000036856 - Unable to access client certificate, or failed to read its private key in RSA NetWitness Endpoint

Document created by RSA Customer Support Employee on Oct 23, 2018
Version 1

Article Content

Article Number
000036856

Applies To
RSA Product Set: NetWitness Endpoint
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.4.x, 4.3.x, 11.x
Platform: Windows
Issue
Creating an agent requires the agent certificates during the installation process. If there is a problem with the listed certificates, such as the private key not being exportable, the following error is seen when clicking Generate Agent:
"Unable to access client certificate, or failed to read its private key"

Cause
This error is caused either by certificate permission issues or, much more likely, by the certificates having been imported into the Private certificates store without the private keys of the two certificates (the Client and Server certificates) being marked as exportable.

The Agent Packager needs the private key to be exportable so the agent can properly validate itself to the server; without this, the packager cannot generate an agent. To check whether the private key is exportable:
  1. Go to Run in Windows and type MMC.
  2. Select File > Add/Remove Snap-In and select Certificates.
  3. Click Add > Computer Account > Next > Finish > OK.
  4. Expand Certificates.
  5. Right-click the client/agent certificate and select All Tasks > Export.
  6. Select Next and you will see two options: "Yes, export the private key" or "No, do not export the private key".
NOTE: If "Yes, export the private key" is greyed out, the certificate was imported WITHOUT SELECTING TO ENABLE EXPORTING THE PRIVATE KEY. This is a critical step when generating and importing the certificate initially, and is important when updating and replacing the certificate as well.


The fix for this is to import the certificate correctly. The certificate needs to be in .pfx format. To import it, go into MMC:

  1. Select the Private folder and right-click > All Tasks > Import.
  2. Browse to the folder and select the .pfx file for the Agent certificate, and then repeat this for the Server certificate.
  3. During the import, after selecting Next, there is a check box labeled: "Mark this key as exportable. This will allow you to back up or transport your keys at a later time." This part is critical; it will not work without this being checked. Select Next and Finish.
Now when you check the exportable attribute, it should not be greyed out, as seen in the steps performed earlier. Once this is true for the two certificates, no further issues in generating the agents should be seen, which can be verified by clicking Test Connection in the Agent Packager.
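
The exportability check and the corrected import described above can also be done from PowerShell. This is an added example, not RSA's tooling: the function names and the .pfx path are hypothetical, and it assumes the certificates are in the local computer store addressed as Cert:\LocalMachine\My.

```powershell
# Added example: report whether each certificate's private key is exportable.
# Assumption: the certificates are in the local computer store Cert:\LocalMachine\My.
function Get-KeyExportability {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert  = $_
        $state = 'NoPrivateKey'
        if ($cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the export policy is a flags value on the underlying CngKey.
                    $allow = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                             [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
                    $state = if (([int]$key.Key.ExportPolicy -band $allow) -ne 0) { 'Exportable' } else { 'NotExportable' }
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: the container info carries the exportable flag.
                    $state = if ($key.CspKeyContainerInfo.Exportable) { 'Exportable' } else { 'NotExportable' }
                } else {
                    # Non-RSA key or a provider this example does not inspect.
                    $state = 'Unknown'
                }
            } catch {
                # Typical when the account cannot read the key container (permissions cause).
                $state = 'KeyAccessDenied'
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            PrivateKey = $state
        }
    }
}

# Re-import a .pfx with the key marked exportable (the "Mark this key as exportable" check box).
function Import-ExportablePfx {
    param(
        [Parameter(Mandatory)][string]$PfxPath,   # e.g. 'C:\certs\agent.pfx' (placeholder path)
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $pfxPassword = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath `
        -Password $pfxPassword -Exportable
}

Get-KeyExportability | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. A result of KeyAccessDenied points to the permissions cause rather than the exportable flag.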