Knowledgebase: SSL Technical FAQs
ASN1 bad tag value met. 0x8009310b

Question:

I get CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b on IIS 7 and I am unable to install my SSL certificate.

Answer:

This can happen when IIS places the certificate in the wrong certificate store or loses track of where it placed the private key. In many cases the certificate ends up in the Other People certificate store for the Current User account. Only certificates stored in the Personal section of the Local Computer store can be used in IIS.

Option #1: Repair a damaged certificate. (Recommended Option)

  1. Open a command prompt (cmd.exe).

  2. Type: certutil -repairstore my "VALUE OF THUMBPRINT OR SERIALNUMBER"

    Note: If you're unsure of how to find either the THUMBPRINT or the SERIAL NUMBER, please follow these instructions. Also, sometimes the certificate is not available and needs to be imported in order for this command to work. If you receive an error, ensure the SERIAL NUMBER and/or THUMBPRINT you are using are the EXACT ones listed in your certificate, as sometimes Windows will throw in one or more question mark characters, causing this to fail.
     
  3. Go back into the IIS Manager and re-edit the bindings for this site. (Where you can select the certificate)

    Note: Sometimes, you will get an error, so just ignore the error and try again. When trying again, the certificate may already be selected and nothing else needs to be done. If you do not see the certificate in the list, you may need to give it a friendly name within the MMC by editing its properties.


Option #2: Restore Certificate to the Local Computer Store (Should only be used if Option #1 doesn't work)

  1. Open the Certificate Snap-In from within the MMC (Microsoft Management Console)
    Start -> Run -> Type "mmc" -> File -> Add/Remove Snap-in -> Add -> Certificates

  2. Add Current User account.
    My User Account -> Finish.

  3. Add Local Computer account.
    Computer account -> Local Computer -> Finish.

  4. Close Add Standalone Snap-in.

  5. Click Ok.

  6. Now you should have a screen similar to this:



  7. Drag the certificate that will not install, out of the Other People store and drop it under the Local Computer -> Personal -> Certificates.

    Do not close out of the MMC at this time.

  8. Open up a command prompt.
    Start -> Run -> Type cmd.

  9. Type: certutil -repairstore my "THUMBPRINT_OF_CERTIFICATE". (with quotes)

  10. You should now have the private key back on the certificate, so open IIS and assign it to your website.

    Note: If you're unsure of how to find the thumbprint please follow these instructions.
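
A read-only check that can be run before or after either option, as an added example (not part of the original article): it strips stray characters from a pasted thumbprint, looks for the certificate in the stores mentioned above, and reports whether the private key is attached. The thumbprint value is a constructed placeholder, and the script assumes a SHA-1 thumbprint (40 hex characters), not a serial number.

```powershell
# Added example: locate a certificate by thumbprint and report whether IIS can use it.
# The default $Thumbprint is a constructed placeholder, not a real certificate.
param(
    [string]$Thumbprint = '?00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'
)

# Thumbprints pasted from the certificate dialog often carry spaces and a stray
# leading character that the console shows as "?". Keep hex digits only.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($clean.Length -ne 40) {
    throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length): '$clean'"
}

# The store IIS reads from, plus the places a failed install may leave the certificate.
$stores = @(
    'Cert:\LocalMachine\My',          # Local Computer -> Personal (what IIS uses)
    'Cert:\CurrentUser\My',           # Current User   -> Personal
    'Cert:\CurrentUser\AddressBook',  # Current User   -> Other People
    'Cert:\LocalMachine\AddressBook'  # Local Computer -> Other People
)

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object @{n='Store';e={$store}}, Subject, NotAfter, HasPrivateKey
}

if (-not $found) {
    Write-Output "No certificate with thumbprint $clean in the checked stores; import it first."
    return
}
$found | Format-Table -AutoSize

# Decide which of the article's two options applies.
$iis = $found | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' }
if (-not $iis) {
    Write-Output 'Not in Local Computer -> Personal: move it there (Option #2), then repair.'
} elseif (-not $iis.HasPrivateKey) {
    Write-Output 'In the right store but no private key is attached. Run:'
    Write-Output "  certutil -repairstore my `"$clean`""
} else {
    Write-Output 'In Local Computer -> Personal with its private key; select it in the IIS bindings.'
}
```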

 
