After a Windows Active Directory domain migration, users attempting to enroll for an X.509v3 native certificate receive the error message "0-Certificate Request Error: Please close out your web browser and try again. If problem persists, contact help desk for assistance".
Following the completion of a Windows Active Directory domain migration, users may no longer have the necessary privileges to their certificate store, preventing acceptance of a new certificate.
To resolve this issue, perform the steps below on the impacted workstations:
All of the certificates in the certificate store must be deleted to resolve the 0-Certificate Request Error issue. Any certificates you wish to retain need to exported before the instructions below are executed. For information on how to export a certificate, see the following Microsoft documents [Windows 7] [Windows XP].
1. Navigate to the Windows User Private Key Storage directory located at %APPDATA%\Microsoft\Crypto\RSA (for roaming profiles %APPDATA%\Roaming\Microsoft\Crypto\RSA).
2. Delete the contents of the directory inside which will have the name of the users SID (e.g. S-1-5-21-2807450274-1270290436-441385562-1183).
3. Ensure the permissions for the directory in step 1 are set properly for the user account.
Once the steps above are complete, have the user try enrolling for a certificate again.