Solved

Access denied error when using IIS Certificate Wizard to renew Thawte certificate

Posted on 2008-06-26
Last Modified: 2012-08-14
I currently have an SSL123 Thawte certificate on my Exchange server. It is set to expire soon, so I'm trying to renew it. I am using the IIS 6 Certificate Wizard to create the new Certificate Signing Request (CSR). When I get to the last screen with the summary of information that will be used and click next I get an error that says "Access is Denied."

I am able to remove the current certificate, reinstall the current certificate, but am unable to create a CSR for a new certificate or for a renewal. This happens if I choose to send it directly to Thawte or if I choose to create it in a file and save it to send later.

I've tried this while logged in as a domain administrator and the local administrator.

The only thing that I know of that has changed is that we had a domain controller that was our organization's CA crash. We haven't been able to restore it. We have other domain controllers, so that wasn't a big deal, but it was our only CA. Is this something that could be related?

There aren't any error messages in the event log.

Thanks,

Andrew
0
Comment
Question by:NCTETech
8 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 21881196
why do you want to generate a CSR for a renewal?  You should be able to just buy a cert with the new expiry date?

Cheers.
0
 

Author Comment

by:NCTETech
ID: 21883001
I thought that was how I remembered doing it in the past, but when I go to Thawte and choose to renew the certificate it tells me that I have to generate a new CSR.
0
 
LVL 37

Expert Comment

by:meverest
ID: 21889155
umm, yes - sorry I was thinking something completely different.

did you follow the certificate /renew/ wizard on the IIS? (i.e. not /create/ cert)

Cheers.
0

 

Author Comment

by:NCTETech
ID: 21891198
Yes, followed the renew wizard and everything looked fine until I got to the end. It presents the summary and when you press finish it should write a file called certreq.txt that has the CSR, but when I click finish, the wizard displays "access denied" instead of saying that the wizard was completed successfully.
0
 
LVL 37

Expert Comment

by:meverest
ID: 21892467
Hi,

during the process you should be able to choose where to save the request file - make sure that the location selected can be written to by everyone.

Cheers,
0
 

Author Comment

by:NCTETech
ID: 21892587
Yeah, I've tried multiple locations. I've even created a new file called certreq.txt manually in several locations without an error, but still receive this error. I assume that the rights that are required are for the user who is running the Wizard, not the IIS account or anything like that, right?
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 2000 total points
ID: 21892653
>> I assume that the rights that are required are for the user who is running the Wizard, not the IIS account or anything like that, right?

I just created one on my local server and the file came out with my user account as 'owner' - I tried to remove all rights to that folder except administrator, then saved again.

I got the access denied error (as expected) but got it when actually selecting the file path, not at the end.  When I just entered the path in the file dialog instead of using the browse function, the process completed without any error message - just that the file wasn't actually created.

So it seems that your issue is not one of permissions on the destination folder, but something else.

I suspect that the process is attempting to open up some crypto library and /that/ is where access is failing.  I reckon that your best bet is to use some kind of file monitor (look for 'filemon' with a search engine) and then analyse what file access is failing on.

Alternatively, you can enable audit on the entire system drive for all users and then look at the security log in the event viewer for failed access events.

Cheers.
0
 

Accepted Solution

by:
NCTETech earned 0 total points
ID: 21903351
Found this solution on a MS site and it worked for me.

Go to c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys

Go to properties - security, click on advanced.

Select the administrators group (which should have full access already), and change the setting from "this folder only" to "this folder, subfolder and files".

After that the certificate requests suddenly worked.
0
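
A read-only way to inspect the ACL that the accepted answer changes, added here as an example and not part of the original thread: it lists each ACE on the MachineKeys folder with its "Apply onto" scope, then reports key files that have no Allow entry for the Administrators group. It assumes PowerShell 2.0 or later, an administrator session, and the Windows Server 2003 path quoted in the answer; the helper name `Get-AceScope` is made up for this example.

```powershell
# Added example: read-only audit, changes no permissions.
# Folder path as given in the accepted answer (Windows Server 2003 layout).
$path = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'

# Resolve the local Administrators group from its well-known SID so the
# check also works on non-English installations.
$sid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$admins = $sid.Translate([System.Security.Principal.NTAccount]).Value

# Hypothetical helper: map an ACE's inheritance/propagation flags to the
# wording of the "Apply onto" list in the Advanced Security Settings dialog.
function Get-AceScope($ace) {
    $inheritOnly = ($ace.PropagationFlags -band
        [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
    switch ([int]$ace.InheritanceFlags) {   # 1 = ContainerInherit, 2 = ObjectInherit
        0 { 'This folder only' }
        1 { if ($inheritOnly) { 'Subfolders only' } else { 'This folder and subfolders' } }
        2 { if ($inheritOnly) { 'Files only' } else { 'This folder and files' } }
        3 { if ($inheritOnly) { 'Subfolders and files only' }
            else { 'This folder, subfolders and files' } }
    }
}

# 1. ACEs on the folder itself and the scope each one applies to.
(Get-Acl $path).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited,
        @{ Name = 'AppliesTo'; Expression = { Get-AceScope $_ } } |
    Format-Table -AutoSize

# 2. Key files whose ACL cannot be read, or that have no Allow ACE for
#    the Administrators group.
Get-ChildItem $path -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $file = $_
    try {
        $acl = Get-Acl $file.FullName -ErrorAction Stop
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $admins -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $hit) { '{0}: no Allow ACE for {1}' -f $file.Name, $admins }
    } catch {
        '{0}: ACL not readable ({1})' -f $file.Name, $_.Exception.Message
    }
}
```

Running it before and after the change shows the Administrators entry on the folder move from "This folder only" to "This folder, subfolders and files".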
