IIS and ASP.NET Information and Tips from Microsoft Developer Support

“ASN1 bad tag value met” error when processing a certificate request in IIS 7

“ASN1 bad tag value met” error when processing a certificate request in IIS 7

  • Comments 50



We’ve seen a few instances of the following error message on 64 bit servers when IIS 7.0 is attempting to process a pending certificate request:


Complete Certificate Request

There was an error while performing this operation.


CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)



This error seems to mean that the private key (created when the certificate request was made) does not match the public key (the .crt file).  The keypair is not successfully joined into a working SSL certificate.


So far this behavior seems most common with .crt files (instead of the .cer files many of us are more used to) issued by one specific Certification Authority—which will remain nameless here.


The error shows up after reaching the point in the process where you 'specify certificate authority response' and guide the wizard to the  'File name containing the certification authority's response...' (the .crt file).  


So far there seem to be two solutions.


Solution 1:


Verisign has a support article that matches this error message: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO8467&actp=search&searchid=1219125132143.  Their recommendation seems to be to replace the certificate with a new one.   This method has worked for at least one of my customers in this place with a GoDaddy certificate.  All they had to do was make a new certificate request (CSR text file), log into the the Godaddy web interface and re-key (we chose re-key rather than re-issue) their certificate.  The new file processed fine.


Solution 2:


Begin by importing the .crt file into the Personal certificate store for the local computer.  (Start button > Run:  MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish >  Click OK > drill into Personal > Certificates >  right-click and select All Tasks > select Import > guide to the .crt file.)  At this point your certificate is basically a half-certificate.  It is still missing its private key.


Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint.  In the lower pane, block and copy all the letters of the thumbprint.  Paste the thumbprint characters into notepad.  Open the command prompt and run this command: Certutil /?

The command you’ll want to run is:


certutil -repairstore my "{insert all of the thumbprint characters here}"


When you see the response: “CertUtil: -repairstore command completed successfully” you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the “Complete Certificate Request…” wizard.  The certificate should show up in the IIS Manager’s list of server certificates at this point.  It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.  


Incidentally, a common way of attempting to deal with this error is to take the .p7b file from the Certification Authority and import the CA's certificates into the Trusted and Intermediate stores.   As far as I can tell, this approach has no useful effect upon this problem.  


Other relevant links:







Leave a Comment
  • Please add 2 and 6 and type the answer here:
  • Post
  • Thanks a lot. Solution 2 solved my problem!

  • When I attempt to run the certutil command on SBS2008 I get a permission error stating this command requires elevated priviledges to run.  Administrator privs are required to run this command.  Since the Administrator account is disabled/dissappears in SBS2008, I tried using the netword admin account and it gets the permissions error.  Am I missing something

  • Thank you. Solution 2 worked for me with a GoDaddy SSL cert.  

  • The second approach using certutil (under elevated privs on win2008 web edition) is getting an access denied :

    No key provider information

    Cannot find the certificate and private key for decryption.

    CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)

    CertUtil: Access denied.

    Guess I'll need to try option 1 then :(

  • solution 2 did not work with Godaddy without the following modifications on server 2008 on the last step

    certutil -repairstore "My" "insert all of the thumbprint characters here"

    Basically put quotes "My" and don't put the {} marks where the thumbprint goes.  Thanks.

  • I believe I have found the cause of the problem.  If you are renewing an existing certificate (when I say renew I am not referring to the renew certificate function which most instructions warn against, but rather creating a certificate request from an existing certificate), when you complete the certificate request, you MUST right click on the existing certificate and select complete from the context menu.  If you attempt to right-click in an open area of the window and select complete request from that context menu, or if you delete the original certificate first and therefore can only right click in the open area of the window, you will receive this message.  

    If you have in fact deleted the original certificate, then you must follow the first procedure outlined above to rekey the certificate. Then you will be able to right click in the open area and select complete from that context menu.

  • Option 2 worked for me as well except it didn't give it a name... just blank.  Still worked.

  • When I try this I get prompted to enter a smartcard.  When I cancel out of that (we don't use smartcards) the certutil command fails with an ACCESS DENIED message.

    We don't use smartcards so I'm not sure why I'm being prompted for this.

    Anybody know anything about this?

  • Thanks a ton. Solution 2 rocks.

  • Same here, thanks so much for Solution #2 - you saved a lot of headache and downtime!

  • Many thanks for this solution. #2 worked perfectly for me.

    Also, even though the Name for the cert is blank in IIS, this can be remedied through the MMC.

    start -> run -> mmc -> File -> Add/Remove Snap-in -> select Certificates etc.

    Then go to Certificates -> Personal -> Certificates -> select the desired cert, right click, properties -> set a friendly name. Easy.

  • I tried option 1 first, that did not work.  Then tried option 2 which did work.  Thank you.

  • Thanks a lot! # 2 worked great!!!!

  • awesome my friend.. thank u so much... really option 2 was the one that worked for me. also on another forum they had said that copy from current to local account but that didnt work for me as the certutil command would complain that it could not find the certificate and private key for decryption. By doing the add-in and guiding to the .cer file, cert util worked fine...

  • Amazing!! Option 2 worked for me as well!

    Thanks again!

Page 1 of 4 (50 items) 1234