Environment
Situation
When running the aspnet_regiis utility, an error is reported: Failed to open certificate key, check the ACL on the RSA folder.
The Security Manager install log reports an error: ERROR Communication.InstallCertificate: Failed to install the certificate: SelfSignedCertificate::Create: failed to create the self-signed certificate: 'Error opening key container 'NetIQ Security Manager': The handle is invalid.
Resolution
To update the certificate, the local Administrators group on the Central Computer (CC) must have Full Control permissions on the following Windows 2003 folders:
..\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
..\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machine Keys
To update the certificate, the local Administrators group on the CC must have Full Control permissions on the following Windows 2008 folders:
..\Progdata\All Users\Application Data\Microsoft\Crypto\RSA
..\Progdata\All Users\Application Data\Microsoft\Crypto\RSA\Machine Keys
It might also be necessary to use a Windows account that is a member of the local Administrators group on the local machine to take ownership of the folders before modifying the permissions.
After changing the permissions, rerun the following command from the Command Prompt interface (CMD):
<Path to .NET Framework install on local drive of the CC>\aspnet_regiis -pa "NetIQ Security Manager" "<Domain>\<Security Manager Service Account>"
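Before rerunning the command, the folder permissions can be verified with a short PowerShell check. This is an added example, not NetIQ code; the function name Test-RsaFolderAcl and its -Path parameter are hypothetical, and it assumes PowerShell 2.0 or later on the CC. Pass it the two RSA folders listed above for your operating system.

```powershell
# Added example (not part of the NetIQ product): report whether the local
# Administrators group has an Allow/Full Control entry on each RSA folder.
function Test-RsaFolderAcl {
    param([string[]]$Path)   # hypothetical parameter: folders from the Resolution section

    $adminSid    = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($folder in $Path) {
        if (-not (Test-Path -Path $folder -PathType Container)) {
            Write-Warning "Folder not found: $folder"
            continue
        }
        try {
            $acl = Get-Acl -Path $folder -ErrorAction Stop
        } catch {
            # An access-denied error here usually means ownership must be taken first.
            Write-Warning "Cannot read ACL on ${folder}: $($_.Exception.Message)"
            continue
        }

        # Resolve every entry to a SID so the check does not depend on localized group names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $admin = @($rules | Where-Object { $_.IdentityReference.Value -eq $adminSid })

        # Allow entries that apply to the folder itself (not inherit-only) with Full Control.
        $allow = @($admin | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            "$($_.PropagationFlags)" -notmatch 'InheritOnly' -and
            (([int]$_.FileSystemRights -band $fullControl) -eq $fullControl)
        })
        # Any Deny entry for the group can override the Allow entry.
        $deny = @($admin | Where-Object { $_.AccessControlType -eq 'Deny' })

        New-Object PSObject -Property @{
            Folder            = $folder
            Owner             = $acl.Owner
            AdminsFullControl = ($allow.Count -gt 0)
            AdminsDenyAce     = ($deny.Count -gt 0)
        } | Select-Object Folder, Owner, AdminsFullControl, AdminsDenyAce
    }
}

# Usage (placeholders, substitute the full folder paths from the Resolution section):
# Test-RsaFolderAcl -Path '<RSA folder>', '<RSA\Machine Keys folder>'
```

A folder that reports AdminsFullControl as False, or AdminsDenyAce as True, still needs the permission change described above.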
Cause
During the install process, the Windows installer for Security Manager attempts to install a self-signed certificate in the local machine certificate store on the Central Computer. This error can occur during an uninstall and subsequent reinstall of the NetIQ Security Manager Central Computer software.
Additional Information
The SM installer also requires that the installing user and the service account are both members of the local Administrators group on the CC.
For more information on certificates and their storage location, see the following Microsoft article:
http://msdn.microsoft.com/en-us/library/bb204778(VS.85).aspx
For more information regarding the aspnet_regiis utility and certificates, see NetIQ article NETIQKB42271.