mkcert failed adding cert: Access is denied.

[davidsiagian]

Hi, I tried to use mkcert on Windows. However when I use mkcert -install, it is failed because access is denied. I dont know the problem because I use cmd as administrator.

[Strandedpirate]

On windows mkcert -install must be executed under elevated Administrator privileges. Open the command prompt as Administrator and try again.

[arafel]

Hi From the image it doesn't look like that cmd is being run as admin; did you right-click on the "command prompt" entry in the menu and choose "run as administrator"? When I do that, it looks like the image attached - note the "Administrator:" in the window title.

[davidsiagian]

@arafel @Strandedpirate Hi, thanks for your respond. My bad, I forgot to give image with cmd run as administrator. I couldn't find any source with help.

[julian-code]

I have the same issue.

[jbleyaert]

I also have this issue.

[Alcadramin]

same

[fabianberisha]

same

[verfault]

i have this issue too.

[adem]

Looks like this is a permission issue with the keys stored in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. When I try to modify the permissions of the parent folder to give the administrator full control for not just the folder, but also its sub-items, I get the following similar error: I haven't been able to resolve the situation yet. I even deleted the files altogether and rebooted, to no avail.

[adem]

Workaround

Until more is known about this issue, you can use the following workaround to install the CA:

1. Press Windows+R and run certmgr.msc
2. Right-click on Trusted Root Certification Authorities > All Tasks > Import... (At this point, the Store Location was greyed out, and Current User was preselected for me)
3. Click Browse... > point it to the rootCA.pem file usually located in %localappdata%\mkcert > Next. When in doubt, double-check the output of mkcert -install to find out the root CA path.
4. Select Place all certificates in the following store > Browse... > Check Show physical stores > Expand Trusted Root Certification Authorities > Select Local Computer > OK > Next > Finish
5. The message The import was successful. should appear > Click OK
6. Verify that your CA is recognized:

Note

If you don't explicitly select the physical store Local Computer, you'll very likely run into the following error message, so make sure not to skip that part. This might be linked to the mkcert -install issue we run into.

[cheslijones]

I have a similar issue. I was able to mkcert -install, but now I'm unable to do anything related to mkcert:

[rfay]

@cheslijones that's mkcert being unable to reaad the CA that's in your own home directory. You need to change the permissions on that directory (AppData\Local\mkcert, or consider deleting the whole directory and doing mkcert -install again. Or is C:\Users\work possibly another user's homedir?

[cheslijones]

Ok, l deleted and retried which worked. That is my homedir.

[LichLord91]

Until #453 is merged I created a PowerShell script a while back that'll install the RootCA certs for you and replace it if the thumbprints are different/tell you if its already installed. Feel free to use if it if its to your liking. Just run it in the same directory as the rootCA pem files

Gist link

[bstiffler582]

I was able to resolve this by adding the mkcert executable to the exclusions list in Windows Defender.