Monday, January 21, 2013

"Fail to create SQL Server Certificate" during installation

When installing ConfigMgr 2012 SP1 on SQL Server 2012 with Cumulative Update 2 installed, the following error can be shown: "Fail to create SQL Server Certificate, ConfigMgr installation cannot be completed".

The log file shows the following errors:
  • Failed to create machine certificate on server <ConfigMgr FQDN>
  • Failed to create certificate on server <ConfigMgr FQDN>
  • Failed to create SQL Server <ConfigMgr FQDN> certificate remotely 

I had not seen an error like this before. Prerequisites were all fine. Why is this error shown during installation? Looking on MS TechNet I found the following post: "SCCM 2012 won't install due to SQL Server Certificate"

Make sure the following is configured:
  • The account used for the installation and the computer account of SCCM2012 must be members of the local Administrators group on SCCMDB2012 and also need sysadmin rights in SQL.
  • Configure the SQL services to run under a domain user account rather than as Local System or Network Service. Running SQL under a domain user follows MS best practices.
  • If the installation has already failed, delete the registry key that was generated during the installation of SCCM (HKLM\SOFTWARE\Microsoft\SMS).

After following the steps above, run setup again. This time "Generating public key and SQL Server certificate" should not give an error anymore.
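
A read-only pre-flight check for the points listed above, added here as an example (it is not from the original post or the TechNet thread). The account names are constructed samples, and the `MSSQLSERVER` service name and `localhost` target are assumptions for a default instance; run it elevated on the SQL Server host as a login that is already sysadmin.

```powershell
# Added example: reports only, changes nothing. Replace the sample values with your own.
param(
    [string[]]$Accounts   = @('CONTOSO\sccm-install', 'CONTOSO\SCCM2012$'),  # constructed sample names
    [string]  $SqlService = 'MSSQLSERVER',                                   # assumed default-instance service
    [string]  $SqlServer  = 'localhost'
)

# 1. Direct members of the local Administrators group (nested groups are not expanded).
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'      # WinNT://DOM/name -> DOM\name
}

# 2. sysadmin role membership, asked of SQL Server itself.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Integrated Security=SSPI"
$conn.Open()
try {
    foreach ($acct in $Accounts) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
        [void]$cmd.Parameters.AddWithValue('@login', $acct)
        $result = $cmd.ExecuteScalar()          # 1, 0, or DBNull when the login is unknown
        [pscustomobject]@{
            Account    = $acct
            LocalAdmin = $admins -contains $acct
            SysAdmin   = ($result -is [int]) -and ($result -eq 1)
        }
    }
} finally { $conn.Close() }

# 3. Service logon account: built-in and local identities are what the post says to avoid.
$svc = Get-CimInstance Win32_Service -Filter "Name='$SqlService'"
if ($svc) {
    [pscustomobject]@{
        Service       = $svc.Name
        LogonAccount  = $svc.StartName
        DomainAccount = $svc.StartName -notmatch '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\|\.\\)'
    }
} else { Write-Warning "Service '$SqlService' not found on this machine." }

# 4. Leftover key from a failed setup run (check this on the machine where setup was run).
$key = 'HKLM:\SOFTWARE\Microsoft\SMS'
[pscustomobject]@{ Key = $key; Present = Test-Path $key }
```

The `LogonAccount` value also shows which domain the SQL service account belongs to, which is the detail the comments below turn on.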


  1. This issue can also be due to the following scenario: root domain, child domain, CAS running in root domain with remote SQL and root domain accounts for SQL services;
    child domain trying to install a primary over Windows 2012 R2 and SQL 2013 Standard 2102, SQL running root domain accounts. ERROR: Failed to create machine certificate on server. Solution: create and run SQL services with child domain accounts instead of root domain accounts.

    1. Your suggestion helped me, thank you!

      My issue was our SQL services were configured to use domain accounts from Domain B while I was working in Domain A. Despite there being a trust in place, it would fail each time until I configured the services to run as domain accounts from Domain A.

  2. I am trying to install an SCCM CB (1606--using an eval from the Technical Evaluation Center) copy. My CAS is in the forest root domain. I had a stand-alone primary site in the forest root, but expanded the CAS to include it. ALL went fine.

    Then I tried to add another child primary to the CAS in the forest root from a child domain. Now I repeatedly got the error, even after doing all the steps Henk suggested.

    So, I did what V-Juanm said. It worked!!! I had previously run the SQL Server service on the forest root SQL admin account. I created a child domain SQL Admin account, and then changed it to run the new primary (in the child domain) SQL Service. That did it.