Well. It seems the entire internet has never seen this error before.
I have a Windows Enterprise PKI infrastructure. I have made a copy of the CEP Encryption template and changed the security permissions on the template so that the machine account I am using has Read, Enroll, and Autoenroll permissions. I also, as a domain admin, have full permissions. I modified the template, changed the compatibility to Windows 8.1 / Server 2012 R2, and changed the Subject Name setting, which is set to "Supply in the request," to also include "Use subject information from existing certificates for autoenrollment renewal requests." Finally, I changed the Request Handling options to "Authorize additional service accounts to access the private key."
The goal is to request this certificate manually, the first time, then have it auto renew in the future.
Now, in the Certificate Management console of Windows Server 2016, I requested a new certificate, specified the subject name, and was able to complete the request successfully. The private key obtained the proper service account permissions. Then I tried to renew the certificate by right-clicking and choosing either of the options "Renew with same key" and "Renew with new key." Nothing is asked of me except to click Next.
Both fail with an error:
Enrollment error: "The specified file is read only." Any ideas?
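A diagnostic a practitioner would run before chasing this further, added here as an example that is not part of the original post: it locates the on-disk private key file behind the enrolled machine-store certificate and reports the file's read-only attribute together with its ACL (the accounts granted via "Authorize additional service accounts" should appear there). The thumbprint is a placeholder; the script assumes an RSA key in LocalMachine\My and Windows PowerShell 5.1 or later.

```powershell
# Added diagnostic (not from the original post): find the key file for a machine-store
# certificate and report its read-only flag and access list.
# Assumption: the certificate is identified by thumbprint; replace the placeholder.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no associated private key" }

# Resolve the key container's unique name. CNG keys expose it on the CngKey object,
# legacy CSP (CAPI) keys on CspKeyContainerInfo.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = $null
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not $keyName) { throw "Could not determine the key container name (non-RSA key?)" }

# Machine keys live under ProgramData; CNG and CAPI keys use different subfolders.
$keyFiles = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
) | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path -Path $_ }

if (-not $keyFiles) { throw "Key file '$keyName' not found in the machine key folders" }

foreach ($file in $keyFiles) {
    $item = Get-Item -Path $file -Force
    [pscustomobject]@{
        KeyFile  = $file
        # A read-only file attribute prevents the key container from being rewritten in place.
        ReadOnly = $item.IsReadOnly
        Access   = (Get-Acl -Path $file).Access |
                   ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))" }
    }
}
```

Run it from an elevated prompt, since the machine key folders are not readable by standard users.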