Give a more helpful error when registry permissions are insufficient

If you try to inject a cert into a CryptoAPI store that doesn't have sufficient permissions, you'll get a confusing error "ncdns.certinject: Couldn't open cert store: Access is denied."  It would be useful to actually tell the user which registry key is missing the needed permissions, and which permissions are actually needed.