
I am attempting to import a certificate into my current user's personal certificate store, since my server is required to sign certain requests it makes and the suggested instructions were to do this. I was able to do this successfully on a development machine, but was not able to do it on another machine, as an option is grayed out:

"Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option" is checked off and grayed out.

What configuration can I change on this machine (I have admin access) to fix this?

Edit: Further Details
I am using the certificate import wizard, which can be launched via the certificates mmc (all tasks -> Import...) or by double-clicking the certificate or by right-clicking and selecting install. Actually, it can also be launched from IE in the Content tab. I've tried all of these methods of installing, and they all work the same. The certificate is a .p12 file.

Note that adding a certificate to the local machine rather than to the current user does allow me to uncheck this option and create a low security certificate, but I wish to add it to Current User.

Brian
  • Can you explain how you are importing the certificate? Is it packaged as a PKCS#12? – Dan Carley Jul 30 '09 at 15:51
  • @Dan: Explanation Added. I have tried importing the certificate after packaging it as other types of certificates, but this doesn't really make a difference. For some reason the personal store doesn't want to include unprotected certificates that have a private key. – Brian Jul 30 '09 at 16:32
  • While importing a certificate, strong private key protection is enabled by default (it has been grayed out). How do I disable the strong private key protection? I tried using Nick Headland's solution, but this solution did not help. –  Oct 20 '11 at 04:50
  • @AbhishekJoshi: I recommend asking a new question and referencing this one to keep it from being closed as a duplicate. This is an old question with an accepted answer, so nobody is going to notice your comment except me. – Brian Oct 20 '11 at 15:07

1 Answer

In the Local Security Policy of the machine, there is a policy called:

System Cryptography: Force strong key protection for user keys stored on the computer

Setting this to "User input is not required when new keys are stored and used" enabled this option, whereas it was previously greyed out when set to "User must enter a password each time they use a key".

Once the certificate is added, setting this policy back did not affect the certificate, only the option within the import wizard.

Hope this solution works for you too.

  • To save a google search for others: Start --> Run --> Gpedit.msc, then go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and set "System Cryptography: Force strong key protection for user keys stored on the computer" to "User input is not required when new keys are stored and used". Or, in the registry, set HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection to 0 if you don't have group policy editor access but do have registry access. – Bbb Jul 05 '22 at 16:27
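As an added example that is not part of the original question, answer or comments, the PowerShell script below does the procedure the answer and the last comment describe from an elevated shell: it records the current ForceKeyProtection value under HKLM\SOFTWARE\Policies\Microsoft\Cryptography, relaxes it only for the duration of the import, imports the .p12 into the Current User Personal store, and then restores the previous setting (the answer notes that restoring it does not affect the key that was already imported). The file path is a placeholder, and it is an assumption of this example that Import-PfxCertificate is subject to the policy in the same way as the import wizard; the 0/1/2 values correspond to the three wordings shown in the Local Security Policy editor.

```powershell
# Added example, not from the original page. Requires the PKI module
# (Import-PfxCertificate, Windows 8 / Server 2012 or later) and an elevated shell
# to write under HKLM. The PKCS#12 path below is a placeholder.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$ValueName = 'ForceKeyProtection'

# Registry value -> wording shown for the policy in secpol.msc / gpedit.msc.
$PolicyText = @{
    0 = 'User input is not required when new keys are stored and used'
    1 = 'User is prompted when the key is first used'
    2 = 'User must enter a password each time they use a key'
}

function Get-ForceKeyProtection {
    # An absent value means the policy is "Not defined"; the wizard then lets the user choose.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Meaning = 'Not defined' }
    }
    [pscustomobject]@{ Value = [int]$item.$ValueName; Meaning = $PolicyText[[int]$item.$ValueName] }
}

function Set-ForceKeyProtection {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Value -Type DWord
}

# 1. Record the current setting so it can be put back afterwards.
$before = Get-ForceKeyProtection
Write-Host "Before import: $($before.Meaning)"

# 2. Relax the policy only while the key is imported.
Set-ForceKeyProtection -Value 0

try {
    # 3. Import the PKCS#12 into the current user's Personal store. Without -Exportable the
    #    private key is stored non-exportable, which is the safer choice for a signing key.
    $pfxPath  = 'C:\path\to\server-signing.p12'   # placeholder path
    $password = Read-Host -Prompt 'PKCS#12 password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $pfxPath `
                                  -CertStoreLocation 'Cert:\CurrentUser\My' `
                                  -Password $password
    Write-Host "Imported $($cert.Subject) (thumbprint $($cert.Thumbprint))"
}
finally {
    # 4. Restore the original policy. Per the answer, this does not change the key just
    #    imported; it only governs future imports on this machine.
    if ($null -eq $before.Value) {
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ForceKeyProtection -Value $before.Value
    }
    Write-Host "After import: $((Get-ForceKeyProtection).Meaning)"
}

# 5. Confirm the certificate is in the store with a usable private key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter
```

Keeping the relaxation inside a try/finally is the point of the script: the machine-wide policy is weakened only for the few seconds the key is being written, and the audit line printed at the end shows it was put back, which is what you would want to see in a change record.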