Problem installing a certificate from Certificate Server on Windows 2000

Hello experts,

I'm having a problem obtaining a certificate from a CA running Certificate Services on a Windows 2000 box. Certificate Services has been installed as a stand alone root CA.

My ultimate goal is to encrypt SQL Server traffic. To that end, I'm following the directions found here: 

To summerize, this document assumes you have a Certificate Server already installed and running. First, you open http://CertServerName/certsrv/ and request a certificate. Once you have it installed, you verify that it is installed using the Certificates snap in for the MMC.

I've followed the directions to request the certificate. I've also figured out that, because my certificate server is installed as a stand alone server instead of an enterprise server, I need to go to Start --> Programs --> Administrative Tools --> Certification Authority, find the certificate, and Issue it. When I go back to http://CertServerName/certsrv/, find the certificate, and click "Install this certificate", it says the certificate was installed successfully.

But here's my problem: when I go to verify that the certificate exists using MMC, it isn't there. From the documentation above: "Your installed certificates are located in the Certificates folder in the Personal container."  But the Personal container is empty. There are no installed certificates.

Any ideas what is going on here? Am I missing any important relevant information?

Thanks for your help,

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ckilianAuthor Commented:
After hours of beating my head against a wall, for repeated and multiple issues, I finally figured it out.

The problem was the instructions I was following. They made several assumptions without explaining that there were assumptions being made. And finally, for the problem I wrote you about, they were just plain wrong. They missed a step.

First, I tried following these instructions (, which assume that you have a certificate server set up on your network without ever explicitly saying that. If you don't have a certificate server (also called a Certificate Authority, or CA) already set up, you'll get "Windows cannot find a certification authority to process the request." If you google search that error, you're likely to come across an MSDN article (;en-us;Q271861) that suggests that you need to change some rights on your domain controller, but never mentions that you could be getting that error because you actually don't have a certificate server set up at all. It also doesn't mention that the article applies to Certificate Services. It actually doesn't mention anything whatsoever about certificate services, even though certificate services is an integral to making those instructions have any effect whatsoever.

Furthermore, the first set of instructions are assuming not only that you have a certificate server set up, but also that the certificate server is set up in Enterprise mode, even though you can also install Certificate Server in Stand Alone mode. If you do happen to have a certifiate server set up already, but it is installed in stand alone mode, the instructions using MMC simply will not work. You have to go through a website being run from the certificate services computer instead.

Which is yet ANOTHER thing they never mention: Certificate Services requires IIS. Fortunately, I already had IIS installed. Unfortunately, I would've assigned IP addresses differently and installed things in a different order had I known that ahead of time, but it turned out that it wasn't a big deal and I could work around it.

Second, I tried following these instructions (, which assume less but still assume a lot. For one thing, it still assumes you've set up your certificate server in Enterprise mode. From that page:

7. Leave all other items as the default. Click Submit.
8. The last page presents you with a Certificate to Install hyperlink. Click Install this certificate.

Well guess what? If you click submit as per #7, and your certificate server is configured in stand alone mode, you don't get a link to install. Instead it tells you to check back in a few days. Then you have to go to the certificate server, fire up Certificate Services, right click on the certificate request, and choose Issue. THEN you go back to http://certserver/certsrv/ and choose to view the status of your pending requests. THEN you can click install.

Of course, EVEN IF you do that, it won't work. Because instruction #7 above was wrong. You shouldn't leave all the other items as default. You should also check "Use local certificate store" -- which you must have administrator rights to use. If you don't check that box, the certificate doesn't show up in the MMC Certificates screen, because it is installed into IE's certificate store instead of being installed into the computer's certificate store.

That's right. The problem that I initially wrote about was happening because the instructions had it installing the certificate into IE instead of into the computer-wide certificate store.

But until I figured that out, I spent several frustrating hours reading my documentation. Specifically:

"To verify that your certificate installation is correct, use either the MMC Certificate snap-in to verify the certificates or use the CertUtil.exe tool that is installed on the certificate server to list the certificates. To load the MMC Certificate snap-in, follow these steps ... " 

I followed those steps, and the certificate wasn't there (because of faulty instructions, but I've covered that). So there was something wrong. Obviously, the author of the instructions foresaw the very real possibility that something might go wrong, or else s/he wouldn't have left instructions on how to verify that everything had worked. But doesn't it make sense that if you think something might go wrong, you should leave instructions on how to fix anything that goes wrong? Perhaps links to other documents, for example. But no. Basically, the document reads:

1. Follow this series of complicated steps.
2. Verify that the steps worked. If they didn't, uh ... Hey look! A bird!
3. So now that everything worked...

I've been working on this problem for days, and the reality is I could've had it done in hours if I'd had decent documentation. I also could've estimated my time better.

I'm hoping that Experts Exchange can leave this answer up, because this post has a lot of information in one place that apparently exists only in scattered form elsewhere on the Internet.  Hopefully I can help someone by having all the errors and corrections to faulty documentation in one place.
Very nice summary. As I'm about to do something similar its well-timed to. Well done.

Can you award yourself the points !? :-D
If it's any consolation, I've alerted the folks responsible for those KB articles that they should consult your response here, and clarify the articles in question.
PAQed with points refunded (500)

Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.