- Q201. I want to use my certificate to send signed mail,
so I am trying to move it to the HKEY_LOCAL_MACHINE section of the
registry using the CertMover sample application. However I keep getting
the error "Bad Key". Why?
A. For a public/private key pair to be movable, it must have been
created with the CRYPT_EXPORTABLE flag. Once a key pair is created
you cannot set this flag. The only way out is to generate a new (exportable) key pair
and apply for a new certificate. We have provided an online form
at www.aspencrypt.com/get_cert.htm which will help you with that.
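Whether a key pair is exportable, as described in Q201, can be checked before attempting the move. The PowerShell below is an added example, not part of AspEncrypt or the CertMover sample. It assumes a Windows system with PowerShell and the .NET Framework, and Get-KeyExportability is a hypothetical helper name.

```powershell
# Added example: list the certificates in a store and report whether each
# private key was generated as exportable (the CRYPT_EXPORTABLE flag in Q201).
# Get-KeyExportability is a hypothetical helper name, not an AspEncrypt API.
function Get-KeyExportability {
    param(
        [string]$StoreName     = 'My',
        [string]$StoreLocation = 'CurrentUser'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $row = [ordered]@{
                Subject    = $cert.Subject
                HasKey     = $cert.HasPrivateKey
                Container  = $null
                MachineKey = $null
                Exportable = $null
                Note       = ''
            }
            if ($cert.HasPrivateKey) {
                try {
                    $key = $cert.PrivateKey
                    if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                        # CSP-backed key: the container records the flag fixed at generation time.
                        $info = $key.CspKeyContainerInfo
                        $row.Container  = $info.KeyContainerName
                        $row.MachineKey = $info.MachineKeyStore
                        $row.Exportable = $info.Exportable
                        if (-not $info.Exportable) { $row.Note = 'not movable; a new exportable key pair is needed' }
                    }
                    else { $row.Note = 'not a CSP key; exportability not reported by this check' }
                }
                catch {
                    # Raised when the key cannot be opened, e.g. a non-CSP provider
                    # or a container the current user has no permission to read.
                    $row.Note = "key not readable: $($_.Exception.Message)"
                }
            }
            [pscustomobject]$row
        }
    }
    finally { $store.Close() }
}

Get-KeyExportability | Format-Table Subject, HasKey, MachineKey, Exportable, Note -AutoSize
```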
- Q202. When I call
Set Context = CM.OpenContext("mycontainer", True)
it sometimes generates the following error. How do I fix that?
Persits.CryptoManager.1 error '800a0001'
Keyset does not exist
A. Windows NT: This is a permission issue. The current user (such as IUSR_xxx)
does not have sufficient permissions to
access the specified key container in the registry. To fix this problem, open regedt32
(not regedit!), open the hive HKEY_LOCAL_MACHINE and highlight the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MachineKeys\<container name>.
Select Security/Permissions from the menu and make sure Everyone has Full Control over this key.
In Windows 2000, key containers are stored in the file system rather than in the registry.
See Q204 for more info.
- Q203.
I want to use the LogonUser method to impersonate an admin
account in order to be able to access a certificate or entry in the registry. However,
I always get the error
Persits.CryptoManager error '0x800a001c'
A required privilege is not held by the client.
A. Windows NT/IIS4: Most probably, your virtual directory has the "Run in separate memory
space" option checked. This causes Windows NT to disallow calling LogonUser
unless the user has the privilege "Act as Part of Operating System". You
have two options: disable "Run in separate memory space" for this virtual
directory, or grant this privilege to all the users of your application
such as IUSR_xxx (go to User Manager, select Policies/User Rights, check
"Show Advanced User Rights", select "Act as Part of Operating System",
and add the desired users). We recommend that you reboot after that.
Windows 2000/IIS5: Run Internet Services Manager.
Right-click your virtual directory and select "Properties".
On the "Virtual Directory" tab, set the "Application Protection" option to Low. If the option is disabled, click on the "Create" button first.
- Q204.
On a Windows 2000 server,
I am getting the error Object already exists
when calling OpenContext("containername", True ). How should I fix that?
A. It is a permission problem. See Knowledge Base article
Q246459
for a solution.
If your machine previously had Windows 2000 Beta 2 installed, you should apply
the procedure described in this KB article to the directory
%WINDIR%\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys
instead.
- Q205. Why is Server.CreateObject generating the error message
Server object error 'ASP 0177 : 8002801d'
Server.CreateObject Failed
Library not registered.
A. This error usually occurs because of tight security settings in the HKEY_CLASSES_ROOT section of the registry. To fix the error, run regedt32 and select the key
HKEY_CLASSES_ROOT\TypeLib\{B72DF063-28A4-11D3-BF19-009027438003}
From the Security menu, select Permissions. Add Everyone to the permission list and assign Full Control to the Everyone account. Make sure the settings propagate to the sub-keys as well.