Skip to main content

Why is the option to export my Certificate private key greyed out?

Applies to

Microsoft IIS 5.0, 5.1, 6.0, 7.0, 7.5 (Windows 2003 R2, Windows 2008 and Windows 2008 R2)


When trying to perform an export function using Windows Certificate Snap In from the MMC the option to include the private key is 'greyed' out.


You need to or have your Systems/Server Administrator reset the permissions on pertinent key containers.


In order to view these hidden files you must turn on the Display hidden files and folders option in Windows

1. Click Appearance and Themes, and then click Folder Options.

2. On the View tab, under Hidden files and folders, click Show hidden files and folders.

How to reset permissions

1. Open Microsoft Windows Explorer.

2. Locate the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder for Windows 2003 or %SystemDrive%\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys for Windows 7 and 2008, 2008R2.

3. There are several files located in this folder. Each file in this folder corresponds to a key container. Try to open each with Notepad.

4. If you receive an Access Denied error message when you try to open a file, open the properties of the file, and then take ownership of it. Reassign the Administrator account Full access.

Repeat step 4 for each file in this folder. You should then be able to start the System Attendant service.


You must also ensure that the system account has full control of all of these files.