CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

Recently while installing a SSL certificate on IIS 7.0 I got this error message

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

I could not complete the certificate request via IIS manager.

But strangely after this error the certificate was placed in the Other People certificate store.

Only certificates that are stored in the Local Computer store can be used in IIS.

SSL

 

To restore the certificate to the Local Computer store you can load the two Certificates MMC (Local Computer & Local User). Drag it out of the Other People store and drop it under the Local Computer > Personal > Certificates.

But if you double click the certificate you will see that the private key is missing. Without a private key the certificate is worthless as even if you configure it on your website in IIS you will end up getting Page Cannot Be Displayed.

Now if the request for the certificate was issued from the same machine you can use the command below to restore the private key for your certificate.

certutil –repairstore my “00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f”

The sequence in the quotes is the thumbprint of the SSL certificate.

thumbprint

This should restore the private key for that certificate. You should see a “You have a private key that corresponds to this certificate” message when you open it .

Now the certificate is installed in your Local Computer certificate store so you go into your website properties and assign the certificate by changing the bindings settings.

Bookmark and Share

Comments

  • Anonymous
    November 25, 2008
    PingBack from http://blog.a-foton.ru/index.php/2008/11/25/certenrollcx509enrollmentp_installresponse-asn1-bad-tag-value-met-0x8009310b/

  • Anonymous
    November 29, 2008
    This was amazingly helpful. I had this exact issue, and nowhere was there help to be found - not Verisign, not Microsoft. This post had me up and running in about 30 seconds.

  • Anonymous
    December 04, 2008
    The comment has been removed

  • Anonymous
    December 06, 2008
    WOW!  Great article.  Like the other posters I had the SSL problem and was up and running following this exactly.  Thanks A LOT man!! =]

  • Anonymous
    December 09, 2008
    Following your post fixed the problem in 2 minutes after I wasted 2 hours with certificate and the issuer. Thank You, Thank You, Thank You!!!

  • Anonymous
    December 30, 2008
    The comment has been removed

  • Anonymous
    January 03, 2009
    We’ve seen a few instances of the following error message on 64 bit servers when IIS 7.0 is attempting

  • Anonymous
    January 06, 2009
    Also with me this helped. If you have the same error? Try this solution out.

  • Anonymous
    February 11, 2009
    I have no "other people" folder.  Suggestions?

  • Anonymous
    March 10, 2009
    Great! I was nearly desperate, because I had never had problems with ssl-certificates on different Linux- and IIS6-Webservers. Thank you very much for this article! Kind regards, Volker

  • Anonymous
    April 07, 2009
    This is a very odd error you discovered. Your work-around likely saved me hours. There is a special place in the after-life for people like you.

  • Anonymous
    May 19, 2009
    I have no "other people" folder. What do I do? Regards Pablo. pgonzalez@fsnsolutions.com.au

  • Anonymous
    May 21, 2009
    Pablo Check this http://support.microsoft.com/kb/959216

  • Anonymous
    December 21, 2009
    how do i get to the screen shown?

  • Anonymous
    February 04, 2010
    Good job Buddy really saved my neck. Works like a charm !!! Thanks

  • Anonymous
    March 12, 2010
    You saved me on this.  GoDaddy was no help at all.  Thanks.  

  • Anonymous
    April 28, 2010
    Thanks Vijay , Very userful information for fixing certificate for unpaired priovate key.

  • Anonymous
    September 06, 2010
    Thanks! To load the two Certificates MMC (Local Computer & Local User), this is helpful: msdn.microsoft.com/.../ms788967.aspx just drag and drop the certificate to Local Computer > Personal > Certificates. Run the repair with your own thumbprint, and ready in 30 seconds!!

  • Anonymous
    October 13, 2010
    Great article, very helpful. Thanks.

  • Anonymous
    November 12, 2010
    It would have been a great time saver if OP would have posted how to get to the console screen or that the snap in is not installed by default!@!!@!@  Thank so much to Arno for posting the link on how to do this and install the snap in.  

  • Anonymous
    December 14, 2010
    This worked great. I instead skipped the step of trying through IIS, since it always fails on me, so I just import the SSL into the local computer personal certificates folder, and run the script to repair based on the thumb print. One less step, just as effective. Thanks again, T

  • Anonymous
    May 17, 2011
    Thanks NK, very useful tip, you are a lifesaver.

  • Anonymous
    July 25, 2011
    3 years and still a working solution :) thanks

  • Anonymous
    January 20, 2012
    THIS. SAVED. MY. BIG. TIME!!! Thanks! :)

  • Anonymous
    April 16, 2013
    Saved my hide ! Great job - thanks a ton !

  • Anonymous
    July 03, 2013
    I get a "Insert smart card"? What now?