Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

ISA Server 2000 cannot access an imported SSL certificate



Symptoms

When a computer that is running Microsoft Internet Security and Acceleration Server (ISA) 2000 tries to access a Secure Sockets Layer (SSL) certificate that is imported from a Web server, you may receive an error message that is similar to the following:
There are no certificates configured on this server.
You may also find the following event ID message logged in the application event log:

Event Type: Error
Event Source: Microsoft ISA Server Control
Event Category: None
Event ID: 12260
Date: 08-01-2004
Time: 10:56:59
Computer: ComputerName
Description: Fatal error occurred when attempting to access 'certificate-name' certificate private key. For more information about this event, see ISA Server Help. The error code in the Data area of the event properties indicates the cause of the failure.

Note In this event ID message, ComputerName is a placeholder for the actual computer name.



Cause

This problem occurs if one of the following conditions is true:
  • The SSL certificate and its corresponding private key are not imported to the correct ISA Server certificate and private key store.
  • The SSL certificate is moved from one certificate store to another certificate store. This action causes the SSL certificate to separate from its corresponding private key.
Note When you publish an SSL site in ISA Server, you export the SSL server certificate with its corresponding private key from the Web server. You then import the SSL server certificate with its corresponding private key to the ISA Server certificate and private key store. This process makes ISA Server behave as the internal Web server by binding the SSL server certificate to the Incoming Web Requests listener that is used to accept client requests for the Web server.



Resolution

To resolve this problem, follow these steps:
  1. Export the SSL certificate and its corresponding private key to a file. To do this, follow these steps:
    a. In the Microsoft Management Console (MMC), open the Certificates snap-in.
    b. Locate the SSL certificate that you imported from the Web server.
    c. Right-click the SSL certificate, point to All Tasks, and then click Export.
    d. In the Certificate Export Wizard, click Next.
    e. Under Do you want to export the private key with the certificate, click Yes, export the private key.
    f. Click Personal Information Exchange - PKCS #12 (.PFX), and then click Next.
    g. Type a password in the Password box, type the password again in the Confirm password box, and then click OK.
    h. In the File name box, type a name for the file that you want to export or click Browse to locate a file, and then click Next.

      Note Remember the location that you specify in the File name box.
    i. Click Finish.
  2. After you export the SSL certificate to a file, delete the SSL certificate and its corresponding private key from the certificate store.
  3. Import the SSL certificate and its corresponding private key to the correct certificate and private key store. To do this, follow these steps:
    a. In the MMC, open the Certificates snap-in.
    b. Double-click Certificates.
    c. Right-click the Personal certificate store, point to All Tasks, and then click Import.
    d. In the Certificate Import Wizard, click Next.
    e. Type the name of the file that you want to import in the File name box.

      Note The file name that you type in the File name box is the same file name that you used to export the certificate in step 1h.
    f. Type the password that you used in step 1g in the Password box.
    g. Click to select the Mark the private key as exportable check box.
    h. Make sure that the Place all certificates in the following store option is selected and that the Personal certificate store appears in the Certificate store box.
    i. Click Next, and then click Finish.



More information

This problem also occurs if the system permissions on the RSA folder are changed manually or are changed by using a Group Policy object (GPO). The SYSTEM group must be assigned the Full Control permission for the certificate installations to function as expected.

To assign the Full Control permission on the RSA folder, follow these steps:
  1. Right-click the RSA folder that is located in the following folder:
    Documents and Settings\ALLUSERS\Application Data\Microsoft\Crypto
  2. Click Properties, and then click Security.
  3. In the Name list, click SYSTEM.
  4. In the Permissions list, click to select the Full Control check box, and then click OK.
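
The following read-only check is an added example, not part of the original Microsoft article. It tests the two conditions described under Cause and More information: whether each certificate in the computer's Personal store still has a private key that can be opened, and whether SYSTEM holds Full Control on the RSA folder. It assumes PowerShell 2.0 or later is installed on the ISA Server computer and that %ALLUSERSPROFILE% resolves to the All Users profile folder; the function names are hypothetical.

```powershell
# Added diagnostic sketch; read-only, run from an administrator PowerShell 2.0+ prompt.
# Assumption: %ALLUSERSPROFILE% resolves to the All Users profile folder named above.
$rsaPath   = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA'
$systemSid = 'S-1-5-18'   # well-known SID of the local SYSTEM account
$sidType   = [System.Security.Principal.SecurityIdentifier]
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-CertPrivateKey {
    # For each certificate in the computer's Personal store, report whether a
    # private key is linked to it and whether the key container can be opened.
    # The key is opened as the current user, not as SYSTEM, so a success here
    # does not replace the folder permission check below.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $opens = $false
        if ($cert.HasPrivateKey) {
            # Opening the key throws when the key file is missing or unreadable.
            try { $opens = ($cert.PrivateKey -ne $null) } catch { $opens = $false }
        }
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyLinked  = $cert.HasPrivateKey
            KeyOpens   = $opens
        }
    }
}

function Test-SystemFullControl([string]$Path) {
    # True when an Allow rule grants SYSTEM Full Control on the folder.
    # Rules are resolved to SIDs so the check does not depend on the OS language.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $systemSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

Test-CertPrivateKey | Format-Table Subject, Thumbprint, KeyLinked, KeyOpens -AutoSize
if (Test-Path $rsaPath) {
    "SYSTEM has Full Control on ${rsaPath}: $(Test-SystemFullControl $rsaPath)"
} else {
    "RSA folder not found at $rsaPath"
}
```

A certificate that shows KeyLinked or KeyOpens as False matches the separated-key condition under Cause; a False result for the folder check matches the permission condition described in this section.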



References

For additional information about setting permissions on certificates folders, click the following article number to view the article in the Microsoft Knowledge Base:
278381 Default permissions for the MachineKeys folders
For additional information about setting up ISA Server to host Web sites by using the SSL protocol, click the following article number to view the article in the Microsoft Knowledge Base:
292569 Set up Internet Security and Acceleration Server to host Web sites by using the Secure Sockets Layer protocol



Keywords: KB837350, kbprb


Article Info
Article ID : 837350
Revision : 2
Created on : 5/7/2004
Published on : 5/7/2004