Articles in Root

Server Certificate option is Greyed Out in IIS Directory Security


When you try to generate a certificate signing request (CSR) using IIS, the "Server Certificate" button is greyed out.



There are two main reasons why the "Server Certificate" button is greyed out.  Both solutions are shown below in the order you should try them.

Solution 1 - Make sure it is the Properties of the top level website

In IIS, you must make sure that you are at the top level website.  This can usually be denoted by its Website Globe symbol in IIS.  You cannot create an SSL certificate for the (folder) or the IIS Virtual Directory(virtual directory) as they fall underneath the website.

Solution 2 - Register the Xenroll.dll

The Xenroll.dll file is not properly registered.  On Windows servers, Xenroll.dll is located in the \Winnt\System32 directory.  The steps below explain how to register Xenroll.dll.

  1. Open Windows Explorer and navigate to the C:\WINDOWS\system32.  Once there, locate the file, Xenroll.dll.
  2. Leave the Windows Explorer window open for now and click Start and click Run.  In the entry field, type in Regsvr32 into the text box.
  3. Once Regsvr32 is typed in, go back to the Windows Explorer window and drag and drop the Xenroll.dll file into the Run field.  It should then look something like Regsvr32 C:\WINDOWS\system32\xenroll.dll
  4. Click ok and you shoudl get a window that says, "DllRegisterServer in C:\Windows\system32\xenroll.dll succeeded."

If registering the Xenroll.dll file does not resolve the issus, then you will also have to register the following additional files using the same steps as above.

  • C:\WINDOWS\system32\inetsrv\certmap.ocx
  • C:\WINDOWS\system32\inetsrv\certwiz.ocx

After you have done any of the steps mentioned above, you will need to close the IIS Properties window, and then open the properties for the Web site you want to create a CSR for.  Verify that you can create a certificate request.