Wednesday, January 9, 2008

makecert.exe error: Can't create the key of the subject

I hit a snag while trying to create a certificate for WCF work today. I was following directions on another blog, but every time I tried to create the certificate I would get this error:

Can't create the key of the subject ('<some guid>')

Each time I tried, the GUID would change.

I'm not sure why it is happening, but I did find a workaround. The directions I was following were to create the certificate in the "LocalMachine" certificate store using the following command:

makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=Client -sky exchange -pe

After some trial and error I discovered I was able to create the certificate in the current user store instead using the following command:

makecert.exe -sr CurrentUser -ss MY -a sha1 -n CN=Client -sky exchange -pe

I thought I would post this message to hopefully save others the effort.
Note to the makecert developers: Please provide more useful error messages.

UPDATE:
I discovered the source of the problem! For some reason, I did not have the appropriate permissions to the directory where the certificates are stored. If you are getting the same error that I was getting, try granting your account (or the admin group, etc.) full control permission to the following directory:

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

For more information, see Microsoft KB article Q278381

4 comments:

Naziya Khan said...

Thanks! your post helped me for sure !

Unknown said...

Thanks!
I had exactly the same Problem - creating a certificate for WCF service.
Your post saved me hours for searching!

BTW, yesterday makecert put the newly generated certificates into directory "C:\Users\gz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-452922241-2776708937-1870220006-1000", today it put the certificate into "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" - strange, thats why yesterday it worked well but today not. -
Again thanks for your post
(I use Win7RC.)

Placebo said...

Running your command prompt as administrator, can remedy this problem aswell.. man this stuff takes some patience :-)

Michael said...

Saved me. Thanks.

Makecert sure could use some decent error messages...