Import Certificate into User Trusted Root Certificate Store – How to Guide


When trying to import a certificate into the User trusted root certificate store we get the error:

“The import failed because the store was read-only, the store was full, or the store did not open correctly” (CertMgr error)

This appears to work for only one person in the organisation, who is a global admin, and does not work for anyone else in the organisation (including GAs). This did work prior to migrating from traditional on-prem AD to AzureAD.

We have also tried to drag and drop the certificate into CertMgr rather than simply importing it, and that did not work either; see the error here.

Other steps that we have tried are elevating the user to GA and to local admin, neither of which worked.

Running Windows 10, and AzureAD.

Best Answer

This is because of an applied GPO which prevents this. It is configured under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings, as shown below. When the selected checkbox is unchecked, the Trusted Root CAs store becomes read-only and is not used by the certificate chaining engine to build the chain.

If you are an administrator in your company, then you need to review the policy set (use rsop.msc or gpmc.msc) and identify which policy configures this setting. Update the policy as you need.

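Added example, not part of the answer above: a PowerShell check that reads the value this policy setting writes to the local machine and reports whether the user Trusted Root CA store has been made read-only. It assumes (the answer does not state this) that the setting is stored under HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots as a DWORD named Flags, with bit 0x1 meaning user-trusted root CAs are disallowed.

```powershell
# Assumed location of the "Certificate Path Validation Settings" policy data
# (not given on the page; taken from the Windows policy registry layout).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'

# Assumed meaning of bit 0x1 in Flags: "Allow user trusted root CAs to be used
# to validate certificates" is unchecked, so CurrentUser\Root is read-only.
$DisableUserRootsFlag = 0x1

function Get-UserRootStorePolicy {
    $present = Test-Path -Path $PolicyKey
    $flags = 0
    if ($present) {
        $item = Get-ItemProperty -Path $PolicyKey -Name Flags -ErrorAction SilentlyContinue
        if ($null -ne $item) { $flags = [int]$item.Flags }
    }
    [pscustomobject]@{
        PolicyKeyPresent  = $present
        Flags             = ('0x{0:X}' -f $flags)
        UserRootsReadOnly = (($flags -band $DisableUserRootsFlag) -ne 0)
    }
}

$policy = Get-UserRootStorePolicy
$policy | Format-List

if ($policy.UserRootsReadOnly) {
    # This is the state the answer describes: imports into CurrentUser\Root
    # fail with the "store was read-only" error until the GPO is changed.
    Write-Warning 'Policy marks CurrentUser\Root read-only; find the source GPO with rsop.msc or gpmc.msc.'
} else {
    'Policy does not disable user trusted root CAs on this machine.'
}
```

Run it on an affected workstation after a `gpupdate /force`; if the key is absent or the bit is clear but imports still fail, the cause lies elsewhere and the answer's GPO explanation does not apply to that machine.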