CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

Rate This
  • Comments 26

Recently while installing a SSL certificate on IIS 7.0 I got this error message

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b

I could not complete the certificate request via IIS manager.

But strangely after this error the certificate was placed in the Other People certificate store.

Only certificates that are stored in the Local Computer store can be used in IIS.



To restore the certificate to the Local Computer store you can load the two Certificates MMC (Local Computer & Local User). Drag it out of the Other People store and drop it under the Local Computer > Personal > Certificates.

But if you double click the certificate you will see that the private key is missing. Without a private key the certificate is worthless as even if you configure it on your website in IIS you will end up getting Page Cannot Be Displayed.

Now if the request for the certificate was issued from the same machine you can use the command below to restore the private key for your certificate.

certutil –repairstore my “00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f”

The sequence in the quotes is the thumbprint of the SSL certificate.


This should restore the private key for that certificate. You should see a “You have a private key that corresponds to this certificate” message when you open it .

Now the certificate is installed in your Local Computer certificate store so you go into your website properties and assign the certificate by changing the bindings settings.

Bookmark and Share

Leave a Comment
  • Please add 3 and 8 and type the answer here:
  • Post
  • You saved me on this.  GoDaddy was no help at all.  Thanks.  

  • Thanks Vijay ,

    Very userful information for fixing certificate for unpaired priovate key.

  • Thanks!

    To load the two Certificates MMC (Local Computer & Local User), this is helpful:


    just drag and drop the certificate to Local Computer > Personal > Certificates. Run the repair with your own thumbprint, and ready in 30 seconds!!

  • Great article, very helpful. Thanks.

  • It would have been a great time saver if OP would have posted how to get to the console screen or that the snap in is not installed by default!@!!@!@  Thank so much to Arno for posting the link on how to do this and install the snap in.  

  • This worked great. I instead skipped the step of trying through IIS, since it always fails on me, so I just import the SSL into the local computer personal certificates folder, and run the script to repair based on the thumb print.

    One less step, just as effective.

    Thanks again,


  • Thanks NK,

    very useful tip, you are a lifesaver.

  • 3 years and still a working solution :)


  • THIS. SAVED. MY. BIG. TIME!!! Thanks! :)

  • Saved my hide !

    Great job - thanks a ton !

  • I get a "Insert smart card"? What now?

Page 2 of 2 (26 items) 12