DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

The option: "Yes, export the private key" is greyed out

Solution ID : SO1335
Last Modified : 11/01/2023


  • "Yes, export the private key" option is greyed out, after the Key/CSR pair has been generated.
  • Certificate installed with no errors, but cannot export the private key.
  • Cannot export my private key file. The option next to, "Yes, export the private key" is greyed out.'
  • Cannot backup the key because the option to, "Yes, export the private key" is greyed out.


This problem occurs because the System and Administrator accounts do not have sufficient permissions or the Administrators group does not have ownership of the directory %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.

Get top-of-the-line support tailored to your unique business needs.


You need to or have your Systems/Server Administrator reset the permissions on these key containers.

Note: In order to view these hidden files you must turn on the Display hidden files and folders option in Windows. To display hidden files and folders, perform the following steps:
  1. Click Start, point to Settings and then click Control Panel.
  2. Click Appearance and Themes, and then click Folder Options.
  3. On the View tab, under Hidden files and folders, click Show hidden files and folders.

To reset the permissions on these key containers use the following steps:

  1. Open Microsoft Windows 2000 Explorer.
  2. Locate the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
  3. There are several files located in this folder. Each file in this folder corresponds to a key container. Try to open each with Notepad.
  4. If you receive an Access Denied error message when you try to open a file, open the properties of the file, and then take ownership of it. Reassign the Administrator account Full access.
  5. Repeat step four for each file in this folder. You should then be able to start the System Attendant service.


Note: You must also ensure that the system account has full control of all of these files. If the System Attendant continues to not start, you may need to repeat this process on all of the domain controllers in the domain.


More information:

Note: The directory above assumes a clean install of Windows 2000. 

If you have a computer which was upgraded from Windows NT 4.0 then the directory is as follows:

%SystemRoot%\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys


The Windows 2000 server's key container does not have enough permission to modify the private key. The Server has been setup as a Domain Controller, which resets the default system level permissions to various areas of the server.

Some of this information was taken from a similar issue, found in Microsoft knowledge base article 280432 (previously known as Q280432).

Note: This solution applies windows 2000, windows xp, and Vista. Although for XP you need to configure file sharing following MS article: How to configure file sharing in Windows XP.