Access denied error when using IIS Certificate Wizard to renew Thawte certificate

I currently have an SSL123 Thawte certificate on my Exchange server. It is set to expire soon, so I'm trying to renew it. I am using the IIS 6 Certificate Wizard to create the new Certificate Signing Request (CSR). When I get to the last screen with the summary of information that will be used and click next I get an error that says "Access is Denied."

I am able to remove the current certificate, reinstall the current certificate, but am unable to create a CSR for a new certificate or for a renewal. This happens if I choose to send it directly to Thawte or if I choose to create it in a file and save it to send later.

I've tried this while logged in as a domain administrator and the local administrator.

The only thing that I know of that has changed is that we had a domain controller that was our organization's CA crash. We haven't been able to restore it. We have other domain controllers, so that wasn't a big deal, but it was our only CA. Is this something that could be related?

There aren't any error messages in the event log.

Thanks,

Andrew
NCTETechAsked:
Who is Participating?
 
NCTETechConnect With a Mentor Author Commented:
Found this solution on a MS site and it worked for me.

Go to c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys

Go to properties - security, click on advanced.

Select the administrators group (which should have full access already), and change the setting from "this folder only" to "this folder, subfolder and files".

After that the certificate requests suddenly worked.
0
 
meverestCommented:
why do you want to generate a CSR for a renewal?  You should be able to just buy a cert with the new expiry date?

Cheers.
0
 
NCTETechAuthor Commented:
I thought that was how I remembered doing it in the past, but when I go to Thawte and choose to renew the certificate it tells me that I have to generate a new CSR.
0
Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

 
meverestCommented:
umm, yes - sorry I was thinking something completely different.

did you follow the certificat /renew/ wizard on the IIS? (i.e. not /create/ cert)

Cheers.
0
 
NCTETechAuthor Commented:
Yes, followed the renew wizard and everything looked fine until I got to the end. It presents the summary and when you press finish it should write a file called certreq.txt that has the CSR, but when I click finish, the wizard displays "access denied" instead of saying that the wizard was completed successfully.
0
 
meverestCommented:
Hi,

during the process you should be able to choose where to save the request file - make sure that the location selected can be written to by everyone.

Cheers,
0
 
NCTETechAuthor Commented:
Yeah, I've tried multiple locations. I've even created a new file called certreq.txt manually in several locations without an error, but still receive this error. I assume that the rights that are required are for the user who is running the Wizard, not the IIS account or anything like that, right?
0
 
meverestConnect With a Mentor Commented:
>> I assume that the rights that are required are for the user who is running the Wizard, not the IIS account or anything like that, right?

I just created one on my local server and the file came out with my user account as 'owner' - I tried to remove all rights to that folder except administrator, then saved again.

I got the access denied error (as expected) but got it when actually selecting the file path, not at the end.  When I just entered the path in the file dialog instead of using the browse function, the process completed without any error message - just that the file wasn't actually created.

So it seems that your issue is not one of permissions on the destination folder, but something else.

I suspect that the process is attemtping to open up some crypto library and /that/ is where access is failing.  I reckon that your best bet is to use some kinf of file monitor (look for 'filemon' with a search engine) and then analyse what file access is failing on.

Alternatively, you can enable audit on the entire system drive for all users and then look at the security log in the event viewer for failed access events.

Cheers.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.