A Secure Sockets Layer, also known as an SSL, is a standard security technology for establishing an encrypted link between a server and a client. Manipulating isn’t all that easy, and it can usually result in error messages if not done right.
One good example is when you try to import a Secure Sockets Layer (SSL) private key certificate file into the local computer personal certificate store.
Many users reported having issues when trying to do so, and have reported receiving the following error message:
An internal error occurred. This can be either the user profile is not accessible or the private key that you are importing might require a cryptographic service provider that is not installed on your system.
Luckily enough, there are solutions to these problems, and we have listed them in a step-by-step manner below.
Note: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article.
How do I import an SSL private key without errors?
According to Microsoft, there are 3 main causes for why this error occurs:
- You have insufficient permissions to access the following folders:
- Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
- A third-party registry subkey exists that prevents IIS from accessing the cryptographic service provider
- You are logged on to the computer remotely through a Terminal Services session, and the user profile is not stored locally on the server that has Terminal Services enabled.
As you can imagine, by knowing what causes the issue, it is now easy to figure out what the logical fixes are.
1. Reset permissions for the MachineKeys folder
- Right-click the MachineKeys folder
- Click Advanced on the Security tab
- Click View/Edit
- Select the Reset Permissions on all Child objects and enable propagation of inheritable permissions checkbox
2. Delete the third-party registry subkey
- Press Windows + R
- Type in regedit.exe
- This will open the Registry Editor
- If the following registry subkey exists, delete it:
- HKEY_USERS\Default\Software\Microsoft\Cryptography\Providers\Type 001
3. Store the user profile for the Terminal Services session locally
If this seems to be the case, ask your IT administrator to simply move the user profile to the server that has Terminal Services enabled. Alternatively, you can also use roaming profiles.
By following these steps, you should now be able to import an SSL private key certificate file into the local computer personal certificate store without any more error messages.
If you’re aware of a solution we may have missed out on, share it in the comments section below so that other users can try it, as well.