Problem installing a certificate from Certificate Server on Windows 2000

Posted on 2004-11-24
Last Modified: 2013-12-04
Hello experts,

I'm having a problem obtaining a certificate from a CA running Certificate Services on a Windows 2000 box. Certificate Services has been installed as a stand alone root CA.

My ultimate goal is to encrypt SQL Server traffic. To that end, I'm following the directions found here:

To summarize, this document assumes you have a Certificate Server already installed and running. First, you open http://CertServerName/certsrv/ and request a certificate. Once you have it installed, you verify that it is installed using the Certificates snap in for the MMC.

I've followed the directions to request the certificate. I've also figured out that, because my certificate server is installed as a stand alone server instead of an enterprise server, I need to go to Start --> Programs --> Administrative Tools --> Certification Authority, find the certificate, and Issue it. When I go back to http://CertServerName/certsrv/, find the certificate, and click "Install this certificate", it says the certificate was installed successfully.

But here's my problem: when I go to verify that the certificate exists using MMC, it isn't there. From the documentation above: "Your installed certificates are located in the Certificates folder in the Personal container."  But the Personal container is empty. There are no installed certificates.

Any ideas what is going on here? Am I missing any important relevant information?

Thanks for your help,

Question by:ckilian

    Author Comment

    After hours of beating my head against a wall, for repeated and multiple issues, I finally figured it out.

    The problem was the instructions I was following. They made several assumptions without explaining that there were assumptions being made. And finally, for the problem I wrote you about, they were just plain wrong. They missed a step.

    First, I tried following these instructions (, which assume that you have a certificate server set up on your network without ever explicitly saying that. If you don't have a certificate server (also called a Certificate Authority, or CA) already set up, you'll get "Windows cannot find a certification authority to process the request." If you google search that error, you're likely to come across an MSDN article (;en-us;Q271861) that suggests that you need to change some rights on your domain controller, but never mentions that you could be getting that error because you actually don't have a certificate server set up at all. It also doesn't mention that the article applies to Certificate Services. It actually doesn't mention anything whatsoever about certificate services, even though certificate services is integral to making those instructions have any effect whatsoever.

    Furthermore, the first set of instructions are assuming not only that you have a certificate server set up, but also that the certificate server is set up in Enterprise mode, even though you can also install Certificate Server in Stand Alone mode. If you do happen to have a certificate server set up already, but it is installed in stand alone mode, the instructions using MMC simply will not work. You have to go through a website being run from the certificate services computer instead.

    Which is yet ANOTHER thing they never mention: Certificate Services requires IIS. Fortunately, I already had IIS installed. Unfortunately, I would've assigned IP addresses differently and installed things in a different order had I known that ahead of time, but it turned out that it wasn't a big deal and I could work around it.

    Second, I tried following these instructions (, which assume less but still assume a lot. For one thing, it still assumes you've set up your certificate server in Enterprise mode. From that page:

    7. Leave all other items as the default. Click Submit.
    8. The last page presents you with a Certificate to Install hyperlink. Click Install this certificate.

    Well guess what? If you click submit as per #7, and your certificate server is configured in stand alone mode, you don't get a link to install. Instead it tells you to check back in a few days. Then you have to go to the certificate server, fire up Certificate Services, right click on the certificate request, and choose Issue. THEN you go back to http://certserver/certsrv/ and choose to view the status of your pending requests. THEN you can click install.

    Of course, EVEN IF you do that, it won't work. Because instruction #7 above was wrong. You shouldn't leave all the other items as default. You should also check "Use local certificate store" -- which you must have administrator rights to use. If you don't check that box, the certificate doesn't show up in the MMC Certificates screen, because it is installed into IE's certificate store instead of being installed into the computer's certificate store.

    That's right. The problem that I initially wrote about was happening because the instructions had it installing the certificate into IE instead of into the computer-wide certificate store.

    But until I figured that out, I spent several frustrating hours reading my documentation. Specifically:

    "To verify that your certificate installation is correct, use either the MMC Certificate snap-in to verify the certificates or use the CertUtil.exe tool that is installed on the certificate server to list the certificates. To load the MMC Certificate snap-in, follow these steps ... "

    I followed those steps, and the certificate wasn't there (because of faulty instructions, but I've covered that). So there was something wrong. Obviously, the author of the instructions foresaw the very real possibility that something might go wrong, or else s/he wouldn't have left instructions on how to verify that everything had worked. But doesn't it make sense that if you think something might go wrong, you should leave instructions on how to fix anything that goes wrong? Perhaps links to other documents, for example. But no. Basically, the document reads:

    1. Follow this series of complicated steps.
    2. Verify that the steps worked. If they didn't, uh ... Hey look! A bird!
    3. So now that everything worked...

    I've been working on this problem for days, and the reality is I could've had it done in hours if I'd had decent documentation. I also could've estimated my time better.

    I'm hoping that Experts Exchange can leave this answer up, because this post has a lot of information in one place that apparently exists only in scattered form elsewhere on the Internet.  Hopefully I can help someone by having all the errors and corrections to faulty documentation in one place.
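
The check described in the comment above, as an added example that is not part of the original post: it lists the Personal ("My") store for both the current user and the local computer, so you can see which one the certificate actually landed in. It assumes a system with PowerShell and that the "IE store" in the post is the current user's Personal store; `$SubjectPattern` is a hypothetical filter you would set to your server's name.

```powershell
# Added example: report which Personal (My) store holds a certificate.
# $SubjectPattern is a hypothetical filter, e.g. '*CN=sqlhost.example.com*'.
param([string]$SubjectPattern = '*')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Get-PersonalStoreCerts {
    param([System.Security.Cryptography.X509Certificates.StoreLocation]$Location)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $Location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            if ($cert.Subject -notlike $SubjectPattern) { continue }

            # Look for the Server Authentication purpose, if an EKU extension is present.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $serverAuth = $false
            if ($eku) {
                $serverAuth = @($eku.EnhancedKeyUsages |
                    Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
            }

            [pscustomobject]@{
                Store         = "$Location\My"
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                ServerAuthEku = $serverAuth
            }
        }
    }
    finally { $store.Close() }
}

$found = @('CurrentUser', 'LocalMachine') | ForEach-Object { Get-PersonalStoreCerts -Location $_ }
$found | Format-Table -AutoSize

# The failure mode from the post: the certificate exists, but only per-user.
$inMachine = @($found | Where-Object { $_.Store -eq 'LocalMachine\My' })
$inUser    = @($found | Where-Object { $_.Store -eq 'CurrentUser\My' })
if ($inMachine.Count -eq 0 -and $inUser.Count -gt 0) {
    Write-Warning 'Certificate is only in CurrentUser\My; it was not installed into the computer store.'
}
```

A certificate that appears only under `CurrentUser\My` matches the symptom in the original question: the web enrollment page reports success, but the computer's Personal container is empty.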

    Expert Comment

    Very nice summary. As I'm about to do something similar it's well-timed too. Well done.

    Can you award yourself the points !? :-D

    Expert Comment

    If it's any consolation, I've alerted the folks responsible for those KB articles that they should consult your response here, and clarify the articles in question.

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
