Web Certificate Services - Error 0x80090016 on certificate install for IPsec [WORKAROUND INSIDE!]


Todd Day

[Workaround below]

When installing an IPSec certificate to the Local Machine Store, I get
the following error -

Unable to install the certificate:
Error: 0x80090016

Using the MMC snapins, it appears that the certificate made it, but
the private key did not. Actually, the certificate claims to have an
associated private key, but I know that is a lie because during IKE
negotiations, this certificate is not seen as valid.

The certificate will install properly if I don't check the box to
store it in the Local Store. Then I try to use the MMC tool to move
the certificate from my User Store to the Local Store. Well, the
certificate makes it, but the private key does not. The certificate
will claim that the private key is there, but it did not get properly
moved. THE BUG IN THE LAST SENTENCE HAS BEEN AROUND SINCE AT LEAST
MAY, BUT STILL HAS NOT BEEN FIXED!

This 0x80090016 error occurred on two of my WinXP Home machines. It
also occurred on a couple WinXP Pro machines in my Win2k3 domain, but
not all of them. It worked okay on the one Win2k machine in my domain
that I tried. All of these machines (with and without the bug) had
been patched with the IPsec/NAT-T patch.

The workaround for this error (only tested on one machine as I write
this) is to request a cert WITH AN EXPORTABLE KEY, but do not request
a Local Machine Store key. You will get a User Store key instead,
with the full CA path as bonus. This key should install properly with
no problems.

Then use the MMC tool with the Certificate snap-in loaded twice. Once
for the Computer, once for the User. Find the User key you just
installed, in the Personal section. Export the cert, including your
private key. If you do not get the option to also export the private
key, then you messed up in your original request on the website.
Select the PFX format and include all cert paths, deselect strong
protection. Type in a password for the exported cert. Save it.

Now right-click on the Personal folder of the Local Computer section
and import the key you just exported. It defaults to the Personal
store - that means "Personal" of the Local Computer, which is what you
want.

Now you should see both the Cert you started with plus the Cert of the
machine you got your cert from (the CA cert). The name of the CA cert
should match the "issued by" field of your cert. Drag the CA cert
(not your cert) into the "Trusted Root Cert Auth" folder. DONE! Open
your personal cert and make sure there aren't any red marks on it on
any of the tabs indicating a problem.

Ugh. What BS. You know, even if this bug did not exist, the Cert Web
Services are still broken. They will not ever install the CA cert
that you get your cert from in the Local Machine Trusted Root. The
best that will happen is that it ends up in the "Intermediate
Certification Auth" folder, which is useless, as far as I can tell. I
cannot get IPsec to work unless my CA cert is trusted.

Just how in the hell are normal users supposed to use this Cert
Services webtool? I can barely make heads or tails of it all as an
administrator! Why isn't there just a button that says, "Request
IPsec Cert", which then just installs everything automagically where
it is supposed to go? Especially if the user has admin privs on their
own machine, why not let that happen?

Also, with the MMC snapins... when I drag a cert from one bin to
another, and the cert has been marked with an exportable private key,
why the heck doesn't the tool move everything for me as if I went
through the export/import hell written above? Also, if moving a cert
is going to cause me the loss of the private key, how come the tool is
not warning me about this?

Argh... I was having to set up a multi-page document with about 40
screen shots to distribute to users to get them set up for remote
access, and that was *BEFORE* this bug. This is f-ing ridiculous, and
needs to be massively simplified.

-todd-
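
Todd's export/import workaround as a script. This is an added example, not code from the original post or from Microsoft: it drives the .NET X509 classes from PowerShell and assumes .NET Framework 4.6 or later (for GetRSAPrivateKey, which handles both CSP and CNG keys), an elevated session so the LocalMachine stores are writable, and a user-store certificate that was requested with an EXPORTABLE key. The subject fragment `CN=ipsec-client` and the PFX path are placeholder values. Its last step is stricter than "look for red marks in the MMC": it proves the private key is usable from the machine store by decrypting with it, because HasPrivateKey (what the snap-in displays) can be set while the key itself never made it across.

```powershell
# Added example: scripted version of the user-store -> machine-store workaround.
# Assumes .NET 4.6+, an elevated PowerShell session, and an exportable key.
param(
    [string]$SubjectMatch = 'CN=ipsec-client',                      # placeholder; match your cert's Subject
    [string]$PfxPath      = (Join-Path $env:TEMP 'ipsec-client.pfx')  # placeholder temp path
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'
$Ext  = "$X509.RSACertificateExtensions" -as [type]                 # null on .NET < 4.6
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

function Open-Store([string]$Name, [string]$Location, [string]$Mode = 'ReadWrite') {
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList $Name, $Location
    $store.Open($Mode)
    return $store
}

# HasPrivateKey only says a key *reference* is attached to the cert. Prove the key is
# really reachable by decrypting something encrypted to the cert's own public key.
function Test-UsablePrivateKey($cert) {
    if (-not $cert -or -not $cert.HasPrivateKey) { return $false }
    try {
        $priv = $Ext::GetRSAPrivateKey($cert)
        $pub  = $Ext::GetRSAPublicKey($cert)
        if (-not $priv) { return $false }
        $probe = [Text.Encoding]::ASCII.GetBytes('ipsec private key probe')
        $back  = $priv.Decrypt($pub.Encrypt($probe, $Oaep), $Oaep)
        return ([Convert]::ToBase64String($back) -eq [Convert]::ToBase64String($probe))
    } catch { return $false }
}

# 1. Locate the certificate that web enrollment put in CurrentUser\My.
$userMy = Open-Store 'My' 'CurrentUser' 'ReadOnly'
$source = $userMy.Certificates |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey } |
    Select-Object -First 1
$userMy.Close()
if (-not $source) { throw "No certificate matching '$SubjectMatch' with a private key in CurrentUser\My" }
if (-not (Test-UsablePrivateKey $source)) { throw 'User-store private key is not usable; nothing to export' }

# 2. Export cert + private key to PFX. Export() throws if the key was not requested as exportable.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
[IO.File]::WriteAllBytes($PfxPath, $source.Export('Pkcs12', $pfxPassword))

# 3. Import into LocalMachine\My. MachineKeySet puts the key in the machine key container;
#    PersistKeySet keeps it after the X509Certificate2 object is gone.
$machineCert = New-Object -TypeName "$X509.X509Certificate2" `
    -ArgumentList $PfxPath, $pfxPassword, 'MachineKeySet,PersistKeySet'
$machineMy = Open-Store 'My' 'LocalMachine'
$machineMy.Add($machineCert)
$machineMy.Close()
Remove-Item -Path $PfxPath -Force        # the PFX contains the private key; do not leave it on disk

# 4. Put the issuing chain where IPsec will trust it: root CA into LocalMachine\Root,
#    any intermediates into LocalMachine\CA (the "drag the CA cert to Trusted Root" step).
$chain = New-Object -TypeName "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only need the path, not a revocation verdict
[void]$chain.Build($source)
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
if ($elements.Count -lt 2) {
    Write-Warning 'Issuing CA certificate not found; import it into LocalMachine\Root by hand'
}
for ($i = 1; $i -lt $elements.Count; $i++) {
    $storeName = if ($i -eq $elements.Count - 1) { 'Root' } else { 'CA' }
    $s = Open-Store $storeName 'LocalMachine'
    $s.Add($elements[$i])
    $s.Close()
}

# 5. Verify from the machine store, which is the view IKE negotiation uses.
$machineMy = Open-Store 'My' 'LocalMachine' 'ReadOnly'
$check = $machineMy.Certificates.Find('FindByThumbprint', $source.Thumbprint, $false) |
    Select-Object -First 1
$machineMy.Close()
if (-not (Test-UsablePrivateKey $check)) {
    throw 'Certificate is listed in LocalMachine\My but its private key is not usable (the 0x80090016 symptom)'
}
"OK: $($check.Subject) [$($check.Thumbprint)] in LocalMachine\My with a usable private key; issuer chain in Root/CA."
```

Run it from an elevated prompt. If step 4 warns that it could not find the issuer, the CA certificate was never delivered to any store on this machine; fetch it from the CA and add it with `certutil -addstore Root ca.cer` before testing IPsec.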
 

anstrem

Many thanks Todd. I have spent a heap of time searching for a solution
to this problem, and only your message has helped to fix it.
-
anstrem
 
