
Windows10 Professional 64-bit can not install CA certificate #104

Open
wickpwn opened this issue Jan 8, 2019 · 14 comments
Labels
help wanted Extra attention is needed Windows Requires Windows expert

Comments

@wickpwn

wickpwn commented Jan 8, 2019

C:\WINDOWS\system32>mkcert -install
Using the local CA at "C:\Users\pwn\AppData\Local\mkcert" ✨
ERROR: add cert: Failed adding cert: The access control list (ACL) structure is invalid.

I tried searching Google for related (ACL) issues, but did not find a suitable solution.

@modernist

+1. Running the tool with administrator privileges and setting the security permissions on the AppData\Local\mkcert folder does not help either.

@mdkozlowski

Same problem, both with binary built from source in Go 1.11.4 and on the pre-built binaries.

@adamdecaf
Contributor

cc @cretz Do you have any ideas?

@FiloSottile FiloSottile added the help wanted Extra attention is needed label Jan 8, 2019
@cretz
Contributor

cretz commented Jan 8, 2019

Hrmm, I haven't used the tool in a bit. I will investigate at some point this week. I wonder if a recent update caused this as I had used it with success many times on win 10 before.

@cretz
Contributor

cretz commented Jan 8, 2019

I am having trouble replicating on win10 pro. It works fine for me. Y'all's error message appears to be from CertAddEncodedCertificateToStore and my research says it is due to some registry ACLs. I see a post with suggestions on resetting some ACLs to fix it, but I can definitely understand a fear of blindly trusting it.

If I must I can give a tiny bit of Go code or C++ code or whatever that y'all can pass to MS since this seems to be a Windows error.

@cretz
Contributor

cretz commented Jan 8, 2019

If someone wants to try it since I cannot replicate, download SubInAcl, then run:

"c:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /keyreg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Click to see my output to compare

=======================================================================================
+KeyReg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
=======================================================================================
/control=0xc00 SE_DACL_AUTO_INHERITED-0x0400 SE_SACL_AUTO_INHERITED-0x0800
/owner             =system
/primary group     =system
/audit ace count   =0
/perm. ace count   =13
/pace =cryptsvc         ACCESS_ALLOWED_ACE_TYPE-0x0
        INHERITED_ACE-0x10
    Type of access:
        Full Control
    Detailed Access Flags :
        KEY_QUERY_VALUE-0x1        KEY_SET_VALUE-0x2          KEY_CREATE_SUB_KEY-0x4
        KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10            KEY_CREATE_LINK-0x20       DELETE-0x10000
        READ_CONTROL-0x20000       WRITE_DAC-0x40000          WRITE_OWNER-0x80000
/pace =cryptsvc         ACCESS_ALLOWED_ACE_TYPE-0x0
        CONTAINER_INHERIT_ACE-0x2      INHERIT_ONLY_ACE-0x8           OBJECT_INHERIT_ACE-0x1         INHERITED_ACE-0x10
    SubKey - Type of Access:
        Full Control
    Detailed Access Flags :

/pace =builtin\users    ACCESS_ALLOWED_ACE_TYPE-0x0
        INHERITED_ACE-0x10
    Type of access:
        Read
    Detailed Access Flags :
        KEY_QUERY_VALUE-0x1        KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
        READ_CONTROL-0x20000
/pace =builtin\users    ACCESS_ALLOWED_ACE_TYPE-0x0
        CONTAINER_INHERIT_ACE-0x2      INHERIT_ONLY_ACE-0x8           INHERITED_ACE-0x10
    SubKey - Type of Access:
        Special acccess : -Read
    Detailed Access Flags :
        GENERIC_READ-0x80000000
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
        INHERITED_ACE-0x10
    Type of access:
        Full Control
    Detailed Access Flags :
        KEY_QUERY_VALUE-0x1        KEY_SET_VALUE-0x2          KEY_CREATE_SUB_KEY-0x4
        KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10            KEY_CREATE_LINK-0x20       DELETE-0x10000
        READ_CONTROL-0x20000       WRITE_DAC-0x40000          WRITE_OWNER-0x80000
/pace =builtin\administrators   ACCESS_ALLOWED_ACE_TYPE-0x0
        CONTAINER_INHERIT_ACE-0x2      INHERIT_ONLY_ACE-0x8           INHERITED_ACE-0x10
    SubKey - Type of Access:
        Full Control
    Detailed Access Flags :

/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
        INHERITED_ACE-0x10
    Type of access:
        Full Control
    Detailed Access Flags :
        KEY_QUERY_VALUE-0x1        KEY_SET_VALUE-0x2          KEY_CREATE_SUB_KEY-0x4
        KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10            KEY_CREATE_LINK-0x20       DELETE-0x10000
        READ_CONTROL-0x20000       WRITE_DAC-0x40000          WRITE_OWNER-0x80000
/pace =system   ACCESS_ALLOWED_ACE_TYPE-0x0
        CONTAINER_INHERIT_ACE-0x2      INHERIT_ONLY_ACE-0x8           INHERITED_ACE-0x10
    SubKey - Type of Access:
        Full Control
    Detailed Access Flags :

/pace =creator owner    ACCESS_ALLOWED_ACE_TYPE-0x0
        CONTAINER_INHERIT_ACE-0x2      INHERIT_ONLY_ACE-0x8           INHERITED_ACE-0x10
    SubKey - Type of Access:
        Full Control
    Detailed Access Flags :

/pace =all application packages         ACCESS_ALLOWED_ACE_TYPE-0x0
        INHERITED_ACE-0x10
    Type of access:
        Read
    Detailed Access Flags :
        KEY_QUERY_VALUE-0x1        KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
        READ_CONTROL-0x20000
/pace =all application packages         ACCESS_ALLOWED_ACE_TYPE-0x0
        CONTAINER_INHERIT_ACE-0x2      INHERIT_ONLY_ACE-0x8           INHERITED_ACE-0x10
    SubKey - Type of Access:
        Special acccess : -Read
    Detailed Access Flags :
        GENERIC_READ-0x80000000
/pace =S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681     ACCESS_ALLOWED_ACE_TYPE-0x0
        INHERITED_ACE-0x10
    Type of access:
        Read
    Detailed Access Flags :
        KEY_QUERY_VALUE-0x1        KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
        READ_CONTROL-0x20000
/pace =S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681     ACCESS_ALLOWED_ACE_TYPE-0x0
        CONTAINER_INHERIT_ACE-0x2      INHERIT_ONLY_ACE-0x8           INHERITED_ACE-0x10
    SubKey - Type of Access:
        Special acccess : -Read
    Detailed Access Flags :
        GENERIC_READ-0x80000000


Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        0, Syntax errors        0
Last Done  : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates


That's just a guess, there are other registry keys that may be touched too. Based on that previous answer, if anyone having this problem is willing, please run the following and see if it fixes it:

"c:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators

and

"c:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators

@wickpwn
Author

wickpwn commented Jan 9, 2019

If someone wants to try it, since I cannot replicate, download SubInAcl, then run:

"c:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /keyreg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

Click to see my output to compare

That's just a guess; there are other registry keys that may be touched too. Based on that previous answer, if anyone having this problem is willing, please run the following and see if it fixes it:

"c:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators

"c:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators

Hello, I found this answer yesterday, but it still does not solve it. I checked the folder permissions and there is no problem. The problem has been submitted to Microsoft; I hope they can give a solution!

@wickpwn
Author

wickpwn commented Jan 11, 2019

Solution: Switch to the highest-privilege account, Administrator, to install successfully. You cannot switch to other accounts after installing under the highest account, as the certificate will still be invalid there; please ensure the system operates under the highest-privilege account.
IIS-related tutorial: https://medium.com/@aweber01/locally-trusted-development-certificates-with-mkcert-and-iis-e09410d92031
@cretz The SubInAcl you mentioned only supports the following systems: Windows 2000, Windows Server 2003, Windows XP

@swiftdv8

swiftdv8 commented Jan 11, 2019

@wickpwn solution is not working for me: I'm logged in as my admin account and running mkcert -install in an Admin Command Prompt and still getting

ERROR: add cert: Failed adding cert: The access control list (ACL) structure is invalid.

I've tried with a couple of different mkcert releases with the same result.

Please let me know if there is something I missed

@wickpwn
Author

wickpwn commented Jan 11, 2019

@wickpwn solution is not working for me: I am logged in as my admin account and running mcert -install in an Admin Command Prompt and still getting

ERROR: add cert: Failed adding cert: The access control list (ACL) structure is invalid.

I've tried a couple of different mkcert versions, with the same result.

Please let me know if I missed something.

Follow this procedure to solve it (https://answers.microsoft.com/zh-hans/windows/forum/all/%E5%AE%89%E8%A3%85ca%E8%AF%81%E4%B9%A6%E5%A4%B1/e23cc521-b3f7-4ac6-8519-b75a11b944ac)

@natiki

natiki commented Mar 14, 2019

FWIW #148 I used the Scoop install and then a regular user account and Powershell and had no issue. My user account is part of the administrator user group. No other changes needed.

@axi0m

axi0m commented Jun 14, 2019

I ran into the same error.

OS Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      18362  0

My workaround was to simply take the rootCA.pem file and import it, using the same Administrator PowerShell prompt I had open to install mkcert via choco, via the PowerShell cmdlet:

Import-Certificate -FilePath C:\Users\<redacted>\AppData\Local\mkcert\rootCA.pem -CertStoreLocation Cert:\LocalMachine\Root

@FiloSottile FiloSottile added the Windows Requires Windows expert label Aug 17, 2019
@rfay

rfay commented Nov 10, 2019

We run mkcert -install on both Win10 Pro and Win10 Home all the time, and most ddev Windows users do as well. Haven't heard of trouble. And it doesn't require admin privs either.

@aszalacinski

I am not getting a failure on mkcert -install, but the root CA was not installed into the local Trusted Root Certification Authorities store; manually importing the rootCA.pem did the trick. Is there more verbose logging that can be enabled?
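The following read-only PowerShell diagnostic is an added example, not mkcert code and not posted by anyone in this thread. It lists the ACEs and SDDL of the certificate-store registry keys cretz pointed at (so they can be compared with the subinacl output above without rewriting the ACLs of the whole HKLM hive), and then checks whether mkcert's rootCA.pem is actually present in LocalMachine\Root, which is the silent failure in the last two comments. It assumes the default CA path %LOCALAPPDATA%\mkcert\rootCA.pem and that the LocalMachine ROOT store is backed by the ROOT\Certificates key listed below.

```powershell
# Added read-only diagnostic (not mkcert's code). Assumption: mkcert keeps its CA at
# %LOCALAPPDATA%\mkcert\rootCA.pem and installs it into the LocalMachine ROOT store,
# whose registry backing is the ROOT\Certificates key; AuthRoot\Certificates is the key
# inspected with subinacl earlier in the thread, so both are listed for comparison.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates',
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
)

function Show-KeyAcl {
    param([string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL of ${Path}: $($_.Exception.Message)"; return }
    "== $Path"
    "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        # One line per ACE, comparable to subinacl's /pace entries: who, allow/deny, rights, inherited?
        '{0,-40} {1,-6} {2,-45} inherited={3}' -f $ace.IdentityReference, $ace.AccessControlType,
            $ace.RegistryRights, $ace.IsInherited
    }
    # SDDL is the form CryptoAPI ultimately has to parse; a damaged DACL is visible here.
    "SDDL: $($acl.Sddl)"
}

foreach ($k in $keys) { Show-KeyAcl -Path $k }

# Confirm whether the mkcert root actually landed in LocalMachine\Root: the case where
# -install reports no error but the CA is still missing from the Trusted Root store.
$caFile = Join-Path $env:LOCALAPPDATA 'mkcert\rootCA.pem'
if (-not (Test-Path $caFile)) {
    "No rootCA.pem at $caFile; run mkcert -install once to create the CA"
    return
}
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caFile
$match = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if ($match) { "mkcert root CA present in LocalMachine\Root: $($ca.Subject) ($($ca.Thumbprint))" }
else        { "mkcert root CA NOT in LocalMachine\Root; Import-Certificate -FilePath $caFile -CertStoreLocation Cert:\LocalMachine\Root (elevated) adds it" }
```

Run it from an elevated prompt so both registry keys and the machine store are readable; it changes nothing, so it is safe to run before deciding whether any ACL repair is needed.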
