You try to import a Secure Sockets Layer (SSL) private key certificate (.pfx) file into the local computer personal certificate store. When you do this, you may experience one of the following symptoms depending on how you try to import the .pfx file:
- If you try to import the .pfx file by using Microsoft Internet Information Services (IIS) Manager, you receive the following error message:
Cannot import pfx file. Either you entered wrong password for this file or the
certificate has expired.
- If you try to import the .pfx file by using the Certificates Microsoft Management Console (MMC) snap-in, you receive the following error message:
An internal error occurred. This can be either the user profile is not accessible
or the private key that you are importing might require a cryptographic service
provider that is not installed on your system.
This behavior occurs when one or more of the following conditions are true:
- You have insufficient permissions to access the DriveLetter:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder
on the computer.
- A third-party registry subkey exists that prevents IIS from accessing the cryptographic service provider.
- You are logged on to the computer remotely through a Terminal Services session, and the user profile is not stored locally
on the server that has Terminal Services enabled.
To resolve this behavior, use one or more of the following methods, as appropriate for your situation.
Method 1: Set the correct permissions for the MachineKeys folder
If you have insufficient permissions to access the
DriveLetter:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder
on the computer, set the correct permissions for the folder.
For more information about how to set the permissions for the MachineKeys folder, click the following article number to view the article in the Microsoft Knowledge Base:
278381
(http://kbalertz.com/Feedback.aspx?kbNumber=278381/
)
Default permissions for the MachineKeys folders
Method 2: Delete the third-party registry subkey
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
If the following registry subkey exists, delete it:
HKEY_USERS\Default\Software\Microsoft\Cryptography\Providers\Type 001
After you delete this registry subkey, IIS can access the cryptographic service provider.
Method 3: Store the user profile for the Terminal Services session locally
If the user profile for the Terminal Services session is not stored locally on the server that has Terminal Services enabled, move the user profile to the server that has Terminal Services enabled. Alternatively, use roaming profiles. For more information about how to set up and administer user profiles, visit the following Microsoft Web site:
This behavior is by design.
Article ID: 919074 - Last Review: December 3, 2007 - Revision: 1.2
APPLIES TO
- Microsoft Internet Information Services 6.0
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services 5.1