting the
certificate.

Anyone have any suggestions?
 
Found it!

Permissions on the local certificate store were incorrect. For some reason
administrators only had read!

Local certificate store location:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

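
The condition found in the thread can be checked with a script. This is an added example, not part of the original posts: it reads the ACL on the MachineKeys folder and reports whether BUILTIN\Administrators holds write access on the folder itself. `Get-AdminKeyStoreAccess` is a hypothetical helper name, and the default path is the one quoted in the post.

```powershell
param(
    # Path quoted in the post (Windows XP / Server 2003 layout). On Vista and
    # later the same store is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
    [string]$Path = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
)

# Get-AdminKeyStoreAccess is a hypothetical helper name used for this example.
function Get-AdminKeyStoreAccess {
    param([Parameter(Mandatory = $true)][string]$Path)

    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $write    = [int][System.Security.AccessControl.FileSystemRights]::Write
    $allow    = 0
    $deny     = 0

    # Explicit and inherited ACEs, with trustees returned as SIDs so the
    # comparison does not depend on localized group names.
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $adminSid) { continue }
        # Inherit-only ACEs apply to children, not to the folder itself.
        if ($rule.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }

    # Deny ACEs win over allow ACEs. Only ACEs naming Administrators directly
    # are counted; rights granted through other groups are not evaluated.
    $effective = $allow -band (-bnot $deny)
    New-Object PSObject -Property @{
        Path       = $Path
        RightsMask = '0x{0:X8}' -f $effective
        CanWrite   = (($effective -band $write) -eq $write)
    }
}

Get-AdminKeyStoreAccess -Path $Path | Format-List Path, RightsMask, CanWrite
```

A `CanWrite` value of `False` corresponds to the read-only state reported in the thread.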
 