help with TLS certificates for Samba4 - Samba
-
help with TLS certificates for Samba4
I'm hoping someone on the list can help me work out some issues with
the automated TLS certificate generation in Samba4.
I have now generalised the tls code in Samba4, so we have a lib/tls/
subsystem that is used by both our internal LDAP code (both client and
server) and our internal web server.
As I have mentioned previously, sites that have real certificates will
be able to use those, but smbd will auto-generate self-signed
certificates for sites that don't.
Most recently I have been trying to test our ldb tools using ldaps
against a w2k3 server. To do that I need to install a certificate on
w2k3 for the windows LDAP server to use. If I don't have a certificate
installed on w2k3 then I get the following in the event log:
LDAP over Secure Sockets Layer (SSL) will be unavailable at this
time because the server was unable to obtain a certificate.
So, I would like to install the certificates that have been
auto-generated by smbd into a w2k3 server. To do that I have run:
openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem \
-name "Samba" -out samba.p12
Then double-clicked on the samba.p12 in windows. That launches the
certificate install wizard. Unfortunately it gives me an error like
this:
An internal error occurred. This can be either the user profile is
not accessible or the private key that you are importing might
require a cryptographic service provider that is not installed on
your system.
I suspect one of the following possible problems:
1) w2k3 cannot handle certificates generated by gnutls.
2) I am not passing some mandatory option to gnutls when generating
the certificate, and thus end up leaving off some important
attribute in the generated certificate.
3) the conversion to a p12 file using openssl is broken.
I have placed the certificates and generated p12 files in
http://samba.org/~tridge/tls/ and I would greatly appreciate it if
someone more knowledgeable about TLS certificates on windows than I am
could take a look at them and see if they can spot the problem. The
password on the p12 file is "samba".
Cheers, Tridge
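The conversion step in the post, with a check of the resulting bundle before it goes anywhere near a Windows import wizard, as an added example: this is not Samba's lib/tls code and not the files under the URL above. It uses openssl to stand in for the self-signed certificate smbd auto-generates, builds the .p12 the same way the post does, then reopens the bundle and confirms the key matches the certificate and that the certificate carries the attributes an LDAPS server cert needs. The hostname, password and scratch directory are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Samba's lib/tls code): generate a self-signed server
# certificate with openssl, standing in for the one smbd auto-generates,
# bundle it into PKCS#12 the way the post does, and sanity-check the bundle
# before handing it to a Windows import wizard, whose error messages say
# little about what is actually wrong.
set -eu

# Illustrative assumptions: hostname, bundle password and scratch directory.
HOST_FQDN=${HOST_FQDN:-dc1.example.test}
P12_PASS=${P12_PASS:-samba}
WORK=${WORK:-$(mktemp -d)}

make_self_signed() {
  # A TLS server cert needs more than a subject: CA:FALSE, a serverAuth EKU
  # and a SAN carrying the name LDAPS clients will connect to.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=$HOST_FQDN" \
    -addext "subjectAltName=DNS:$HOST_FQDN" \
    -addext "basicConstraints=CA:FALSE" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

make_p12() {
  # Same command as the post, minus -certfile: the cert is self-signed, so
  # there is no separate issuer to include. With a CA-signed cert add
  # "-certfile ca.pem" back. On OpenSSL 3 add "-legacy" for old Windows
  # versions, which cannot decrypt the AES/PBKDF2 defaults.
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -name "Samba" -passout "pass:$P12_PASS" -out "$WORK/samba.p12" 2>/dev/null
}

check_p12() {
  # Prints one word naming the first problem found, or "ok".
  local bundle="$WORK/samba.p12" cert_spki key_spki
  # 1. The bundle opens with the password and contains a private key.
  openssl pkcs12 -in "$bundle" -passin "pass:$P12_PASS" -nocerts -nodes \
    -out "$WORK/key.out.pem" 2>/dev/null || { echo no-key; return 0; }
  # 2. It contains an end-entity certificate.
  openssl pkcs12 -in "$bundle" -passin "pass:$P12_PASS" -clcerts -nokeys \
    -out "$WORK/cert.out.pem" 2>/dev/null || { echo no-cert; return 0; }
  # 3. Key and cert belong together: compare the public keys they carry.
  cert_spki=$(openssl x509 -in "$WORK/cert.out.pem" -pubkey -noout | openssl sha256)
  key_spki=$(openssl pkey -in "$WORK/key.out.pem" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_spki" = "$key_spki" ] || { echo key-mismatch; return 0; }
  # 4. The cert is marked for TLS server use.
  openssl x509 -in "$WORK/cert.out.pem" -noout -ext extendedKeyUsage 2>/dev/null |
    grep -q "TLS Web Server Authentication" || { echo no-serverauth; return 0; }
  # 5. The SAN names the host clients will dial.
  openssl x509 -in "$WORK/cert.out.pem" -noout -ext subjectAltName 2>/dev/null |
    grep -q "DNS:$HOST_FQDN" || { echo no-san; return 0; }
  echo ok
}

run_check() {
  # Prints "skip" when openssl is absent so the script can be sourced anywhere.
  command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
  make_self_signed && make_p12 && check_p12
}

run_check
```

The checks cover the third suspicion in the post (a broken conversion) and part of the second (a certificate missing the attributes a server cert needs); they cannot see the Windows side, where the private key lands under the machine key store and the service account needs read access to it. Two version notes: `-addext` and `-ext` need OpenSSL 1.1.1 or later, and OpenSSL 3 changed the default PKCS#12 encryption to AES with PBKDF2, which older Windows releases cannot open, hence `-legacy`.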
-
Re: help with TLS certificates for Samba4
Try this:
1) In Windows, right click on the .pfx/.p12 file and run through the
certificate import wizard.
2) Import into the personal store for the user you are logged in as
3) Open MMC. Add 2 Cert Manager snap-ins. One for the computer
account, the other for the user account.
4) Drag the cert you just imported from the personal store in the user
account and drop to the personal store for the computer account
This was on w2k3 SP1 from console. I stumbled across this by accident
after running into a similar problem trying to import a cert for IIS
made the same way using pkcs12. Funny that even after I imported it to
my own personal store, I couldn't export, then import it to the
computer personal store without that stupid error. Hooray for drag and
drop.
Hopefully this will work for you too!
- Glen
Andrew Tridgell wrote:
> [...]
-
Re: help with TLS certificates for Samba4
Well so much for the drag and drop! It appeared to work such that the
cert was *there*, but it failed to load saying the private key was
inaccessible. Which sent me down this path...
%SystemRoot%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
"Administrators" and "System" should have full control. Also any
account that runs the service that will be accessing the key such as
"Network Service".
Anyway, once I added these permissions everything worked. I was able
to import the .pfx file directly into the computer certificate store.
- Glen