You receive an error message when you try to import an SSL private key certificate (.pfx) file into the local computer personal certificate store by using IIS Manager

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

Symptoms

You try to import a Secure Sockets Layer (SSL) private key certificate (.pfx) file into the local computer personal certificate store. When you do this, you may experience one of the following symptoms depending on how you try to import the .pfx file:
  • If you try to import the .pfx file by using Microsoft Internet Information Services (IIS) Manager, you receive the following error message:
    Cannot import pfx file. Either you entered wrong password for this file or the certificate has expired.
  • If you try to import the .pfx file by using the Certificates Microsoft Management Console (MMC) snap-in, you receive the following error message:
    An internal error occurred. This can be either the user profile is not accessible or the private key that you are importing might require a cryptographic service provider that is not installed on your system.

Cause

This behavior occurs when one or more of the following conditions are true:
  • You have insufficient permissions to access the DriveLetter:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder on the computer.
  • A third-party registry subkey exists that prevents IIS from accessing the cryptographic service provider.
  • You are logged on to the computer remotely through a Terminal Services session, and the user profile is not stored locally on the server that has Terminal Services enabled.

Resolution

To resolve this behavior, use one or more of the following methods, as appropriate for your situation.

Method 1: Set the correct permissions for the MachineKeys folder

If you have insufficient permissions to access the DriveLetter:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder on the computer, set the correct permissions for the folder. For more information about how to set the permissions for the MachineKeys folder, click the following article number to view the article in the Microsoft Knowledge Base:

278381 Default permissions for the MachineKeys folders

Method 2: Delete the third-party registry subkey

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

If the following registry subkey exists, delete it:
HKEY_USERS\Default\Software\Microsoft\Cryptography\Providers\Type 001
After you delete this registry subkey, IIS can access the cryptographic service provider.

Method 3: Store the user profile for the Terminal Services session locally

If the user profile for the Terminal Services session is not stored locally on the server that has Terminal Services enabled, move the user profile to the server that has Terminal Services enabled. Alternatively, use roaming profiles. For more information about how to set up and administer user profiles, visit the following Microsoft Web site:

Status

This behavior is by design.
Properties

Article ID: 919074 - Last Review: Dec 3, 2007 - Revision: 1

Feedback