Installation of a certificate authority certificate fails with error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

  • A certification authority (Enterprise Certification Authority) integrated into Active Directory is installed.
  • Delegated permissions are used to install the certification authority, i.e. the installing user is not a member of the Enterprise Admins group.
  • After the certification authority certificate is issued by the parent certification authority, it is installed to complete the role configuration.
  • The installation of the certificate authority certificate fails with the following error message:
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Cause

This error occurs when the installing user has no write permission on the NTAuthCertificates object of the Active Directory forest (CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Configuration partition).

The certification authority certificate is written to this object when it is installed. Even if it is removed from there again immediately afterwards, this step cannot be skipped. Certification authorities listed in NTAuthCertificates are trusted for domain logon (smart card, PKINIT), which is why writing to this object is restricted.
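The following PowerShell script is an added example and not part of the original article; it checks who is allowed to write to the NTAuthCertificates object before the certification authority certificate is installed, and can optionally grant "Write all properties" to the delegated installer group. It requires the ActiveDirectory module (RSAT); the group name CONTOSO\CA-Installers is a placeholder, and the choice of WriteProperty as the right to grant is an assumption of this example.

```powershell
# Added example (not from the original article). Lists principals with write
# access on NTAuthCertificates and optionally grants WriteProperty to a group.
param(
    [string]$Grantee = 'CONTOSO\CA-Installers',   # placeholder delegated installer group
    [switch]$Apply                                # without -Apply only report
)

Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"

# The AD: drive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$ntAuthDn"

# Any of these rights lets a principal modify the object's attributes
# (the CA certificate ends up in the cACertificate attribute).
$writeRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -bor
               [int]([System.DirectoryServices.ActiveDirectoryRights]::GenericWrite)  -bor
               [int]([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

"Write access on $ntAuthDn :"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $writeRights) -ne 0
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

if (-not $Apply) {
    "Re-run with -Apply to grant WriteProperty to $Grantee."
    return
}

# Grant "Write all properties" on the object to the delegated installer group.
$identity = New-Object System.Security.Principal.NTAccount($Grantee)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ntAuthDn" -AclObject $acl
"Granted WriteProperty on NTAuthCertificates to $Grantee."
```

Run it once without -Apply to see the current ACL, and grant the right to a dedicated group rather than to an individual account; remove the entry again after the certification authority has been installed, since write access to this object is effectively the ability to make a certification authority trusted for domain logon.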

Follow-up error: duplicate certification authority certificate

If you run into the error, you have to go through the installation of the certification authority certificate again. Unfortunately, this causes the certificate to be entered into the certification authority configuration more than once, and the certification authority service then refuses to start with the error code ERROR_INVALID_DATA (0x8007000D, WIN32: 13).

To resolve this, the duplicate entries must be removed from the CACertHash value (a REG_MULTI_SZ with one SHA-1 thumbprint per certification authority certificate) under the following registry key:

HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-certification authority}

Keep exactly one entry per certificate and preserve the order of the remaining entries; the position of a thumbprint in this list is the index the certification authority uses for that certificate.

Afterwards, the certification authority service must be restarted.

Note that C:\Windows\System32\CertSrv\CertEnroll will also contain two copies of the same certification authority certificate.
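The following PowerShell script is an added example and not part of the original article. It removes duplicate thumbprints from CACertHash while keeping the first occurrence and the original order, exports the key as a backup before writing, restarts CertSvc, and reports duplicate certificate files in CertEnroll. It assumes the certification authority name can be read from the "Active" value under the Configuration key (where certsrv stores it) and that the script runs as a local administrator on the certification authority server.

```powershell
# Added example (not from the original article). Cleans duplicate CACertHash
# entries after a repeated CA certificate installation and restarts the CA.
param([switch]$Apply)   # without -Apply only report what would change

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# Assumption: the "Active" value holds the common name of the local CA.
$caName = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey  = Join-Path $configKey $caName

# CACertHash is a REG_MULTI_SZ: one SHA-1 thumbprint per CA certificate,
# in installation order (index 0 = original certificate, 1 = first renewal, ...).
$hashes = @((Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash)

# Normalise for comparison (ignore spacing and case) and keep the first occurrence only,
# so the index of every remaining certificate is preserved.
$seen   = @{}
$unique = @(foreach ($h in $hashes) {
    $key = ($h -replace '\s', '').ToUpperInvariant()
    if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $h }
})

"CA: $caName"
"CACertHash before ($($hashes.Count) entries):"
$hashes | ForEach-Object { "  $_" }
"CACertHash after  ($($unique.Count) entries):"
$unique | ForEach-Object { "  $_" }

# CertEnroll also ends up with two files for the same certificate; report them
# grouped by thumbprint (removing the spare file is left to the administrator).
$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
Get-ChildItem -Path $certEnroll -Filter '*.crt' |
    ForEach-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName
        [pscustomobject]@{ Thumbprint = $c.Thumbprint; File = $_.Name }
    } |
    Group-Object -Property Thumbprint |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Duplicate files in CertEnroll for $($_.Name): $($_.Group.File -join ', ')" }

if ($unique.Count -eq $hashes.Count) { "No duplicate CACertHash entries found."; return }
if (-not $Apply) { "Re-run with -Apply to write the cleaned value and restart CertSvc."; return }

# Export the CA's configuration key before changing it.
$backup = Join-Path $env:TEMP ("CertSvc-{0}-{1:yyyyMMddHHmmss}.reg" -f ($caName -replace '[^\w]', '_'), (Get-Date))
& reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $backup /y | Out-Null
"Backup written to $backup"

Set-ItemProperty -Path $caKey -Name CACertHash -Value ([string[]]$unique) -Type MultiString
Restart-Service -Name CertSvc
Get-Service -Name CertSvc | Select-Object Name, Status
```

Run the script without -Apply first and compare the "before" and "after" lists against the certificates in the certification authority's own certificate store (certutil -store "{Common-name-of-certification authority}") before writing anything; if the service still fails to start, the exported .reg file restores the previous state.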
