Access denied when creating a certificate enrollment request

As part of creating a self-signed certificate, we use the following code:

var enroll = new CX509Enrollment();
enroll.InitializeFromRequest(cert);
enroll.CertificateFriendlyName = friendlyName;
string csr = enroll.CreateRequest(); // may fail with ACCESS DENIED

The last line is a call to the COM method IX509Enrollment::CreateRequest(). If you are not running with elevated privileges, it fails with “access denied”, because it wants write access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates. Note that in the latest versions of Windows most programs run without elevated privileges, even if the current user has administrator rights. The program executing the above code must be explicitly started via “run as administrator”.
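The following is an added example, not code from the original post: a C# preflight that checks for elevation and for write access to the registry key named above before CreateRequest() is called, so the failure is reported with its cause. The names EnrollmentPreflight, IsElevated, CanWriteMachineStore and CreateRequestChecked are hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

// Hypothetical helper, not part of the original post.
static class EnrollmentPreflight
{
    // Registry path named in the post, relative to HKEY_LOCAL_MACHINE.
    const string StorePath = @"SOFTWARE\Microsoft\SystemCertificates";

    // False for a UAC-filtered token, even if the user is an administrator.
    public static bool IsElevated()
    {
        using (var identity = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(identity)
                .IsInRole(WindowsBuiltInRole.Administrator);
    }

    // True when this process can open the key for writing.
    public static bool CanWriteMachineStore()
    {
        try
        {
            using (var key = Registry.LocalMachine.OpenSubKey(StorePath, writable: true))
                return key != null;
        }
        catch (SecurityException) { return false; }
        catch (UnauthorizedAccessException) { return false; }
    }

    // Runs the enrollment call only after both checks pass.
    // Usage: string csr = EnrollmentPreflight.CreateRequestChecked(() => enroll.CreateRequest());
    public static string CreateRequestChecked(Func<string> createRequest)
    {
        if (!IsElevated() || !CanWriteMachineStore())
            throw new InvalidOperationException(
                "No write access to HKLM\\" + StorePath +
                "; start the program via \"run as administrator\".");
        try { return createRequest(); }
        catch (UnauthorizedAccessException ex)
        {
            // COM E_ACCESSDENIED surfaces in .NET as UnauthorizedAccessException.
            throw new InvalidOperationException("CreateRequest was denied access.", ex);
        }
    }
}
```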
