Assume the following scenario:
- A certification authority (Enterprise Certification Authority) integrated into Active Directory is installed.
- Delegated permissions are used to install the certificate authority. Thus, the installing user is not a member of the Enterprise Administrators group.
- After the certification authority certificate is issued by the parent certification authority, it is installed to complete the role configuration.
- The installation of the certificate authority certificate fails with the following error message:
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Cause
This error occurs when the installing user does not have write permission to the NTAuthCertificates object in the Active Directory forest.
The certification authority certificate is written to this object as part of the installation. Even if it is removed from the object again immediately afterwards, this step cannot be skipped.
Follow-up error: duplicate certification authority certificate
If you run into this error, you will have to go through the process of installing the certification authority certificate again. Unfortunately, this causes the certificate to be entered into the certification authority configuration multiple times, and the certification authority service will then refuse to start with the error code ERROR_INVALID_DATA.
To remove the multiple instances, the duplicate entries must be removed from the CACertHash registry value. This is located in the following location:
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-certification authority}
Duplicate entries must be removed.
Afterwards, the certification authority service must be restarted.
Please note that there will also be two copies of the same certification authority certificate under C:\Windows\System32\CertSrv\CertEnroll.
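The following PowerShell script is an added example and not part of the original article: it reads the CACertHash value of the certification authority, reports duplicate thumbprints and, with -Apply, rewrites the value with each thumbprint kept once. It assumes the certification authority name can be read from the "Active" value under the Configuration key; pass -CaName if that is not the case.

```powershell
# Added example (not from the original article): detect and remove duplicate
# thumbprints in the CACertHash value of a certification authority.
# Assumption: the CA common name is read from the "Active" value under
# Configuration; pass -CaName to override. Run elevated; -Apply writes changes.
param(
    [string]$CaName,
    [switch]$Apply
)

$configKey = 'HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration'
if (-not $CaName) {
    $CaName = (Get-ItemProperty -Path $configKey -Name Active).Active
}
$caKey = Join-Path $configKey $CaName

# CACertHash is a REG_MULTI_SZ; each entry is the SHA-1 thumbprint of one CA certificate
$hashes = @((Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash)

# Compare thumbprints with whitespace removed and case folded; keep the first occurrence
$seen = @{}
$unique = @()
$duplicates = @()
foreach ($h in $hashes) {
    $norm = ($h -replace '\s', '').ToLowerInvariant()
    if ($seen.ContainsKey($norm)) { $duplicates += $h; continue }
    $seen[$norm] = $true
    $unique += $h
}

Write-Host "CA '$CaName': $($hashes.Count) CACertHash entries, $($duplicates.Count) duplicate(s)"
$duplicates | ForEach-Object { Write-Host "  duplicate: $_" }

if ($duplicates.Count -gt 0 -and $Apply) {
    # Save the original value before rewriting so the change can be reverted
    $backup = Join-Path $env:TEMP "CACertHash-backup-$(Get-Date -Format yyyyMMddHHmmss).txt"
    $hashes | Set-Content -Path $backup
    Set-ItemProperty -Path $caKey -Name CACertHash -Value $unique -Type MultiString
    Write-Host "Rewrote CACertHash ($($unique.Count) entries); backup at $backup. Restart CertSvc now."
}
```

Run it first without -Apply to review the duplicates it found; the duplicate certificate files under C:\Windows\System32\CertSrv\CertEnroll are not touched by the script.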
Related links:
- Editing the NTAuthCertificates object in Active Directory
- Removing old certification authority certificates from the configuration of a certification authority
- The certification authority service does not start and throws the error message "The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)".