search cancel

Error: "Failed to generate package. Object reference not set to an instance of an object" using self-signed certificates and creating a CEM agent installation package


Article ID: 159366


Updated On:


IT Management Suite


When using self-signed certificates and creating a Cloud-enabled Management (CEM) agent installation package you get the following error.

Failed to generate package. Object reference not set to an instance of an object.


ITMS 7.6, 8.0, 8.1, 8.5


When using self-signed certificates, a certificate should exist in the Trusted Root Certification Authority Store on the Notification Server named:

<Server Name>.<Domain>.local Agent CA

If you open the certificate and review the General tab, you should see a private key shown for the certificate.

If you are missing the private key you will get the error noted above when generating the CEM agent package.

A common cause for the missing private key is that when exporting a certificate, you are given an option to export the private key. If you select yes to this you will see a screen with a checkbox asking if you want to delete the private key if the export is successful. Checking this option will remove the original key when the certificate has been successfully exported and cause package creation to fail. 


Cause 2:
This error regarding "Object reference not set to an instance of an object" can be also caused by the Application Identity (Altiris Service Account) did not have needed permissions on the folder ProgramData\Microsoft\Crypto\RSA\MachineKeys, especially after switching Application Identity accounts and the new account is lacking rights to the RSA folder.


If you successfully exported the certificate you should have a copy of the certificate that has the private key. Delete the old certificate on the Notification Server and import the copy containing the private key.

Also make sure the private key is exportable when importing the certificate into the Trusted Root certificates under the local machine. This is needed for signing of other certificates.


Resolution 2:

Follow below steps:

  1. Browse to the following location: C:\ProgramData\Microsoft\Crypto\RSA\
  2. Right click on 'MachineKeys' directory and select Properties.
  3. Select Security.
  4. Click Edit.
  5. Select Add.
  6. Give the Application Identity Account name.
  7. Assign, at minimum, the following:
    • Modify
    • Read & Execute
    • List folder contents
    •  Read
    • Write
  8. Click on Check Names and click OK.
  9. Click Apply and select Continue and click OK.

NOTE: After hitting apply, "Access Denied" errors may appear on as many as 5 subdirectories. This is normal in many situations, click accept.