Err Msg: Internet Explorer Was Unable to Import This Certificate

ID: Q182054

The information in this article applies to:

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SYMPTOMS

When you attempt to import a digital certificate into Internet Explorer from another browser, you may receive the following error message:

   Internet Explorer was unable to import this certificate.

CAUSE

This error message can occur if you are attempting to import a 1024-bit key (high grade) or greater digital certificate, and you are not running the 128-bit version of Internet Explorer.

RESOLUTION

To resolve this behavior, upgrade to the 128-bit version of Internet Explorer. To obtain the 128-bit Internet Explorer Upgrade, please visit the following Microsoft Web site:

   http://www.microsoft.com/ie/download/?/ie/download/128bit.htm

MORE INFORMATION

The 128-bit Internet Explorer Upgrade installs the Rivest-Shamir-Adleman (RSA) certificate provider. With the RSA certificate provider, you can import high grade digital certificates into Internet Explorer in PFX format.

Without the 128-bit upgrade, you can import only 512-bit key (low grade) digital certificates into Internet Explorer.

Additional Information

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

Note that this behavior can also occur if a previously exported 1024-bit key (high-grade) is improperly imported into a different system.

When this occurs, the 128-bit Cryptographic Service Provider (CSP) is not registered as the default provider. An attempt to import the 1024-bit certificate onto a 1024-bit system fails because the import calls the default 512-bit base (exportable) provider, which does not accept strong cryptographic key sizes (>512 bit).

To correct this problem, change the following registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001

      Name = "Microsoft Base Cryptographic Provider v1.0"

      to

      Name = "Microsoft Enhanced Cryptographic Provider v1.0"

This behavior can also occur if the user key for the certificate you are trying to import already exists in the following registry key:

   HKEY_CURRENT_USER\Software\Microsoft\Cryptography\UserKeys

To work around this behavior, delete the appropriate user key in the above registry key.

Additional query words: 4.00 4.01

Keywords          : kbenv kberrmsg msiew95 msient msiew98 
Version           : WINDOWS:
Platform          : WINDOWS
Issue type        : kbprb

Last Reviewed: March 20, 1999